Tuesday, May 1, 2012

PlaidCTF 2012 - Editors (100 pts)

Past weekend, we participated in Plaid CTF 2012 (perhaps the best CTF I've ever played, kudos to PPP!). I haven't seen any write-up about "Editors" challenge so here we go...

At first sight, this challenge seems simple and even easy to solve by guessing. But it turned out to be not so easy but a real mess :)

What we know:
"We recently gained access to a log (handout.txt) of a robot operative interacting with computer. We are unsure what he was up to but we know  it is of the upmost importance to figure it out."
We are also given following hints:
1. In /etc/sudoers, editor=/usr/bin/emacs
2. Try out yourself!
3. By the state of the machine, we mean either 'on' of 'off'.
After opening .txt file we can read:
"We received the following from our keylogger.  Please submit to us the number of times the editor default in sudoers is set, followed by that field's final value, followed by the number of shells invoked, followed by the state of the machine."
That's all we have. So it's your chance now... try to solve it without our help! Or keep on reading if you are not brave enough! }:-) (seriously, try it yourself!).

- - -

Text was taken from a keylogger so it must contain keycodes. First task is building some kind of conversion table:

  • 1b     ->  <esc>
  • 1b 1b  ->  <esc><esc>  or  <alt-esc>
  • 01     ->  <ctrl-a>
  • 09     ->  <tab>  or  <ctrl-i>
  • 02     ->  <ctrl-b>
  • 1b 30  ->  <esc>0  or  <alt-0>
  • 18     ->  <ctrl-x>
  • 13     ->  <ctrl-s>
  • 03     ->  <ctrl-c>
  • 0a     ->  <ctrl-j>
Some ambiguities arise but we could try to solve it by context, or in other words, by reading different documentation like:
- teco:
- screen 

Below this is the final text we built (with big effort and pain :-)). We need to know when a new shell is opened and when a modified sudoers is written (this is important: sudoers should be truly modified in order to count). Our approach was to reproduce typed text in order to understand it better. See inline comments.

ssh user@1337box<enter>  [ No new shell is opened *in our box* ]
ksu -l<enter>     [ Now I'm root. But no new shell is opened! ]
ub3rstongdeemonsfromtehsewarsZZZ!<enter>   [ Ups, root password! ]
screen<enter>     [ Shell++ (=1) ]
<ctrl-a>S         [ Split window ]
<ctrl-a><tab>     [ Switch to lower window ]
<ctrl-a>c         [ Open shell in lower window -> Shell++ (=2) ]
tmux<enter>       [ Open tmux in lower window  -> Shell++ (=3) ]
<ctrl-b>%         [ Lower window is splitted   -> Shell++ (=4) ]
<ctrl-a><tab>     [ Switch to upper window ]
tmux<enter>       [ Open tmux in upper window  -> Shell++ (=5) ]
<ctrl-b>%         [ Upper window is splitted   -> Shell++ (=6) ]
emacs --daemon<enter>
EDITOR="emacsclient -nw"<enter>
<ctrl-a><tab>     [ Switch to lower window ]
<ctrl-b>o         [ Switch to lower-left window ]
EDITOR=vim visudo<enter>   [ Open sudoers with Vim ]
:%s/emacs/vim, /g<enter>   [ Now "editor=/usr/bin/vim," -> Comma is wrong! ]
:wq<enter>        [ Syntax error when saving to sudoers due to comma ]
<ctrl-b>&y        [ Kill lower-left window. We have now 1 lower window (and 2 upper) -> Shell-=2 (=4) ]
<ctrl-a><tab>     [ Switch to upper-right window ]
<ctrl-a>Q         [ We have 2 windows: left and right. We are at right (EDITOR="emacsclient -nw") ]
visudo<enter>     [ Open sudoers with Emacs ]
<ctrl-b>o         [ Switch to left window ]
ln -s /sbin/poweroff exec<enter>  [ I'm root so sym-link is created correctly ]
ed /etc/sudoers   [ Open sudoers with Ed (in left window; keep open Emacs in right one ]
<ctrl-b>o         [ Switch to right window (Emacs) ]
<esc>OB<esc>OB<esc>OB...   [ Move cursor down by 8 lines ]
<esc>OC<esc>OC<esc>OC...   [ Move cursor 31-times right ]
<esc>[3~<esc>[3~...        [ Delete 7 times ]
teco              [ We add "teco" ]
<ctrl-b>o         [ Switch back to left window (Ed) ]
w /etc/sudoers<enter>   [ Save /etc/sudoers ]
q<enter>          [ Close Ed ]
<ctrl-b>o         [ Switch to right window (Emacs) ]
<ctrl-x><ctrl-s>  [ Save sudoers.tmp (but not real sudoers file!!) ]
<ctrl-x><ctrl-c>  [ Close Emacs -> Save /etc/sudoers AGAIN!! ]
<ctrl-b>&y        [ Only 1 window -> Shell-=2 (=2) ]
<ctrl-a>ky        [ Shell-- (=1) -> Only Screen process is left running ]
./exec<enter>     [ Still root (ksu) -> Shutdown machine -> off ]

Summary, we have done 2 (real) changes in sudoers, "teco" remained as editor in sudoers (last successful modification was done with Emacs), we have opened 6 shells and machine state is "off".

The solution to the challenge is:


  1. That no new shell was launched by ssh is interesting! What box did you test this on?

  2. By "our box" I was referring to the machine launching ssh from, I mean, the ssh client. Of course, a new shell is opened on server side but I was told by the organization not to count it.

  3. ops ... we forgot the /usr/bin/ :(