Iris CTF 2023 - baby?socat

Info

22 Solves (2.1% of users)
478 Points (500 Points)

description

love sockets and cats and socat and ls

Socat version on remote is 1.7.4.1
nc socat.chal.irisc.tf 10000

By: sera

The biggest clue to the intended solution is the socat version.

for player

.
├── chal.c
└── run.sh

Analysis

Mitigation

X

Source Code

#!/bin/bash
echo -n "Give me your command: "
read -e -r input
input="exec:./chal ls $input"

FLAG="fakeflg{REDACTED}" socat - "$input" 2>&0

socat is set up to execute the chal binary with the parameter ls followed by the input.

#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
    if (argc < 2) return -1;
    if (setenv("FLAG", "NO!", 1) != 0) return -1;
    execvp(argv[1], argv + 1);
    return 0;
}

The chal binary just overwrites the FLAG environment variable with "NO!" and then runs its arguments with execvp.

Vulnerability & Solve 1 (intended)

It would be good to refer to the public writeup for this part. For reference, the change log mentioned in the public writeup can be found at pkgsrc.se/net/socat.

Finally, the setenv("FLAG", "NO!", 1) is there to help prevent any unintended solutions. It retains the environment variable only during execution. It would be like I can print env with ls, but I can’t. I concentrated on this part, but it was a waste of time. I haven’t been able to solve this challenge.

Solve 2 (unintended)

Looking at the Discord, there were many people who solved the challenge in this way. (I think it would be okay to use this solution for later. whenever..)

socat [options] <address> <address>

e.g.
socat -d -d - TCP4:www.example.com:80

As for the solution, here it is: !!system:env

SYSTEM is a type of socat address. If you use !!, two single address specifications can be combined to form a dual-type address for one bytestream.

SYSTEM:<shell-command>
Forks a sub process that establishes communication with its parent process and invokes the specified program with system() . Please note that <shell-command> [string] must not contain ',' or "!!", and that shell meta characters may have to be protected. After successful program start, socat writes data to stdin of the process and reads from its stdout.
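
The underlying problem is that run.sh pastes untrusted text into a socat address string, where "!!" and "," are syntax rather than data. A defensive filter for that case follows, as an added example that is not part of the challenge or of this writeup's original code; the function names socat_arg_is_safe and build_exec_address and the allow-listed character set are assumptions.

```shell
#!/bin/sh
# Added example, not the challenge's code: validate text before embedding it
# in a socat address such as "exec:./chal ls <input>".
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below byte-exact

# socat_arg_is_safe TEXT -> exit status 0 if TEXT may be embedded, 1 if not.
# Allow-list: letters, digits, space and ". _ / -". Everything socat's address
# parser treats specially is therefore rejected: '!' (the "!!" dual-address
# separator), ',' (option separator), ':' (parameter separator), quotes and
# backslashes, plus shell metacharacters.
socat_arg_is_safe() {
    case $1 in
        *[!A-Za-z0-9\ ._/-]*) return 1 ;;
    esac
    return 0
}

# build_exec_address TEXT -> prints the address on stdout, or fails with 1.
build_exec_address() {
    if ! socat_arg_is_safe "$1"; then
        echo "rejected: input contains socat address syntax" >&2
        return 1
    fi
    printf 'exec:./chal ls %s\n' "$1"
}

# Constructed sample inputs; the third is the string quoted in this writeup.
demo() {
    for sample in "-la" "/tmp" "!!system:env" "a,b" "x:y"; do
        if addr=$(build_exec_address "$sample" 2>/dev/null); then
            printf 'ok      %-14s -> %s\n' "$sample" "$addr"
        else
            printf 'blocked %s\n' "$sample"
        fi
    done
}
demo
```

The filter only covers socat address syntax; passing the arguments to the program directly as an argv array, without building an address string at all, removes the parsing step entirely.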

You can find the other types of socat address:

Reference