Each year, the SANS and Counter Hack Challenges teams put together my favorite capture the flag (CTF) competition, the SANS Holiday Hack Challenge. The 2020 SANS Holiday Hack Challenge, featuring KringleCon 3: French Hens! was held at Santa’s newly renovated castle at the North Pole from December 10, 2020 to January 11, 2021. This is a walk-through for an objective from the event.
Objective 8) Help Noel Boetie fix the Tag Generator in the Wrapping Room. What value is in the environment variable GREETZ? Talk to Holly Evergreen in the kitchen for help with this.
I started with recon, looking at the source code to see what files were loaded. I found that the page loaded an
I looked at the first endpoint I found, /save, by navigating to https://tag-generator.kringlecastle.com/save and got the error message shown below. This revealed to me that the web server seems to be running a file located at /app/lib/app.rb. Googling that file path led me to believe this is likely a Ruby on Rails application.
Next, I explored some of the functionality of the web site. I was able to upload an image and retrieve it using the /image?id= endpoint when I provided the ID of the image. I then attempted to upload other file types, including a shell file, but got the error below. This revealed that uploaded files were being stored in the /tmp folder on the server.
It seemed like the uploaded file was being saved in the /tmp folder and possibly retrieved from that same folder. If that were true, a directory traversal attack could be possible if the app does not perform proper validation. My goal was to download the app.rb file to view the source code, since I knew that file exists on the system. I attempted this by navigating to https://tag-generator.kringlecastle.com/image?id=/../app/lib/app.rb but I got a message in the browser saying that the image could not be loaded because it contains errors. Looking into this, I saw that the browser was forcing the content type to be a JPEG image. To get around this, I used curl at the command line.
This successfully downloaded the app.rb file. With the ability to download files from the system, I shifted gears to download other files to see if I could get to the current process's environment variables. In the process of Googling, I learned that Linux has a /proc file system that lists information about each running process. Each running process has a folder named after the process's ID (PID) which contains information about that process. It even includes a file named environ which contains all the environment variables for the running process. However, I didn't know the PID of the current process.
I looked at the man page for the proc file system and found that the /proc/self folder includes the information for the currently running process. I used this folder to pull back the environ file for the currently running process by passing https://tag-generator.kringlecastle.com/image?id=../proc/self/environ to curl. This revealed the value of the GREETZ environment variable:
Objective 8 Answer: JackFrostWasHere
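To show why the id parameter leaked app.rb and /proc/self/environ, and how a lookup like this should be written, here is an added Ruby example (not the challenge's own app.rb): a Sinatra-style image resolver in its traversal-prone form next to a hardened one, plus a check that flags the two probe ids from this walk-through in a constructed access log. UPLOAD_DIR, the id format, the function names and the log lines are assumptions for illustration.

```ruby
require "cgi"

UPLOAD_DIR = "/tmp" # assumption: matches the folder the error message exposed

# Vulnerable pattern: the request id is glued straight onto the directory, so
# "../proc/self/environ" walks out of /tmp and into the process's environment.
def unsafe_image_path(id)
  File.join(UPLOAD_DIR, id)
end

# Hardened: allow only a bare identifier (assumed format: letters, digits, _ -),
# reject NUL bytes, then confirm the expanded path still sits under UPLOAD_DIR.
# Returns the resolved path, or nil when the id must not be served.
def safe_image_path(id)
  return nil if id.nil? || id.include?("\0")
  return nil unless id.match?(/\A[A-Za-z0-9_-]+\z/)
  base = File.expand_path(UPLOAD_DIR)
  resolved = File.expand_path(id, base)           # "../" and "/" cannot survive this
  return nil unless resolved.start_with?(base + File::SEPARATOR)
  resolved
end

# Constructed sample log (not from the event): one normal fetch and the two
# traversal probes described above.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - "GET /image?id=a1b2c3d4 HTTP/1.1" 200
  10.0.0.9 - - "GET /image?id=/../app/lib/app.rb HTTP/1.1" 200
  10.0.0.9 - - "GET /image?id=../proc/self/environ HTTP/1.1" 200
LOG

# Detection aid: decode each id the way the app would and report the ones the
# hardened resolver refuses. Percent-encoded "../" is caught because we unescape first.
def flag_traversal_requests(log)
  log.each_line.filter_map do |line|
    next unless (m = line.match(%r{GET /image\?id=([^\s"]+)}))
    id = CGI.unescape(m[1])
    id if safe_image_path(id).nil?
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{File.expand_path(unsafe_image_path('../proc/self/environ'))}"
  puts "safe:   #{safe_image_path('../proc/self/environ').inspect}"
  puts "flagged: #{flag_traversal_requests(SAMPLE_LOG).inspect}"
end
```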
Interested in learning more about the 2020 SANS Holiday Hack Challenge? Check out my other walk-throughs available here.