
[PicoCTF 2018] - misc - Absolutely Relative

This is one of my writeups for PicoCTF 2018.

Problem

In a filesystem, everything is relative ¯_(ツ)_/¯. Can you find a way to get a flag from this program? You can find it in /problems/absolutely-relative_4_bef88c36784b44d2585bb4d2dbe074bd on the shell server.

Hints:

  1. Do you have to run the program in the same directory? (⊙.☉)7
  2. Ever used a text editor? Check out the program 'nano'

Solution

The following source code is provided for this task:

#include <stdio.h>
#include <string.h>

#define yes_len 3
const char *yes = "yes";

int main()
{
    char flag[99];
    char permission[10];
    int i;
    FILE * file;


    file = fopen("/problems/absolutely-relative_0_d4f0f1c47f503378c4bb81981a80a9b6/flag.txt" , "r");
    if (file) {
        while (fscanf(file, "%s", flag)!=EOF)
        fclose(file);
    }   

    file = fopen( "./permission.txt" , "r");
    if (file) {
        for (i = 0; i < 5; i++){
            fscanf(file, "%s", permission);
        }
        permission[5] = '\0';
        fclose(file);
    }

    if (!strncmp(permission, yes, yes_len)) {
        printf("You have the write permissions.\n%s\n", flag);
    } else {
        printf("You do not have sufficient permissions to view the flag.\n");
    }

    return 0;
}

We can see that the program reads two important files:

  1. /problems/absolutely-relative_0_d4f0f1c47f503378c4bb81981a80a9b6/flag.txt: the flag. We don't have permission to read it ourselves, so we have to read it through the program.
  2. ./permission.txt: the file used by the program to determine whether we are allowed to see the flag file's content.

The program simply checks whether the permission.txt file contains the string yes. The permission.txt file in the task directory contains the string no, and we don't have write permission on it.

What we can exploit is the way the paths to these files are specified: the path to the flag file is absolute, but the path to the permission file is relative, so permission.txt is read from the current working directory, which is whatever directory the program is run from. We can then just navigate to our home directory, create a permission.txt file there that contains yes, and run the program from there.

When we do that, we get the flag: picoCTF{3v3r1ng_1$_r3l3t1v3_3b69633f}.
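For comparison, here is the relative-path check next to a version anchored to a directory the program's owner controls. This is an added example, not part of the original writeup or the challenge source; the helper names (grants, check_anchored, put, demo) and the temporary directories are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 if the stream's first token starts with "yes", else 0. */
static int grants(FILE *f) {
    char buf[16] = "";
    if (!f) return 0;
    int ok = fscanf(f, "%15s", buf) == 1 && strncmp(buf, "yes", 3) == 0;
    fclose(f);
    return ok;
}

/* Pattern from the challenge: resolved against the caller's cwd. */
int check_relative(void) {
    return grants(fopen("./permission.txt", "r"));
}

/* Hardened: resolved against a directory the program owner chose. */
int check_anchored(const char *trusted_dir) {
    int dfd = open(trusted_dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return 0;
    int fd = openat(dfd, "permission.txt", O_RDONLY | O_NOFOLLOW);
    close(dfd);
    return fd < 0 ? 0 : grants(fdopen(fd, "r"));
}

/* Creates dir/permission.txt containing `text`; returns 0 on success. */
static int put(const char *dir, const char *text) {
    char path[256];
    snprintf(path, sizeof path, "%s/permission.txt", dir);
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Constructed scenario: owner's dir says "no", caller's cwd says "yes". */
int demo(void) {   /* returns relative*10 + anchored, or -1 on setup error */
    char owner[] = "/tmp/ownerXXXXXX", user[] = "/tmp/userXXXXXX";
    if (!mkdtemp(owner) || !mkdtemp(user)) return -1;
    if (put(owner, "no\n") || put(user, "yes\n") || chdir(user)) return -1;
    return check_relative() * 10 + check_anchored(owner);
}

int main(void) { printf("%d\n", demo()); return 0; }
```

The relative check follows whatever directory the caller runs the program from, while the anchored check only ever reads the owner's file, and O_NOFOLLOW refuses a permission.txt that is a symlink.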