Note a Bug (Red Beer)

pwn attack-defense x86/x64 FCSC 2024 solved on

star

Description

You continue to play your first Attack/Defense CTF: it’s a little less panicky than an hour ago, but your self-esteem is still taking a beating. So much so, in fact, that you’re beginning to wonder whether all the time you’ve invested in training on Hackropole has been worthwhile…

It’s not all doom and gloom: you’re beginning to master network analysis, hardening techniques and you’re even submitting false flags in other teams’ services to fool the enemy! You’ve even learned to steal exploits from other teams very quickly, without even bothering to look at the services’ code!

While analyzing the network streams via Shovel and chatting with one of your teammates, you realize that you’re losing points on the Note a Bug service. This service is clearly one of the simplest in the whole A/D, and some teams have started patching the service to counter the first wave of exploits.

Your objective is now to steal the flags of three particular teams at this game tick (in the Hackropole scenario, there’s only one flag per “team”).

The three teams have different environments:

  • Red Beer has not yet patched their service.
  • d0g bUt h4ppY seems to have simply modified the service’s execution environment to counter the exploit used by all teams. Your assumption is that they simply removed /bin/sh from the service container. After all, there’s no reason why a legitimate use of the service should need /bin/sh!
  • Nordic Mollusks modified the service’s call parameters. This team noticed that the checkers used by organizers only performed one action per connection: either a single write (1) to set the flag, or a single read (2) to check that the flag was present. They then decided to allow only one action for everyone, which also prevents the exploit but doesn’t break the checkers.

Notes:

  • You are in a hurry, no binary is provided for this challenge. You must first exploit Red Beer team, using only the data in Shovel.
  • Once you’ve obtained a shell from Red Beer, you’ll be able to exfiltrate the binary (present in /app) and go on to exploit the other two teams.
  • There is no strict order of validation, but we advise you to take the above teams in order.
  • You must enter the flag found for the XXX team in the event entitled Note a Bug (XXX).
  • Flags are in FCSC_<ascii> format.

⚠️ Important: In this first challenge, the Linux kernel used to create the Shovel capture may be different from yours and may incur some differences in the offsets between the datain Shovel and the ones from the remote service.

Information:

  • Shovel: https://localhost:8000/
  • First team Red Beer :
    • Service: nc localhost 4000
    • Flag ID: ChbbgHyPqJDQy5UaJve6uUGMDQHXWtc.
  • Second team d0g bUt h4ppY :
    • Service: nc localhost 4001
    • Flag ID: ZBrKMnQJGebtYHDXrNxxF6hU2DzwJzX.
  • Third team Nordic Mollusks :
    • Service: nc localhost 4002
    • Flag ID: YAu4kj47vbSDkqTEf2YttEcK88pXYpf.

Files

Author

Cryptanalyse

Challenge Instructions

  1. First, download docker-compose.yml:
    curl https://hackropole.fr/challenges/fcsc2024-pwn-note-a-bug/docker-compose.public.yml -o docker-compose.yml
  2. Launch the challenge by executing in the same folder:
    docker compose up
  3. Then, in another console, access the challenge with Netcat:
    nc localhost 4000
  4. Access the challenge at http://localhost:8000/.
⚠️ Important: You must solve the challenge by interacting with the Docker container through the exposed network port. Any other way is not considered valid.

In case you encounter problems, please consult the FAQ.

Flag

Share my success on Fediverse, Twitter, Linkedin, Facebook, or via email.

Submit your solution

You can submit your writeup for this challenge. Read the FAQ to learn how to proceed.

You need to be logged in to submit a writeup.

Writeups

There are no public solutions for this challenge yet, but you can submit yours after getting the flag.