This weekend I played the codegate2010 capture-the-flag pre-quals located at http://ctf.codegate.org .
First a big thx to the organisers and the challenge contributors, it was an excellent CTF even though I'd have loved to have 4-6 hours more time :)
The first challenge had the following description:
beist likes drinking.
feel free to give a shot to him when you meet him.
this challenge doesn't need to give many hints to you guys.
just get to http://ctf7.codegate.org/31337/
YOU NEED TO GET A SHELL AND SEE A FILE THAT CONTAINS A FLAG OF THIS CHALLENGE. GOOD LUCK.
While looking at the website I played around with hello.cgi to see what I could achieve.
So we have no permission to read it. I checked /proc on the Debian VM I was using for this CTF and found that /proc/loadavg can be used.
If we look up the description of loadavg from Red Hat:
This file provides a look at the load average in regard to both the CPU and IO over time, as well as additional data used by "uptime" and other commands.
A sample /proc/loadavg file looks similar to the following:
0.20 0.18 0.12 1/80 11206
The first three columns measure CPU and IO utilization of the last one, five, and 10 minute periods.
The fourth column shows the number of currently running processes and the total number of processes.
The last column displays the last process ID used.
Good, with that we can work. So what do we need for a successful exploitation?
1. a way to get a PID (/proc/loadavg in this case)
2. a way to keep our request executing long enough to catch it with /proc/loadavg
3. an injection client
1. This we have with the index.php?page=[path] page.
That we have working as well.
2. That's where hello.cgi comes in handy: as it does math calculations based on user input, you can let it compute a huge number so it keeps running for a long time, and we can use this as our base request.
3. This can simply be done with either Python, curl or even Firefox, as the injection is done over the User-Agent field.
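From the defender's side, the chain above leaves two distinct marks in the web server's access log: a page= parameter that points into /proc, and PHP tags inside a User-Agent. The following is an added detection example, not part of the original write-up; the log lines, host path, PID 4212 and timestamps are constructed, and the Apache combined format is assumed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines modelled on the chain in the
# write-up: loadavg polling, PHP staged in User-Agent on the slow hello.cgi
# request, then inclusion of /proc/<pid>/environ. IPs, PID and times are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Mar/2010:14:02:11 +0000] "GET /31337/index.php?page=/proc/loadavg HTTP/1.1" 200 41 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Mar/2010:14:02:12 +0000] "GET /31337/hello.cgi?n=99999999 HTTP/1.1" 200 12 "-" "<?php system('ls -al'); ?>"
10.0.0.5 - - [13/Mar/2010:14:02:12 +0000] "GET /31337/index.php?page=/proc/4212/environ HTTP/1.1" 200 913 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Mar/2010:14:03:40 +0000] "GET /31337/index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r'<\?(php|=)?', re.IGNORECASE)

def classify(line):
    """Return (ip, url, findings) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group('url')).query)
    page = unquote(query.get('page', [''])[0])
    findings = []
    if '/proc/' in page:
        findings.append('lfi-proc')           # /proc/loadavg or /proc/<pid>/environ
    elif '..' in page or page.startswith('/'):
        findings.append('lfi-path')           # traversal or absolute path in page=
    if PHP_TAG_RE.search(m.group('ua')):
        findings.append('php-in-user-agent')  # code staged into the process environ
    return m.group('ip'), m.group('url'), findings

def scan(log_text):
    """Every parsed line that hits at least one rule."""
    return [r for r in map(classify, log_text.splitlines()) if r and r[2]]

def environ_after_staging(log_text):
    """IPs that put PHP in a User-Agent and then included an environ file:
    the exact ordering the write-up relies on, so a strong signal."""
    staged, hits = set(), []
    for ip, url, findings in scan(log_text):
        if 'php-in-user-agent' in findings:
            staged.add(ip)
        if ip in staged and '/environ' in unquote(url):
            hits.append((ip, url))
    return hits
```

Note that an attacker sending the User-Agent and the environ include from different IPs defeats the correlation in environ_after_staging; the per-line rules in classify still fire on each half.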
Here's the script that gets the environ of the last PID found.
And here's the script that injects the command execution into the hello.cgi request.
PS: I know there's no error checking :p
Result
Let's run it all together then.
In console #1 let the first script run:
Keep this one running
In console #2 run the second script:
And now you should see the results of our command showing up in console #1.
And we can clearly see what we need to read:
So just changing the command from ls -al to cat MUST_GRAB_THIS_KEY_FILE will do the job.