Description
You continue to play your first Attack/Defense CTF: it’s a little less panicky than an hour ago, but your self-esteem is still taking a beating. So much so, in fact, that you’re beginning to wonder whether all the time you’ve invested in training on Hackropole has been worthwhile…
It’s not all doom and gloom: you’re beginning to master network analysis, hardening techniques and you’re even submitting false flags in other teams’ services to fool the enemy! You’ve even learned to steal exploits from other teams very quickly, without even bothering to look at the services’ code!
While analyzing the network streams via Shovel and chatting with one of your teammates, you realize that you’re losing points on the Note a Bug service. This service is clearly one of the simplest in the whole A/D, and some teams have started patching the service to counter the first wave of exploits.
Your objective is now to steal the flags of three particular teams at this game tick (in the Hackropole scenario, there’s only one flag per “team”).
The three teams have different environments:
- Red Beer has not yet patched their service.
- d0g bUt h4ppY seems to have simply modified the service's execution environment to counter the exploit used by all teams. Your assumption is that they simply removed /bin/sh from the service container. After all, there's no reason why a legitimate use of the service should need /bin/sh!
- Nordic Mollusks modified the service's call parameters. This team noticed that the checkers used by organizers only performed one action per connection: either a single write (1) to set the flag, or a single read (2) to check that the flag was present. They then decided to allow only one action for everyone, which also prevents the exploit but doesn't break the checkers.
Notes:
- You are in a hurry, no binary is provided for this challenge. You must first exploit the Red Beer team, using only the data in Shovel.
- Once you've obtained a shell from Red Beer, you'll be able to exfiltrate the binary (present in /app) and go on to exploit the other two teams.
- There is no strict order of validation, but we advise you to take the above teams in order.
- You must enter the flag found for the XXX team in the event entitled Note a Bug (XXX).
- Flags are in FCSC_<ascii> format.
⚠️ Important: In this first challenge, the Linux kernel used to create the Shovel capture may be different from yours and may incur some differences in the offsets between the data in Shovel and the ones from the remote service.
Information:
- Shovel: https://localhost:8000/
- First team Red Beer:
  - Service: nc localhost 4000
  - Flag ID: ChbbgHyPqJDQy5UaJve6uUGMDQHXWtc
- Second team d0g bUt h4ppY:
  - Service: nc localhost 4001
  - Flag ID: ZBrKMnQJGebtYHDXrNxxF6hU2DzwJzX
- Third team Nordic Mollusks:
  - Service: nc localhost 4002
  - Flag ID: YAu4kj47vbSDkqTEf2YttEcK88pXYpf
Challenge Instructions
- First, download docker-compose.yml:
curl https://hackropole.fr/challenges/fcsc2024-pwn-note-a-bug/docker-compose.public.yml -o docker-compose.yml
- Launch the challenge by executing in the same folder:
docker compose up
- Then, in another console, access the challenge with Netcat:
nc localhost 4000
- Access the challenge at http://localhost:8000/.
In case you encounter problems, please consult the FAQ.