Comments on: [HackIM 2016] [Web 400 – SmashTheState] Write Up
https://0x90r00t.com/2016/02/03/hackim-2016web-400-smashthestate-write-up/
0x90r00t, 0x90r00f
Last updated: Mon, 08 Feb 2016 11:58:33 +0000

By: The lsd (Thu, 04 Feb 2016 19:49:48 +0000)
https://0x90r00t.com/2016/02/03/hackim-2016web-400-smashthestate-write-up/#comment-4246
In reply to an0n.

I did it on Saturday afternoon GMT+1; it worked fine, except that the flag file was readable only sometimes. I had to reload my sudo cat multiple times to get the file content.

Maybe someone else was trying to modify the sudo at the same time.

(Just in case: it wasn’t me who got the challenge stuck ^^’, I think it’s stupid…)

Enjoy

The lsd

By: The lsd (Thu, 04 Feb 2016 19:42:51 +0000)
https://0x90r00t.com/2016/02/03/hackim-2016web-400-smashthestate-write-up/#comment-4245
In reply to KiFastSystemCallRet.

Actually, I don’t think it would have worked, as there is an "if (isset($_SESSION['user']))" check before the upload.
If you change your session id, PHP will not recognise you anymore and you won’t be able to upload, and therefore not be able to inject your commands into the passthru.

Enjoy

The lsd

By: an0n (Thu, 04 Feb 2016 09:39:18 +0000)
https://0x90r00t.com/2016/02/03/hackim-2016web-400-smashthestate-write-up/#comment-4236

The challenge was unsolvable almost all of the time. Someone modified the sudoers file to restrict passwordless sudo access. BTW, here is my simple race condition exploit to get a reverse shell:
http://pastebin.com/4wsSGPTK

The sudoers restriction:
http://pastebin.com/wdM64Grv

The timestamp of the sudoers file:
-r--r----- 1 root root 786 Jan 30 12:02 sudoers
$ date
Sun Jan 31 12:46:48 UTC 2016

Unfortunately the organizers didn’t deal with this (despite my request).

By: KiFastSystemCallRet (Thu, 04 Feb 2016 08:29:41 +0000)
https://0x90r00t.com/2016/02/03/hackim-2016web-400-smashthestate-write-up/#comment-4233

So couldn’t you execute commands by changing $tmp_file?
I mean, change your session_id to "aaaa;ls -la;cat /"
so the tmp_file should be
$tmp_file = '/var/www/html/tmp/upload_aaaa;ls -la;cat /';

passthru("cat /var/www/html/tmp/upload_aaaa;ls -la;cat /* 2>&1");

By: hehehe (Wed, 03 Feb 2016 17:34:59 +0000)
https://0x90r00t.com/2016/02/03/hackim-2016web-400-smashthestate-write-up/#comment-4225

How to view /etc/passwd, I don’t know …
