m0leCon CTF 2023 Teaser is an online jeopardy-style CTF organized by pwnthem0le. The top 10 teams will be invited to the final event, which will take place in Fall 2023 at Politecnico di Torino.
The challenge basically simulates a shell and gives the user the possibility to create, copy and delete files. The m0lecat program loaded into the shell allows to print the content of such in-memory files created with the shell or files actually present in the file system
The original flag has been substituted by ptm{sample_flag}
Both the Dockerfile and the docker-compose.yaml files are provided to launch the server through Docker on port 6745
Vulnerability:
The client has the ability to exploit a use-after-free bug related to the logic of the rm and ln operations combined. While the cp operation actually creates a new file in memory with the same content of the original one, the ln command only writes the pointer to the file into another position of the file system array. The rm operation doesn't handle correctly the possibility of such hard links.
It is possible to get a file which points to the same memory location of the first position in the file system array, which is dedicated to the executable m0lecat.
The client can write a shellcode to the executable location, spawning a shell to retrieve the ./flag.txt file
touch tmpln m0lecat tmp2rm tmprm tmp2touch tmp(inject shellcode)m0lecat tmp(run shellcode)
A mistake on the run_executable() function allowed to exploit a bug and retrieve the flag, due to the fact that every real file that gets opened for print is not actually removed from the program virtual mapped memory:
-
m0lecat flag.txt
This will load the flag file into memory, but a first check doesn't allow it to be printed -
m0lecat /proc/self/mem
This will print the memory of the program, now containing the flag. The check on the flag format is someway passed in this case and the flag gets printed
The python script solve.py should be able to recover automatically the flag.