Authored by cleemy desu wayo

a sample of [cdwdoc-2023-001], can we confuse this program?

basic usage:

$ ./cdwdoc-2023-001_challenge.sh user1 aaa
you are a valid user! [ user name : "user1" ]
$ ./cdwdoc-2023-001_challenge.sh user1 aaaa
error: you are not a valid user

settings:

$ ls -l cdwdoc-2023-001_challenge*
-rwx---r-x 1 kali kali 633 Feb  6 02:52 cdwdoc-2023-001_challenge.sh
-rwx---r-x 1 kali kali 533 Feb  6 02:50 cdwdoc-2023-001_challenge2.sh
-rw----r-- 1 kali kali 213 Jan 22 16:49 cdwdoc-2023-001_challenge_passwd.txt

challenge it:

user1's correct password is "aaa".

If this program determines that the authentication is successful, we get the message "you are a valid user!".

So can we confuse this program into treating the authentication as successful for user2, without knowing user2's correct password?

Of course, you should not define shell functions, aliases or environment variables of any kind. No files may be deleted, renamed, modified, or created. The permissions of any file must not be changed. Code whose content has been modified must not be executed.

When carrying out the attack, the command you type must begin exactly with "./cdwdoc-2023-001_challenge.sh user2 ", so the first argument is always the 5-character string "user2".

I have confirmed that this code behaves as I intended on the following operating systems:

  • Lubuntu 22.04.1
  • Debian 11.6
  • Knoppix 5.1.1 (KNOPPIX_V5.1.1CD-2007-01-04-EN.iso / md5: 379e2f9712834c8cef3efa6912f30755 / kernel 2.6.19)
  • Knoppix 7.2.0 (KNOPPIX_V7.2.0CD-2013-06-16-EN.iso / md5: 43e1bf11bd52d88d61379fdd38fe869c / kernel 3.9.6)
  • Knoppix 9.1 (KNOPPIX_V9.1CD-2021-01-25-EN.iso / md5: 5f582a85d0d79c5d6c751b8b80ad8401 / kernel 5.10.10)
  • Kali Linux 2022.4 (kali-linux-2022.4-vmware-amd64.7z / kernel 6.0.7)
  • Fedora 37 Workstation
  • Slackware 15.0
  • Tiny Core Linux 13.1 CorePlus Edition (CorePlus-13.1.iso / md5: 871aee85d3ae6715af430fee56e66d57 / kernel 5.15.10)
  • Alpine Linux 3.17.1 Standard Edition (musl libc, not glibc)
  • FreeBSD 13.1-RELEASE
  • OpenBSD 7.2
  • Oracle Solaris 11.4
  • OpenIndiana Hipster 2022.10 (successor of OpenSolaris)
cdwdoc-2023-001_challenge.sh 633 bytes
#!/bin/sh
# written by cleemy desu wayo / see [cdwdoc-2023-001] / Licensed under CC0 1.0

LANG=C   ; export LANG
LC_ALL=C ; export LC_ALL

username="$1"
password="$2"

valid_password_hash=$(cat cdwdoc-2023-001_challenge_passwd.txt \
      | grep "^${username}:" \
      | head -1 \
      | awk -F':' '{print $2}')

user_is_valid=1

if ./cdwdoc-2023-001_challenge2.sh --user-input="$password" --valid-hash="$valid_password_hash" ; then
  user_is_valid=0
fi

if [ "x$user_is_valid" = "x1" ]; then
  echo 'you are a valid user! [ user name : "'"$username"'" ]' >&2
  exit 0
else
  echo 'error: you are not a valid user' >&2
  exit 1
fi
cdwdoc-2023-001_challenge2.sh 533 bytes
#!/bin/sh
# written by cleemy desu wayo / see [cdwdoc-2023-001] / Licensed under CC0 1.0

LANG=C   ; export LANG
LC_ALL=C ; export LC_ALL

get_hash() {
  if type sha256sum > /dev/null; then
    sha256sum | awk '{print $1}'
  elif type openssl > /dev/null; then
    openssl sha256 | awk '{print $2}'
  fi
}

valid_hash=`      printf '%s\n' "$2" | sed 's/^--valid-hash=//' `
user_input_hash=` printf '%s\n' "$1" | sed 's/^--user-input=//' | tr -d '\n' | get_hash`

if [ "x$user_input_hash" = "x$valid_hash" ]; then
  exit 1
fi

exit 0
cdwdoc-2023-001_challenge_passwd.txt 213 bytes
user1:9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0
user2:28ac62f4e66742848b75319b3d861bc67657abb31cc2077758dcf2669dbf3c47
user3:636c65656d792064657375207761796f636c65656d792064657375207761796f
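For comparison, here is a defensively rewritten version of the same check, added as an example and not part of the challenge (it is not presented as the intended answer). It keeps the challenge's "user:sha256hex" table format and command line, but does an exact field match on the user name instead of a grep regex, never places the password on a child process's argv, treats a missing hash tool or an empty lookup as a failure, and avoids the inverted exit codes; the embedded table is constructed for the example.

```shell
#!/bin/sh
# Added example: a fail-closed rewrite of the challenge's check, not the
# author's code. Same table format, but the user lookup is an exact field
# comparison rather than a regex, the password never goes on a child
# process's argv, a missing hash tool or empty lookup counts as failure,
# and the exit codes are not inverted.

# Constructed password table in the challenge's "user:sha256hex" format;
# user1's entry is the challenge's published hash of "aaa".
PASSWD_TABLE='user1:9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0
user2:28ac62f4e66742848b75319b3d861bc67657abb31cc2077758dcf2669dbf3c47'

# Hash stdin to lowercase hex; no output and status 1 if no tool exists.
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | awk '{print $1}'
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha256 | awk '{print $NF}'  # last field is the hex digest
  else
    return 1
  fi
}

# Print the stored hash for user $1; the name must be an identifier that
# starts with a letter, and the first field must match it exactly.
lookup_hash() {
  case "$1" in ""|*[!A-Za-z0-9_]*|[!A-Za-z]*) return 1 ;; esac
  printf '%s\n' "$PASSWD_TABLE" \
    | awk -F: -v u="$1" '$1 == u { print $2; found = 1; exit } END { exit !found }'
}

# Return 0 only when $2 hashes to the stored hash of user $1. Anything
# unexpected (unknown user, non-hex or short hash, missing tool) returns 1.
check_user() {
  valid_hash=$(lookup_hash "$1") || return 1
  input_hash=$(printf '%s' "$2" | sha256_hex) || return 1
  case "$valid_hash$input_hash" in *[!0-9a-f]*) return 1 ;; esac
  [ ${#valid_hash} -eq 64 ] && [ "$input_hash" = "$valid_hash" ]
}

if [ "$#" -eq 2 ]; then   # same command line as the challenge: user password
  if check_user "$1" "$2"; then
    printf 'you are a valid user! [ user name : "%s" ]\n' "$1" >&2
  else
    echo 'error: you are not a valid user' >&2
    exit 1
  fi
fi
```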