TFC CTF 2023 - LIST
Description
- Category: Forensic
- Difficulty: EASY
- Points: 500 → 50
Who knew RCE was this useful?
Download:
Resolution
The list.zip archive contains a single file, list.pcap, which is a network capture.
The challenge description mentions RCE (remote code execution), so we search the capture for keywords that commonly appear in command-injection payloads, such as sh and bash.
We get some interesting hits:
We got some interesting info:
$ strings list.pcap | grep bash
...
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiVCIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiRiIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiQyIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiQyIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiVCIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiRiIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAieyIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiYiIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiNCIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAicyIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiMyIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash
...
These are commands sent to the server for execution. After URL-decoding one of them we are left with a base64-encoded payload piped straight into a shell:
command=echo "ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiVCIgMj4vZGV2L251bGw=" | base64 -d | bash
We decode again:
find /home/ctf -type f -name "T" 2>/dev/null
After decoding a few more of them, we notice that the single-character argument to -name differs from one command to the next, and that, read in capture order, these characters spell out the flag.
Here is the script to make it faster:
import base64

# "traces" holds the command= lines grepped out of the capture, one per line
traces = open("traces", "r").readlines()
for t in traces:
    # strip the URL-encoded wrapper: echo "<base64>" | base64 -d | bash
    t = t.replace("command=echo+%22", "")
    t = t.replace("%22+%7C+base64+-d+%7C+bash", "")
    t = t.replace("%3D", "")  # the encoded '=' padding, restored below
    t = t.strip()
    # pad back to a multiple of 4, decode, and print the character inside -name "..."
    # (index 30 of: find /home/ctf -type f -name "X" 2>/dev/null)
    print(base64.b64decode(t + "=" * (-len(t) % 4)).decode()[30], end="")
print()
Finally, we get the flag: TFCCTF{b4s3_64_isnt_that_g00d}
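The same recovery, written more defensively, as an added example that is not part of the original writeup. Instead of stripping fixed substrings and indexing a fixed offset, it URL-decodes each line properly, checks that the outer layer really is the echo | base64 -d | bash pipeline, decodes the base64 with validation, and only then extracts the -name argument with a pattern. The sample input is constructed from the eleven command= lines shown in the strings output above, plus one noise line; the regexes and function names are this example's own.

```python
import base64
import re
from urllib.parse import unquote_plus

# Constructed sample input: the eleven command= lines shown in the strings
# output above, copied verbatim, plus one unrelated line that must be ignored.
# The capture itself is not embedded here.
SAMPLE_LINES = [
    "command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiVCIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash",
    "command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiRiIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash",
    "command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiQyIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash",
    "command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiQyIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash",
    "command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiVCIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash",
    "command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiRiIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash",
    "command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAieyIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash",
    "command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiYiIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash",
    "command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiNCIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash",
    "command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAicyIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash",
    "command=echo+%22ZmluZCAvaG9tZS9jdGYgLXR5cGUgZiAtbmFtZSAiMyIgMj4vZGV2L251bGw%3D%22+%7C+base64+-d+%7C+bash",
    "Host: example.invalid",  # noise, as strings would also print
]

# Outer layer, after URL-decoding:  echo "<base64>" | base64 -d | bash
PIPE_RE = re.compile(r'^echo\s+"([A-Za-z0-9+/]+=*)"\s*\|\s*base64\s+-d\s*\|\s*bash$')
# Inner layer: the probe itself, capturing the single -name character
FIND_RE = re.compile(r'^find\s+/home/ctf\s+-type\s+f\s+-name\s+"(.)"\s+2>/dev/null$')


def decode_command(line):
    """Return the shell command hidden in one command= line, or None when the
    line is not an echo | base64 -d | bash pipeline of the expected shape."""
    line = line.strip()
    if not line.startswith("command="):
        return None
    # application/x-www-form-urlencoded: '+' is a space, %XX is a byte,
    # so a literal '+' inside the base64 would have arrived as %2B
    decoded = unquote_plus(line[len("command="):])
    m = PIPE_RE.match(decoded)
    if not m:
        return None
    try:
        # validate=True rejects stray characters and wrong padding instead of
        # silently discarding them, so a truncated line fails loudly
        return base64.b64decode(m.group(1), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def flag_characters(lines):
    """Yield the -name argument of every decoded probe, in capture order."""
    for line in lines:
        cmd = decode_command(line)
        if cmd is None:
            continue
        m = FIND_RE.match(cmd)
        if m:
            yield m.group(1)


def recover_flag(lines):
    """Concatenate the probed characters into the (possibly partial) flag."""
    return "".join(flag_characters(lines))


if __name__ == "__main__":
    print(recover_flag(SAMPLE_LINES))  # TFCCTF{b4s3 for the eleven lines above
```

Run against the full grep output rather than the eleven lines above to get the whole flag. Validating both layers matters because strings only prints payload bytes that are contiguous in the file: a request split across TCP segments comes out truncated, and a truncated line now fails PIPE_RE or the padded decode instead of contributing a wrong character at a fixed offset.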
Additional resources
This post is licensed under CC BY 4.0 by the author.