Friday, January 27, 2012

Mozilla CTF 2012 - IP Panel

The description for this challenge:

"Exploit Mozilla's IP Panel! This IP Panel is used for whitelisting IP addresses. We know that the web interface will call a bash script that will execute an iptables command without validation. Find the flag somewhere in /home/ippanel/ and submit it!"

So it's basically an input validation issue with a text box. The input from the text box gets passed to something like system("iptables $input"). The only validation that occurred here was a character blacklist: you can't use the letter "p" or the "/" character. "p" would get replaced with " - trololololol, no p allowed :p -".

I started with a valid iptables option, "-L", and used the pipe operator "|". In the input field, I put "-L | ls -hal" to get a directory listing. The output was "total 14", so this indicated that the output only prints the last line of whatever was returned from the system call.

To do a complete directory listing:

-L | ls -hal | head -1 | tail -1
-L | ls -hal | head -2 | tail -1
-L | ls -hal | head -3 | tail -1
-L | ls -hal | head -4 | tail -1

and so on until "head -14".

While doing the manual directory listing, I was thinking about how to overcome the challenge of changing my directory path into /home/ippanel/ since it has p's and forward slashes. I was going to simply substitute the p's with *, as in "cd i*anel". However, when I got done with the directory listing, I noticed the flag was already in the current working directory named "th15-15_th3_fl4g.txt".

Just cat the file and we're done:
"-L | cat th15-15_th3_fl4g.txt"
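
The character blacklist compared with an allowlist, as an added example (not code from the challenge or from this post). The "p" replacement text and the inputs are the ones quoted in this write-up; how "/" was handled, the iptables rule shape, the sample address 192.0.2.10 and all function names are assumptions.

```python
import ipaddress

# Replacement text quoted in the write-up; how "/" was handled is an assumption (dropped).
P_REPLACEMENT = " - trololololol, no p allowed :p -"


def blacklist_filter(user_input):
    """Model of the challenge's filter: a character blacklist, nothing else."""
    return user_input.replace("p", P_REPLACEMENT).replace("/", "")


def vulnerable_command(user_input):
    """String a shell would receive, as in system("iptables $input")."""
    return "iptables " + blacklist_filter(user_input)


def allowlist_argv(user_input):
    """Accept exactly one literal IPv4 address and return an argv list.

    The argv is meant for an exec-style call with no shell, so "|" and ";"
    would have no meaning even if they got through. The rule shape
    (-A INPUT -s <ip> -j ACCEPT) is assumed, not taken from the challenge.
    """
    try:
        addr = ipaddress.IPv4Address(user_input)
    except ipaddress.AddressValueError as exc:
        raise ValueError("not an IPv4 address: %r" % user_input) from exc
    return ["iptables", "-A", "INPUT", "-s", str(addr), "-j", "ACCEPT"]


if __name__ == "__main__":
    # 192.0.2.10 is a constructed sample; the other inputs appear in the write-up.
    samples = ["192.0.2.10", "-L | cat th15-15_th3_fl4g.txt", "a | echo *"]
    for s in samples:
        print("input     :", repr(s))
        print("blacklist :", vulnerable_command(s))
        try:
            print("allowlist :", allowlist_argv(s))
        except ValueError as err:
            print("allowlist : rejected,", err)
```

The blacklist leaves the pipe untouched because it only looks for two characters, while the allowlist never has to enumerate shell metacharacters at all.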


  1. A two-command way was this too:

    "a | echo *"

    that returns you this:

    CSS index.php th15-15_th3_fl4g.txt

    and then

    "a | cat th15-15_th3_fl4g.txt"

    Both work great.
    GZ you all!

    1. @litsnarf, much simpler solution. Nice.