Author: @keltecc
The service is a simple key-value storage.
Users can REGISTER and PUT some information into the storage, and they can GET the information back.
In order to store protected information, users can choose the ENCRYPTED option; the information will then be stored as encrypted data inside the storage.
TLDR:
- Read a hidden `.hash` file that contains a SHA-256 hash of the user's password. OpenSSL is running with the `-iter 16` option, which uses the PBKDF2 function internally.
- Exploit a well-known property of PBKDF2 which is described in the Wikipedia article (HMAC collisions).
- Decrypt the `flag` content using the password hash from the `.hash` file (we don't really need the actual password).

Exploit: vuln1_pbkdf2.py
FIX:
Hide the `.hash` file somehow (rename/move/etc).
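The PBKDF2 property the first bullet list relies on, as an added illustration (this is not the task's exploit code and not the service's code): HMAC-SHA256 replaces any key longer than its 64-byte block size with SHA-256(key) before use, so PBKDF2-HMAC-SHA256 derives exactly the same key material from a long password and from that password's raw 32-byte digest. The salt, iteration count, output length and passwords below are constructed values; the real `.hash` contents and the service's salt are not on the page.

```python
import hashlib

SHA256_BLOCK_SIZE = 64  # HMAC-SHA256 hashes any key longer than this before using it


def derive_key_iv(password: bytes, salt: bytes, iterations: int = 16, length: int = 48) -> bytes:
    """PBKDF2-HMAC-SHA256, the KDF `openssl enc -iter 16` uses (-iter implies -pbkdf2,
    default digest SHA-256). 48 bytes covers a 32-byte key plus a 16-byte IV."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, length)


def digest_substitutes_for_password(password: bytes, salt: bytes) -> bool:
    """True when the raw SHA-256 digest of the password derives the same key material
    as the password itself, i.e. a leaked digest is as good as the password."""
    digest = hashlib.sha256(password).digest()
    return derive_key_iv(password, salt) == derive_key_iv(digest, salt)


def stored_hash_is_password_equivalent(password: bytes) -> bool:
    """Defender-side check without running the KDF: the substitution only works for
    passwords longer than the HMAC block size. Shorter passwords are zero-padded,
    not hashed, when used as an HMAC key, so their digest is a different key."""
    return len(password) > SHA256_BLOCK_SIZE


if __name__ == "__main__":
    salt = b"\x00\x01\x02\x03\x04\x05\x06\x07"  # constructed 8-byte salt (openssl uses 8 bytes too)
    long_password = b"p" * 80    # constructed, longer than 64 bytes
    short_password = b"hunter2"  # constructed, 64 bytes or shorter
    print("long password, digest substitutes:",
          digest_substitutes_for_password(long_password, salt))
    print("short password, digest substitutes:",
          digest_substitutes_for_password(short_password, salt))
```

The consequence for the service is that a stored SHA-256 of a long password must be protected exactly like the password itself, which is why hiding `.hash` is the fix; the length check shows the boundary at which the stored hash stops being a usable substitute.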
TLDR:
- The service doesn't quote arguments of commands (for example: `openssl ${CipherAlgorithm} -e -iter 16 -k ${key} -iv ${iv}`).
- So we can control arguments of most commands, which may lead to a vulnerability.
- The `dd` command is interesting: we can set `of=/proc/self/mem` and overwrite the process memory!
- Also we can set `seek=0x7ffc00000000` to jump somewhere near the stack (this is a lower bound address).
- So now we need to leak the actual stack pointer: we will find the PID of the running `dd` and read `/proc/PID/stat`.
- Then we will read `/proc/PID/maps` and leak the libc mapping.
- We need to make another seek from `0x7ffc00000000` to the real stack address, so we will also set a `conv=sparse` argument to `dd` and it will perform a seek instead of writing `\x00` bytes (wow!).
- When we have reached the `ret` of some function, just write a ROP chain and execute `system`.
- In order to make `dd` run infinitely, we will set `if=/proc/self/fd/255` (this is a special FD used by Bash).

A more detailed description can be found in the exploit: vuln2_rce.py
FIX:
Wrap commands' arguments with quotes, for example: `openssl "${CipherAlgorithm}" -e -iter 16 -k "${key}" -iv "${iv}"`
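How the unquoted expansion turns one value into several arguments, and how the quoted form from the FIX keeps it whole, as an added illustration (this is not the service's code): `printf '%s\n'` stands in for `openssl` so that every argv element the command would receive is printed on its own line, both snippets are run under `/bin/sh` (assumed to be installed), and the cipher name and key values are constructed.

```python
import subprocess

# The page's two forms, with printf standing in for openssl so the argv the
# command receives becomes visible (one element per line).
UNQUOTED = "printf '%s\\n' openssl ${CipherAlgorithm} -e -iter 16 -k ${key}"
QUOTED = 'printf \'%s\\n\' openssl "${CipherAlgorithm}" -e -iter 16 -k "${key}"'


def argv_received(snippet: str, cipher: str, key: str) -> list:
    """Run the snippet under /bin/sh with the given variable values and return the
    argument vector the stand-in command actually received. The values are passed
    as positional parameters, so only the snippet's own expansion can split them."""
    script = 'CipherAlgorithm="$1"; key="$2"; ' + snippet
    result = subprocess.run(["sh", "-c", script, "sh", cipher, key],
                            capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


def key_arrives_intact(snippet: str, cipher: str, key: str) -> bool:
    """True when everything after -k is exactly one argument equal to the key,
    i.e. a user-controlled value could not add or remove arguments."""
    argv = argv_received(snippet, cipher, key)
    return argv[argv.index("-k") + 1:] == [key]


if __name__ == "__main__":
    # Constructed key value containing a space and something that looks like a flag.
    key = "hunter2 --added-flag"
    for name, snippet in (("unquoted", UNQUOTED), ("quoted", QUOTED)):
        argv = argv_received(snippet, "aes-256-cbc", key)
        print(f"{name}: {len(argv)} arguments, key intact: "
              f"{key_arrives_intact(snippet, 'aes-256-cbc', key)}")
        for element in argv:
            print("   ", repr(element))
```

The same check applies to every command the service's script runs, not just `openssl`: with the unquoted form an empty value disappears from argv entirely and a value with spaces becomes several arguments, while the quoted form always delivers exactly one argument per expansion.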