picoCTF 2014: “Make a Face – 100 (Web Exploitation)” WriteUp

It looks like Daedalus is working on a new project to generate digital avatars for use online. After taking a look at their site: http://makeaface.picoctf.com/ it seems like there is a pretty good chance the project isn’t completed, and may have some bugs. This might be the break we’ve been looking for to get inside their network.

It took me quite a while to figure this one out, especially since I haven’t written one single line of Perl in my life.

The code itself looks pretty safe. I was sure it had something to do with the open calls on lines 7-12. Directory traversal (e.g. open(/etc/passwd)), however, is not an option, since every file name is prepended with the part of the face (head, hair, nose, mouth or eyes). No luck here.

After some googling I learned that Perl’s open function can be used to execute shell commands using the pipe character. Well, that’s… handy, I guess. For example, this would work:

But again: we can’t modify the whole file name, there is always the face part at the beginning of the string (e.g. we would end up with `headls |`). After some playing around, I found out that it actually does not matter how the string starts. The following works as well:

So let’s try our payload (urlencoded; space = %20):

No signs of a flag, but there is strange data at the beginning of the response.

On line 19 in the source code, the characters of the files are ANDed. This is needed to combine the different face parts into one single valid bitmap. What does that mean for us? Every file handle has to contain the same data, otherwise the AND with the other parts destroys our output and we won’t get all the data. We can simply achieve this by putting our payload in every GET parameter:

There it is, a file called `SECRET_KEY_2b609783951a8665d8c67d721b52b0f8`!

After replacing our `ls` with `cat SECRET_KEY_2b609783951a8665d8c67d721b52b0f8`:

Voilà, we got it! Flag: `why_did_we_stop_using_perl_again?`
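To make the root cause concrete, here is an added example (my own code, not the challenge’s source; the base directory, the `.bmp` layout and the allowlist of part names are assumptions) that puts the two-argument open() the challenge relied on next to a hardened three-argument version with input validation:

```perl
#!/usr/bin/perl
# Added example, not the picoCTF challenge source. Shows why the 2-argument
# open() is exploitable and how a 3-argument open() plus validation is not.
use strict;
use warnings;

my $BASE = '/tmp/faces';                                  # assumed location of the parts
my %PART = map { $_ => 1 } qw(head hair nose mouth eyes); # the face parts from the writeup

# VULNERABLE pattern: with two arguments, open() parses the whole string as a
# "mode + name" spec. A trailing '|' turns it into a piped open, so the rest of
# the string is handed to the shell as a command. Prepending "head" does not
# help, because the shell still runs whatever the user put after it.
sub read_part_unsafe {
    my ($part, $name) = @_;
    open(my $fh, "$BASE/$part$name") or return undef;    # magic two-argument open
    local $/;
    my $data = <$fh>;
    close($fh);
    return $data;
}

# Only a short alphanumeric identifier is accepted; '|', ' ', '/', ';' and '..'
# are all rejected before the value gets anywhere near open().
sub name_is_safe {
    my ($name) = @_;
    return defined $name && $name =~ /\A[A-Za-z0-9_]{1,32}\z/;
}

# HARDENED pattern: the mode '<' is a separate argument, so Perl never
# interprets the file name as a pipe, whatever characters it contains. The
# allowlist check is still applied first so that traversal is rejected too.
sub read_part_safe {
    my ($part, $name) = @_;
    die "unknown face part\n" unless $PART{$part};
    die "rejected file name\n" unless name_is_safe($name);
    open(my $fh, '<', "$BASE/$part$name.bmp") or die "open failed: $!\n";
    binmode($fh);                                         # bitmaps are binary data
    local $/;
    my $data = <$fh>;
    close($fh);
    return $data;
}

# Demonstration on constructed inputs: a normal id, the pipe trick from the
# writeup and a traversal attempt. Only the plain id passes validation.
for my $name ('1', 'ls |', '../../etc/passwd') {
    printf "%-20s -> %s\n", "'$name'", name_is_safe($name) ? 'accepted' : 'rejected';
}
```

The validation regex, not the three-argument form alone, is what stops the traversal variant; the three-argument form is what removes the command execution. Running the script under taint mode (`perl -T`) adds a third line of defence, since Perl refuses to use request-derived data in a piped open at all.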
