TFC CTF 2023 - LIST

Description

  • Category: Forensic
  • Difficulty: EASY
  • Points: 50050

Who knew RCE was this useful?

Download:

Resolution

The list.zip archive contains a single file, list.pcap, which is a network capture file.

The challenge description mentions RCE (remote code execution), so we search the capture for keywords commonly seen in RCE payloads (sh, bash).

We get some interesting hits:

$ strings list.pcap | grep bash
...
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiVCIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiRiIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiQyIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiQyIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiVCIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiRiIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAieyIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiYiIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiNCIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAicyIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiMyIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
...

These are commands sent to the server for execution. After URL-decoding one of them, a base64-encoded command appears:

command=echo "ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiVCIgMj4vZGV2L251bGw=" | base64 -d | bash

We decode again:

find /home/ctf -type f -name "T" 2>/dev/null

After doing this for a few of them, we notice that the -name argument in each command is one character of the flag, sent in order.

Here is a script to speed this up (it reads the captured command= lines from a file named traces):

import base64

# One captured "command=..." line per row, as extracted from list.pcap with strings/grep.
with open("traces", "r") as f:
    traces = f.readlines()

for t in traces:
    # Strip the constant URL-encoded wrapper:  echo "<base64>" | base64 -d | bash
    t = t.replace("command=echo+%22", "")
    t = t.replace("%22+%7C+base64+-d+%7C+bash", "")
    t = t.replace("%3D", "")  # drop the URL-encoded '=' padding, re-added below
    t = t.strip()

    # Restore base64 padding to a multiple of 4 characters, then decode.
    decoded = base64.b64decode(t + "=" * (-len(t) % 4)).decode()
    # Index 30 is the character inside the quotes of  -name "X"  in the find command.
    print(decoded[30], end="")
print()

Finally, we get the flag: TFCCTF{b4s3_64_isnt_that_g00d}
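A more robust version of the decoding step, added to this writeup and not part of the author's script: it URL-decodes each captured request body with urllib.parse, restores the base64 padding, and pulls the -name argument out of the decoded find command with shlex instead of relying on a fixed character offset, so it keeps working if the command changes shape. The sample input is the first seven lines of the grep output above, so the result is only the start of the flag.

```python
import base64
import re
import shlex
from urllib.parse import unquote_plus

# Sample input: the first seven captured lines from the grep output above.
SAMPLE_LINES = [
    "command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiVCIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash",
    "command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiRiIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash",
    "command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiQyIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash",
    "command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiQyIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash",
    "command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiVCIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash",
    "command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiRiIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash",
    "command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAieyIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash",
]

# The encoded-execution wrapper seen in every captured request:
#   echo "<base64>" | base64 -d | bash
ENCODED_EXEC = re.compile(r'echo\s+"([A-Za-z0-9+/=]+)"\s*\|\s*base64\s+-d\s*\|\s*(?:ba)?sh\b')

def decode_command(line):
    """URL-decode one captured request body and return the shell command hidden
    inside the base64 blob, or None if the echo|base64 -d|bash wrapper is absent."""
    match = ENCODED_EXEC.search(unquote_plus(line.strip()))
    if match is None:
        return None
    blob = match.group(1).rstrip("=")
    # Re-pad to a multiple of 4: here the '=' arrives as %3D, but payloads are
    # often sent unpadded and b64decode rejects a short input.
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    return raw.decode("utf-8", errors="replace")

def name_argument(command):
    """Return the value passed to find's -name option, honouring shell quoting."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: not a well-formed command
        return None
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-name":
            return tokens[i + 1]
    return None

def recover_flag(lines):
    """Concatenate the -name arguments of every decoded command, in capture order."""
    commands = (decode_command(line) for line in lines)
    names = (name_argument(c) for c in commands if c is not None)
    return "".join(n for n in names if n is not None)
```

The ENCODED_EXEC pattern is also what a web-log or IDS rule would key on: an echo of a base64 blob piped into base64 -d and then into a shell is a strong indicator of encoded command execution regardless of what the decoded command turns out to be.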

Additional resources

This post is licensed under CC BY 4.0 by the author.