GoogleCTF from this year was hard. I couldn't solve most of the challenges, and the ones I did solve took me a lot of time to finish. But that's why we're here: to learn from a good challenge and from the mistakes made along the way. That's why I'm looking forward to write-ups for the other challenges, and why I'm publishing mine for the challenges I did finish. Let's start with the one with the largest number of solves - mindreader.
Quite descriptive, right?
Mindreader - Easy
Viewing the page provided in the challenge gives us a little input box.
Very simple, nothing hidden in the code, no external files, so let's focus on the input. Entering words or phrases doesn't seem to do anything - we always get redirected to a Not Found page.
Can it be a hint? Maybe the code is looking for a file on the server named exactly like our input. If that's the case and the code is not properly implemented, it can be vulnerable to a local file inclusion (LFI) attack.
LFI occurs when the programmer does not correctly sanitize the page include, which allows an attacker to inject directory traversal characters and read system information that helps in further exploiting the server. Here you can see an example of such bad code.
Now that we know the basics, let's try to fetch some files using this attack and see if it works. First one - /etc/passwd. To make this work, enter the path ../../../../etc/passwd in the input box, click submit, and the web page will redirect you to the file. That's how we'll be accessing this and other resources.
Great, we got it! But what can we do with it? There's no flag here, so we have to keep looking. I came up with the idea of grabbing /etc/shadow and then cracking the passwords.
But this didn't work out. We have to keep looking - maybe in .bashrc? Any clues?
Nope. When trying /proc/version, we get Forbidden, so that's something new.
Every file in /proc seems to be protected. But after a good (and educational!) few hours of searching, I managed to find something in the Linux man pages. Let's take a look at /proc/[pid]/environ.
As the environment can be very useful, I decided that's the path I want to go down in this challenge. But as /proc is forbidden, we have to find a different way. Here comes Stack Overflow to the rescue - let's look at this thread!
But trying /dev/fd/environ is once again Not Found. I must be missing something. Let's rethink that: /dev/fd is a symlink into /proc/self/fd, so from there we have to go back one directory and then jump to environ. Got it!
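From the defender's side, the two tricks used above (the ../ traversal and the /dev/fd symlink hop into /proc) are both caught by the same check: resolve the final path and confirm it is still inside the document root. The following is an added example, not code from the challenge; the document-root layout, file names and the fd symlink are constructed stand-ins for the real /dev/fd -> /proc/self/fd link.

```python
import os
import tempfile


class UnsafePathError(ValueError):
    """Raised when a requested path would resolve outside the document root."""


def vulnerable_resolve(root, requested):
    # The pattern the challenge exploits: user input joined onto a root directory.
    # "../../../../etc/passwd" walks out of root, and an absolute input replaces root.
    return os.path.normpath(os.path.join(root, requested))


def safe_resolve(root, requested):
    """Return the real path of `requested` inside `root`, or raise UnsafePathError."""
    root_real = os.path.realpath(root)
    if not requested or "\x00" in requested or os.path.isabs(requested):
        raise UnsafePathError(f"rejected input: {requested!r}")
    # realpath resolves ".." segments *and* symlinks (the /dev/fd -> /proc/self/fd hop
    # from the write-up), so the containment check sees the final target, not the text.
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise UnsafePathError(f"escapes document root: {requested!r}")
    return candidate


def classify(root, requested):
    """'ok' if the request stays inside root, otherwise 'blocked'."""
    try:
        safe_resolve(root, requested)
        return "ok"
    except UnsafePathError:
        return "blocked"


def demo():
    """Constructed layout: a root with index.html, a secret outside it, and a symlink
    inside the root pointing out (standing in for /dev/fd). Returns the verdicts."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "html")
        os.makedirs(root)
        os.makedirs(os.path.join(base, "sub"))
        open(os.path.join(root, "index.html"), "w").close()
        open(os.path.join(base, "secret.txt"), "w").close()
        os.symlink(os.path.join(base, "sub"), os.path.join(root, "fd"))
        requests = ["index.html", "../../../../etc/passwd", "/etc/passwd", "fd/../secret.txt"]
        verdicts = {r: classify(root, r) for r in requests}
        # A purely lexical check is fooled by the symlink hop: normpath keeps it "inside".
        lexical = vulnerable_resolve(root, "fd/../secret.txt")
        verdicts["lexical_check_fooled"] = os.path.commonpath([root, lexical]) == root
        return verdicts
```

The last entry of the returned dict shows why a string-level check on the input is not enough: normpath believes fd/../secret.txt stays under the root, while the real target is a directory above it.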
And in the environment variables, there's the hidden flag!