NahamCon2021 CTF - $Echo - Writeup

Introduction

Today we're doing a CTF writeup for the $Echo challenge from the NahamCon2021 CTF. $Echo is a web-based challenge and after we started the challenge we received a URL to interact with:


http://challenge.nahamcon.com:32212


After some testing, we find that the web-app repeats alpha-numeric input from the user and outputs it to the page, with the following restrictions:

The input may not be longer than 15 characters, and the string may not include special characters, with a few exceptions.

The exempt special characters are the forward slash ( / ), period ( . ), backtick ( ` ), and less-than sign ( < ). Because backticks are allowed, we can break out of the command being issued by the web-app and perform command injection on the web-server.

input `ls`


We can assume that index.php is the file that contains the web-app we're interacting with, but we'll look at that later. For now, let's locate the flag:

input `ls ..`


The flag is located one directory above our web-root directory. We could access it with the following command:

input `cat ../flag.txt`


But the string exceeds the 15-character limit for our commands. This is where it's important to know how the web-app works, so we use the command injection to read the index.php file:

input `cat index.php`


This is promising, but it looks like the code has been cut off, so let's view the source of this page to get all the info:

view-source:http://challenge.nahamcon.com:32312/?echo=`cat+index.php`


So we can see here that the command being sent by the web-app to the server is:

bash -c 'echo " . $to_echo . "'"

In this case, $to_echo is the input we send to the web-app, and the PHP string concatenation ( . ) places it directly inside the single-quoted echo command. Now that we know that the web-app is already instructing the server to echo something, we can cat out the flag file by shortening our command injection string to fit the echo command being sent:
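The following is an added example, not the challenge's real index.php (which the writeup only shows in part). It reconstructs the pattern described above, a character allowlist that still lets backticks through and a sink that concatenates the input into a bash command line, and places it beside two hardened versions. The names is_allowed_original, echo_vulnerable, echo_hardened_shell and echo_no_shell are assumptions for illustration; only $to_echo and the 15-character limit come from the page.

```php
<?php
// Added example: reconstructs the writeup's described behaviour, not the
// challenge's actual source. Function names are assumed for illustration.

// The filter as the writeup describes it: at most 15 characters, alphanumerics
// plus the four exempt characters / . ` <. The backtick survives the filter,
// so bash still sees a command substitution once the string reaches the shell.
function is_allowed_original(string $to_echo): bool
{
    return strlen($to_echo) <= 15
        && preg_match('/^[A-Za-z0-9\/.`<]*$/', $to_echo) === 1;
}

// Vulnerable sink (assumed shape, matching the command shown in the writeup):
// the filtered input is concatenated straight into a single-quoted echo.
function echo_vulnerable(string $to_echo): string
{
    if (!is_allowed_original($to_echo)) {
        return 'rejected';
    }
    return shell_exec("bash -c 'echo " . $to_echo . "'") ?? '';
}

// Hardened option 1: if a shell is genuinely required, allowlist only
// characters with no shell meaning and pass the value through escapeshellarg(),
// which wraps it in single quotes and escapes embedded ones so that backticks,
// $( ), <, ; and friends are literal characters to bash.
function echo_hardened_shell(string $to_echo): string
{
    if (strlen($to_echo) > 15 || preg_match('/^[A-Za-z0-9 ]*$/', $to_echo) !== 1) {
        return 'rejected';
    }
    return shell_exec('echo ' . escapeshellarg($to_echo)) ?? '';
}

// Hardened option 2 (preferred): echoing user input back to a page never needs
// a subprocess. Enforce the length limit, HTML-escape for the output context,
// and return the string. With no shell involved there is nothing to inject into.
function echo_no_shell(string $to_echo): string
{
    if (strlen($to_echo) > 15) {
        return 'rejected';
    }
    return htmlspecialchars($to_echo, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Request handler: the ?echo= parameter name is the one visible in the writeup's URL.
$to_echo = $_GET['echo'] ?? '';
echo echo_no_shell($to_echo);
```

The lesson from the filter is that a character allowlist is only as good as the characters it allows; a single shell metacharacter left in the list is enough. Removing the shell from the data path, as in echo_no_shell, is the change that actually closes the class of bug rather than one instance of it.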

input `< ../flag.txt`


The previous command string in its entirety was:

bash -c 'echo < ../flag.txt'

Meaning that the echo command was taking input from the flag.txt file in the directory above the working directory. The backticks make bash perform command substitution, and inside a bash command substitution `< ../flag.txt` is shorthand for the contents of that file, so the flag text is substituted into the echo command and printed to the page.

Summary

The web-app was vulnerable to command injection through the use of backticks, which break out of the command being sent. We were able to enumerate the web-app code through command injection and web-page source view. This allowed us to find the correct command injection to obtain our objective flag file.

Finish
