TFCCTF 2023 – List

Author: Lumy

List (50 points, 215 solves)

Who knew RCE was this useful?

Table of Contents

  1. A network capture
  2. Solution

A network capture

The challenge gives us a network capture: list.pcap

Let's open it in Wireshark and analyse the network packets.

Solution

First, by following the TCP stream, we can see a webshell that is accessible through POST requests:

HTTP/1.1 200 OK
Date: Wed, 26 Jul 2023 23:50:14 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Wed, 26 Jul 2023 23:31:48 GMT
ETag: "14c-6016c405fc14c"
Accept-Ranges: bytes
Content-Length: 332
Vary: Accept-Encoding
Content-Type: text/html

<!DOCTYPE html>
<html>
  <head>
    <title>My safe website!</title>
  </head>
  <body>
    <h1>Safe:</h1>
    <form action="index.php" method="POST">
      <label for="command">Enter a command:</label>
      <input type="text" id="command" name="command" />
      <input type="submit" value="Execute" />
    </form>
  </body>
</html>

Let's filter on POST requests using this display filter: http.request.method == "POST"

We can then see several requests like this one:

POST /index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 104
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiVCIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash

HTTP/1.1 200 OK
Date: Wed, 26 Jul 2023 23:51:30 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 11
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<pre></pre>

URL-decoding the request body (for example with urldecoder.org) gives the executed command, which carries a base64-encoded string: echo "ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiVCIgMj4vZGV2L251bGw=" | base64 -d | bash

Finally, we can retrieve the flag by decoding the base64 payload of each POST request:

┌──(kali㉿kali)-[~]
└─$ echo "ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiVCIgMj4vZGV2L251bGw=" | base64 -d
find /home/ctf -type f -name "T" 2>/dev/null
┌──(kali㉿kali)-[~]
└─$ echo "ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiQyIgMj4vZGV2L251bGw=" | base64 -d
find /home/ctf -type f -name "C" 2>/dev/null
┌──(kali㉿kali)-[~]
└─$ echo "ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiRiIgMj4vZGV2L251bGw=" | base64 -d
find /home/ctf -type f -name "F" 2>/dev/null
┌──(kali㉿kali)-[~]
└─$ echo "ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiQyIgMj4vZGV2L251bGw=" | base64 -d
find /home/ctf -type f -name "C" 2>/dev/null
┌──(kali㉿kali)-[~]
└─$ echo "ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiVCIgMj4vZGV2L251bGw=" | base64 -d
find /home/ctf -type f -name "T" 2>/dev/null
┌──(kali㉿kali)-[~]
└─$ echo "ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiRiIgMj4vZGV2L251bGw=" | base64 -d
find /home/ctf -type f -name "F" 2>/dev/null

...

To automate collecting the base64 payloads, we can use this command:

strings list.pcap | grep bash
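The whole decoding chain above (find the form body in the raw capture bytes the way `strings | grep bash` does, URL-decode it, pull out the base64 string, decode it, read the probed letter) as one Python script. This is an added example, not the author's code: list.pcap is not available here, so build_capture constructs a stand-in byte blob with fake framing around each request/response pair, PAGE_BODY is the request body quoted above, and build_body rebuilds the other bodies for the letters the writeup decodes. All function names are mine. It also handles the detail visible in the capture above, where the body and the following "HTTP/1.1 200 OK" run together with no separator.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import quote_plus, unquote_plus

# 1) A url-encoded form body inside raw capture bytes. The body is followed
#    directly by the response ("...bashHTTP/1.1 200 OK"), and "HTTP" is made of
#    body-legal characters, so a tempered lookahead stops the match at "HTTP/1.".
BODY_RE = re.compile(rb"command=((?:(?!HTTP/1\.)[A-Za-z0-9%+._~-])+)")
# 2) The decoded body: echo "<base64>" | base64 -d | bash
ECHO_B64_RE = re.compile(r'echo\s+"([A-Za-z0-9+/=]+)"\s*\|\s*base64\s+-d\s*\|\s*bash')
# 3) The inner find command: the file name (one flag letter) being probed for.
FIND_NAME_RE = re.compile(r'-name\s+"([^"]*)"')

# The request body literally shown in the writeup (the "T" probe).
PAGE_BODY = ("command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiVCIgMj4vZGV2L251bGw%3D%22"
             "+%7C+base64+-d+%7C+bash")


def build_body(letter: str) -> str:
    """Constructed sample input: rebuild the webshell body for one probed letter,
    encoded as application/x-www-form-urlencoded like the browser in the capture."""
    inner = f'find /home/ctf -type f -name "{letter}" 2>/dev/null'
    b64 = base64.b64encode(inner.encode()).decode()
    return "command=" + quote_plus(f'echo "{b64}" | base64 -d | bash')


def build_capture(letters, extra_bodies=()) -> bytes:
    """Constructed stand-in for the raw bytes of list.pcap (fake pcap header and
    fake packet-header bytes around each HTTP exchange), so the scanner must locate
    bodies inside binary data rather than parse pcap records."""
    chunks = [b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00"]
    for body in [build_body(l) for l in letters] + list(extra_bodies):
        chunks.append(b"\x00\x45\x00\x01\xff")  # stand-in link/IP/TCP header bytes
        chunks.append(b"POST /index.php HTTP/1.1\r\nHost: localhost\r\n"
                      b"Content-Type: application/x-www-form-urlencoded\r\n\r\n")
        chunks.append(body.encode())
        # The response follows the body with no separator, as in the stream above.
        chunks.append(b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\n<pre></pre>")
    return b"".join(chunks)


def extract_bodies(raw: bytes) -> list:
    """Every url-encoded 'command=' value found in the raw bytes, in capture order."""
    return [m.group(1).decode("ascii") for m in BODY_RE.finditer(raw)]


def decode_webshell_command(body: str) -> Optional[str]:
    """URL-decode one form body and, if it is the echo | base64 -d | bash pattern,
    return the command that actually ran on the server. Anything else gives None."""
    command = unquote_plus(body[len("command="):] if body.startswith("command=") else body)
    m = ECHO_B64_RE.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def probed_letter(decoded: str) -> Optional[str]:
    """The -name argument of the decoded find command, i.e. the flag letter probed."""
    m = FIND_NAME_RE.search(decoded)
    return m.group(1) if m else None


def recover_probed_letters(raw: bytes) -> str:
    """Concatenate the probed letters of every decodable webshell command, in order."""
    letters = []
    for body in extract_bodies(raw):
        decoded = decode_webshell_command(body)
        if decoded is None:
            continue  # not the base64-to-bash pattern, e.g. a plain "ls -la"
        letter = probed_letter(decoded)
        if letter is not None:
            letters.append(letter)
    return "".join(letters)


if __name__ == "__main__":
    # The six letters decoded in the writeup excerpt, plus one non-base64 body.
    capture = build_capture("TCFCTF", extra_bodies=["command=ls+-la"])
    for body in extract_bodies(capture):
        print(body, "->", decode_webshell_command(body))
    print("probed letters:", recover_probed_letters(capture))
```

On the real file, read list.pcap as bytes and pass it to recover_probed_letters; the regex scan over raw bytes is the same shortcut as strings | grep bash, just with the URL- and base64-decoding applied in one pass.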

Flag: TFCCTF{b4s3_64_isnt_that_g00d}