Northsec 2017 CTF – Rao’s missile writeup

I attended the on-site CTF NorthSec with my team 0-bae. NorthSec is held in Montréal every year and I have not missed it once since it started five years ago. It is even more special to me because its first edition was the first CTF I ever attended, and it got me hooked. Four years later, I can see the progress both I and my team have made, since we finished in 8th place.

For this challenge, we were told that the provided link was for a nuclear missile launch usable only by the Supreme Leader Rao. He knew the code for this action, and we had to retrieve it.

The website displayed a launch code and no other links. The launch code was obviously not the flag; it had the format of an MD5 hash (32 hexadecimal characters). Since this was not a cracking challenge, the hash was unlikely to be a publicly known one, so I looked elsewhere. During CTFs I always use the browser add-on Wappalyzer, which analyses the site being browsed and, when it can, displays which technologies it uses (OS, web server, web framework and libraries). Here it told me that this was a Flask application, probably running on Linux.

As a first injection attempt, I noticed the GET parameter t in the URL, which is a classic candidate for LFI (Local File Inclusion): a parameter naming a file the server will read and return. I tested for this vulnerability with a common Linux payload and the exploitation worked. Better still, the file it returned is readable only by root, which tells us the Flask application runs as root.
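To make the bug concrete, here is an added example that is not code from the challenge (its app.py is not reproduced on this page): a hypothetical file-serving helper of the kind a Flask route behind ?t= would call, in its vulnerable form beside a hardened one. The template directory name, the parameter handling and the serve() stand-in for the route are assumptions.

```python
import os

# Constructed example: the directory the page template is supposed to live in.
TEMPLATE_DIR = "/srv/missile/templates"


def unsafe_resolve(base_dir: str, t: str) -> str:
    """Vulnerable: the user-controlled value is joined as-is.

    os.path.join discards base_dir when t is absolute, so ?t=/etc/passwd
    reads /etc/passwd, and ../ segments are kept, so ?t=../../../etc/shadow
    walks out of base_dir as well. Run as root, this reads any file.
    """
    return os.path.join(base_dir, t)


def is_inside(base_dir: str, t: str) -> bool:
    """True only if base_dir/t, after resolving .. and symlinks, stays under base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, t))
    return os.path.commonpath([base, candidate]) == base


def safe_resolve(base_dir: str, t: str) -> str:
    """Hardened: refuse anything that escapes base_dir, before any open()."""
    if not is_inside(base_dir, t):
        raise ValueError("path escapes the template directory: %r" % t)
    return os.path.realpath(os.path.join(os.path.realpath(base_dir), t))


def serve(params: dict, resolver=safe_resolve) -> bytes:
    """Stand-in for the route handler (assumption): params mimics flask.request.args."""
    path = resolver(TEMPLATE_DIR, params.get("t", "index.html"))
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    # LFI payloads the vulnerable resolver happily accepts and the hardened one rejects:
    for payload in ("/etc/passwd", "../../../etc/shadow", "/proc/self/cmdline"):
        print("unsafe ->", unsafe_resolve(TEMPLATE_DIR, payload))
        print("safe   ->", "blocked" if not is_inside(TEMPLATE_DIR, payload) else "allowed")
```

The check resolves both the base directory and the candidate with realpath before comparing, so symlinks and dot segments are normalised on both sides; a prefix check on the raw string would be fooled by a symlink inside the template directory pointing elsewhere.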

None of the users had a password set, so there was no hash to crack. I then continued with the LFI. The main file of a Flask application is usually named app.py, so I requested it:

I beautified the file to make it easier to read.

We get several things from this. First, the application runs in debug mode. I looked for the Werkzeug web debugger, but it was apparently disabled; even if I had found it, I would have had to bypass its PIN protection. Second, the key is passed to the application as a command line argument and then hashed with MD5. That key is without a doubt the flag, and its MD5 hash is what the web page displays.

At this point we had the web server's source code and full read access to the filesystem. I had to brainstorm with my teammates, since I was out of ideas for getting at the command line argument. We finally got it through /proc: /proc/self/cmdline contains the command line of whichever process opens it, and since the Flask process is the one reading files through the LFI, requesting /proc/self/cmdline returns the arguments Flask itself was started with, key included.
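The last step, as an added example rather than the team's own script: parse the bytes that /proc/self/cmdline hands back (argv joined and terminated by NUL bytes), pull out the key argument, and confirm it by reproducing the MD5 hash the page shows. The sample cmdline, the --key flag name and the key value "abc" are constructed assumptions; the challenge's real argument name is not given on this page.

```python
import hashlib
from typing import List, Optional

# Constructed sample of what /proc/self/cmdline looks like when read through
# the LFI: argv joined with NUL bytes and NUL-terminated. The --key flag
# name and its value "abc" are assumptions for the example.
SAMPLE_CMDLINE = b"python3\x00app.py\x00--key\x00abc\x00"


def parse_cmdline(raw: bytes) -> List[str]:
    """Split /proc/<pid>/cmdline into argv.

    The trailing NUL produces an empty field that must be dropped.
    """
    return [part.decode("utf-8", "replace") for part in raw.split(b"\x00") if part]


def find_key(argv: List[str], flag: str = "--key") -> Optional[str]:
    """Locate the key given as '<flag> VALUE' or '<flag>=VALUE'; None if absent."""
    for i, arg in enumerate(argv):
        if arg == flag and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(flag + "="):
            return arg[len(flag) + 1:]
    return None


def matches_page_hash(key: str, shown_hash: str) -> bool:
    """Confirm the recovered key by reproducing the hash the page displays."""
    return hashlib.md5(key.encode()).hexdigest() == shown_hash.lower()


def read_live_cmdline(pid: str = "self") -> Optional[bytes]:
    """Read the real file on a Linux host (what the server did for us via the LFI)."""
    try:
        with open("/proc/%s/cmdline" % pid, "rb") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    argv = parse_cmdline(SAMPLE_CMDLINE)
    key = find_key(argv)
    print("argv:", argv)
    print("key:", key, "md5:", hashlib.md5(key.encode()).hexdigest())
```

Note that "self" is resolved by the process doing the open(), which is why the trick works through an LFI: the web server reads its own command line. If the worker that serves the request were a different process from the one that received the key, you would walk /proc/<pid>/cmdline for the parent instead.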

We got the flag! It helped that I knew my way around Flask. Great challenge from a great CTF.
