Hi all,
at October 18th D-CTF 2014 was started and we participated in the CTF via irctf team.
TL;DR
In Exploit 300 challenge we are given an IP (10.13.37.33) and some hints :
People say that if you’re still angry at 80, you’re not an angry young man, just a grumpy old git. 10.13.37.33
Hint: gitlist.
It seems there should be a repo using gitlist. So I check this url :
1
|
|
I can remember that some time ago a vulnerability existed in gitlist so i Google it and find this :
1
|
|
There’s not too much so i use the exploit and Upload the system($cmd) shell.
1
|
|
After that i can run any command in www-data permission.
Then after some digging i found the flag and submit it :
1
|
|
1
|
|
Ok at this point we’ve got 300 points.
With a brief looking at Exploit 400 or seeing a file named e4.hint we notice this :
You can’t kill a ghost!
Hint: You need to own Exploit 3.
After some searching around a file get my attention : KAKE_exe in /var/www/git/cache
Honestly i dont really know where it comes from So i execute this command :
1
|
|
and download the file, it looks like an ELF Executable 64-bit file. Then i check for some string and verify that it is the ghost exec.
since i notice on the server it removes itslef i use chattr +i
on the file so it cannot be removed.
Then i check the file via nm and objdump and it seems there is a string checking in _Z7processPv Function. After reversing you can see that the input is checking with this string :
1
|
|
And after using this string we’ve got the flag :
1 2 3 |
|
And there we go another 400 point.
if there is any question, let me know about it.
because of lacking time, i write this write-up briefly, Feel free to ask any question.
Thanks, HAMIDx9