SANS Holiday Hack Challenge 2020: Objective 8 — Broken Tag Generator

Each year, the SANS and Counter Hack Challenges teams put together my favorite capture the flag (CTF) competition, the SANS Holiday Hack Challenge. The 2020 SANS Holiday Hack Challenge, featuring KringleCon 3: French Hens! was held at Santa’s newly renovated castle at the North Pole from December 10, 2020 to January 11, 2021. This is a walk-through for an objective from the event.

Objective 8) Help Noel Boetie fix the Tag Generator in the Wrapping Room. What value is in the environment variable GREETZ? Talk to Holly Evergreen in the kitchen for help with this.

I started with recon, looking at the page source to see what files were loaded. The page loaded an app.js file that contained the JavaScript powering the app. In that file, I found four application endpoints: /save, /share?id=, /upload, and /image?id=.

I looked at the first endpoint I found, /save, by navigating to https://tag-generator.kringlecastle.com/save and got the error message shown below. This revealed to me that the web server seems to be running a file located at /app/lib/app.rb. Googling that file path led me to believe this is likely a Ruby on Rails application.

Next, I explored some of the functionality of the web site. I was able to upload an image and retrieve it through the /image?id= endpoint by providing the ID of the image. I then attempted to upload other file types, including a shell file, but got the error below. This revealed that the uploaded files were being stored in the /tmp folder on the server.

It seemed like the file that was being uploaded was being saved in the /tmp folder and possibly retrieved from that folder. If that were true, a directory traversal attack could be possible if the app does not have the proper validation. My goal was to download the app.rb file to view the source code since I knew that file exists on the system. I attempted this by navigating to https://tag-generator.kringlecastle.com/image?id=/../app/lib/app.rb but I got a message in the browser saying that the image could not be loaded because it contains errors. In looking into this, I saw that the browser was forcing the content type to be a jpeg image. To get around this, I attempted to use curl at the command line.

This successfully downloaded the app.rb file. With the ability to download files from the system, I shifted gears to download other files to see if I could get to the current process’s environment variables. In the process of Googling, I learned that Linux has a /proc file system that exposes information about each running process. Each running process has a folder named after its process ID (PID) containing information about that process, including a file named environ that holds all the environment variables for the process. However, I didn’t know the PID of the current process.

I looked at the man page for the proc file system and found that /proc contains a folder named self, which holds the information for the currently running process. I used this folder to pull back the environ file for the current process by passing https://tag-generator.kringlecastle.com/image?id=../proc/self/environ to curl. This revealed the value of the GREETZ environment variable as JackFrostWasHere.
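A defender's view of the /image?id= handler described above, as an added example that is not the tag generator's own code: the vulnerable path join beside a hardened lookup, plus a check that flags traversal attempts in request paths. UPLOAD_DIR, the function names and the sample requests are assumptions modelled on the walkthrough.

```ruby
require "cgi"
require "uri"

# Added example, not the tag generator's own code. It assumes uploads land
# in UPLOAD_DIR and are fetched by /image?id=<name>, as the walkthrough infers.
UPLOAD_DIR = "/tmp"

# Vulnerable pattern: the id is joined straight onto the upload directory,
# so an id of "../proc/self/environ" resolves outside /tmp.
def unsafe_image_path(id)
  File.join(UPLOAD_DIR, id)
end

# Hardened lookup: allow only a plain file name (no "/", no leading "."),
# then confirm the resolved path still sits under UPLOAD_DIR. Returns nil
# for anything else, so the caller answers 404 instead of reading the file.
def safe_image_path(id)
  return nil unless id.is_a?(String) && id.match?(/\A[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?\z/)
  resolved = File.expand_path(id, UPLOAD_DIR)
  resolved.start_with?(File.join(UPLOAD_DIR, "")) ? resolved : nil
end

# Detection: flag a request line whose id parameter contains a traversal
# sequence, an absolute path, or a NUL byte. Decoding once more after
# CGI.parse (which already decodes) also catches double-encoded attempts.
def traversal_attempt?(request_path)
  uri = URI.parse(request_path)
  return false if uri.query.nil?
  id = CGI.parse(uri.query)["id"].first
  return false if id.nil?
  decoded = CGI.unescape(id)
  decoded.include?("..") || decoded.start_with?("/") || decoded.include?("\0")
rescue URI::InvalidURIError
  false
end

# Constructed sample request paths, modelled on the probes in the walkthrough.
SAMPLE_REQUESTS = [
  "/image?id=7a1b2c3d.jpg",
  "/image?id=/../app/lib/app.rb",
  "/image?id=../proc/self/environ",
  "/image?id=..%2Fproc%2Fself%2Fenviron",
]

def flagged_requests(requests = SAMPLE_REQUESTS)
  requests.select { |r| traversal_attempt?(r) }
end

puts "unsafe: #{unsafe_image_path('../proc/self/environ')}"
puts "safe:   #{safe_image_path('../proc/self/environ').inspect}"
flagged_requests.each { |r| puts "ALERT traversal in #{r}" }
```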

Objective 8 Answer: JackFrostWasHere

Interested in learning more about the 2020 SANS Holiday Hack Challenge? Check out my other walk-throughs available here.
