01 May 2012

Plaid CTF 2012 – Editors

We recently gained access to a log of a robot operative interacting with a computer. We are unsure what he was up to but we know it is of the utmost importance to figure it out.

Opening the file, we find a key log of a session in which a user interacts with a number of editors. We first cleaned up this file into readable key combinations:

We received the following from our keylogger.  Please submit to us the number
of times the editor default in sudoers is set, followed by that field's final
value, followed by the number of shells invoked, followed by the state of the
machine.

ssh user@1337box
cronjobscronjobscronjobscronjobs
ksu -l
ub3rstongdeemonsfromtehsewarsZZZ!
cd
screen

<Ctrl+A>S<Ctrl+A><TAB><Ctrl+A>ctmux
<Ctrl+B>%<Ctrl+A><TAB>tmux
<Ctrl+B>%emacs --daemon
EDITOR="emacsclient -nw"
<Ctrl+A><TAB>teco
EB/etc/sudoers<ESC><ESC>P<ESC><ESC>Seditor<ESC>0TT<ESC><ESC>EX<ESC><ESC><Ctrl+B>o
EDITOR=vim visudo
<ESC>:%s/emacs/vim, /g
<ESC>:wq
<Ctrl+B>&y<Ctrl+A><TAB><Ctrl+A>Qvisudo
<Ctrl+B>oln -s /sbin/poweroff exec
ed /etc/sudoers
<Ctrl+B>o<ESC>OB<ESC>OB<ESC>OB<ESC>OB<ESC>OB<ESC>OB<ESC>OB<ESC>OB<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>OC<ESC>[3~<ESC>[3~<ESC>[3~<ESC>[3~<ESC>[3~<ESC>[3~<ESC>[3~teco<Ctrl+B>o9s/emacs/ed
%l
w /etc/sudoers
q
<Ctrl+B>o<Ctrl+X><Ctrl+S><Ctrl+X><Ctrl+C><Ctrl+B>&y<Ctrl+A>ky./exec

This one was actually hard, because you had to make some assumptions:

  • /etc/sudoers contains the line ‘editor=/usr/bin/emacs’
  • That line is line 9 of /etc/sudoers
  • According to the man page, the -l option of ksu requires a value. We assumed the ksu -l succeeded; otherwise you wouldn’t be able to edit /etc/sudoers at all.
  • So what this log does is:

    ssh user@1337box
    cronjobscronjobscronjobscronjobs         # SSH into 1337box as user "user" with password cronjobscronjobscronjobscronjobs (SHELL 1)
    ksu -l
    ub3rstongdeemonsfromtehsewarsZZZ!        # Run ksu -l with password ub3rstongdeemonsfromtehsewarsZZZ! (SHELL 2)
    cd                                       # Change working directory to the home dir
    screen                                   # Start screen (SHELL 3)

    <Ctrl+A>S<Ctrl+A><TAB><Ctrl+A>ctmux      # Split screen, tab to the second screen, start a shell there and start tmux (SHELL 4)
    <Ctrl+B>%<Ctrl+A><TAB>tmux               # Split the tmux window left/right, go back to the first screen and start tmux (SHELL 5)
    <Ctrl+B>%emacs --daemon                  # Split the tmux window left/right, start emacs in daemon mode (SHELL 6)
    EDITOR="emacsclient -nw"                 # Set the environment variable EDITOR to "emacsclient -nw"
    <Ctrl+A><TAB>teco                        # Go to the second screen and start teco (in shell 4)
    EB/etc/sudoers<ESC><ESC>                 # Open /etc/sudoers
    P<ESC><ESC>                              # Read in the first page
    Seditor<ESC>0TT<ESC><ESC>                # Search for "editor" and print that line
    EX<ESC><ESC>                             # Save the file and exit
    <Ctrl+B>o                                # Switch to the other tmux pane (in shell 3)
    EDITOR=vim visudo                        # Start visudo with vim as the editor
    <ESC>:%s/emacs/vim, /g                   # Replace every "emacs" with "vim, "
    <ESC>:wq                                 # Write and quit (visudo's sanity check fails on the changed line, so this edit is rejected)
    <Ctrl+B>&y<Ctrl+A><TAB><Ctrl+A>Qvisudo   # Close tmux, swap to the first screen, close the second screen and start visudo (in shell 6)
    <Ctrl+B>oln -s /sbin/poweroff exec       # Swap to the left tmux pane (in shell 5) and symlink exec to /sbin/poweroff
    ed /etc/sudoers                          # Open /etc/sudoers with ed
    <Ctrl+B>o                                # Swap back to the emacs session (in shell 6)
    <ESC>OB x 8                              # Go down 8 lines (to line 9, the editor= line)
    <ESC>OC x 31                             # Go right 31 times (assumed to reach the end of the value)
    <ESC>[3~ x 7                             # Delete 7 chars (assumed to leave editor=/usr/bin/)
    teco                                     # Type in teco
    <Ctrl+B>o9s/emacs/ed                     # Switch to the ed session and replace "emacs" with "ed" on line 9
    %l                                       # Display all lines
    w /etc/sudoers                           # Write the file (FIRST EDIT)
    q                                        # Quit
    <Ctrl+B>o                                # Change back to the emacs session in the right tmux pane (shell 6)
    <Ctrl+X><Ctrl+S>                         # Save the file (SECOND AND LAST EDIT)
    <Ctrl+X><Ctrl+C>                         # Exit emacs
    <Ctrl+B>&y                               # Close tmux
    <Ctrl+A>ky                               # Close screen
    ./exec                                   # Execute ./exec (symlinked to poweroff), so the system shuts down (STATE OFF)
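As an added illustration (my code, not the writeup's), here is a small tokenizer for the cleaned keylog notation used above: it splits a line into screen/tmux prefix commands, terminal escape sequences and literal text, then run-length collapses repeats, which is the step that turns the long emacs line into "Down x 8, Right x 31, Delete x 7". The token grammar is my reading of the notation, and the sample line is rebuilt from the raw log's repeat counts.

```python
import re
from itertools import groupby

# Token grammar for the cleaned keylog notation (my reading of the writeup's
# notation, not a format the CTF defined): <Ctrl+A> and <Ctrl+B> are the
# screen/tmux prefix keys and swallow the command key that follows them; <ESC>
# may begin a terminal escape sequence (cursor keys and Delete as a VT100-style
# terminal sends them); anything else is literal text typed into the foreground.
TOKEN_RE = re.compile(
    r"<Ctrl\+A>ky|<Ctrl\+B>&y"                  # kill-window commands + 'y' confirmation
    r"|<Ctrl\+[AB]>(?:<TAB>|<Ctrl\+[A-Z]>|.)"   # prefix key + its command key
    r"|<ESC>(?:O[A-D]|\[3~)?"                   # bare ESC, or a cursor-key/Delete sequence
    r"|<(?:Ctrl\+[A-Z]|TAB)>"                   # other named keys (emacs C-x C-s, ...)
    r"|[^<\n]+"                                 # literal text
)

KEY_NAMES = {"<ESC>OA": "Up", "<ESC>OB": "Down", "<ESC>OC": "Right",
             "<ESC>OD": "Left", "<ESC>[3~": "Delete"}


def tokenize(line):
    """Split one keylog line into key tokens; raw tab characters become <TAB>."""
    return TOKEN_RE.findall(line.replace("\t", "<TAB>"))


def collapse(tokens):
    """Run-length encode repeated keys: [("<ESC>OC", 31), ...]."""
    return [(tok, len(list(run))) for tok, run in groupby(tokens)]


def describe(line):
    """Render a line the way the annotated listing does ('Down x 8', 'Right x 31')."""
    parts = []
    for tok, n in collapse(tokenize(line)):
        name = KEY_NAMES.get(tok, tok)
        parts.append(f"{name} x {n}" if n > 1 else name)
    return " | ".join(parts)


def typed_text(log):
    """Per line, only the literal text: what was typed into the foreground program."""
    return [[t for t in tokenize(l) if not t.startswith("<")]
            for l in log.splitlines() if l.strip()]


# The emacs line from the raw log, rebuilt from its repeat counts (constructed input).
EMACS_LINE = ("<Ctrl+B>o" + "<ESC>OB" * 8 + "<ESC>OC" * 31 + "<ESC>[3~" * 7
              + "teco<Ctrl+B>o9s/emacs/ed")

if __name__ == "__main__":
    print(describe(EMACS_LINE))
    # -> <Ctrl+B>o | Down x 8 | Right x 31 | Delete x 7 | teco | <Ctrl+B>o | 9s/emacs/ed
```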
    

Combining all this together we end up with the following information:

  • Number of times the editor default is set: 2
  • Field’s final value: /usr/bin/teco
  • Number of shells invoked: 6
  • State of the machine: off

Which gives us the key: 2/usr/bin/teco6off

2 Responses to “Plaid CTF 2012 – Editors”

  1. This challenge was so annoying. Spent hours trying to figure this out.

    1. the ksu -l issue you mention (queried, and got “not all implementations are the same”, so did as you did, assumed it worked).

    2. The /etc/sudoers file contained spaces, not tabs (Tried in vanilla debian, backtrack, centos and ubuntu server – all contained tabs [or at least they were being treated as tabs with vanilla installs of emacs]). And 31 chars would bring you to the end of the line. In all cases with me it brought me to the end of the line, the next 7 char presses would turn

    /usr/bin/emacs into /usr/bin/emacsost parameters… (or something along those lines, basically the rest of the comment from the line that was originally 2 lines down).

    which would fail the sanity check (no edit).

    3. The server was in runlevel 3, in runlevel 6 /sbin/poweroff only reboots the machine when called without any arguments.

    So in my case, ed was the only editor that successfully saved an edit.

    4. Not sure why but in my cases ps -ef | grep bash | grep -v grep | wc -l would show the shells increase by 1 when ctrl+A, ctrl+c was pressed in screen.

    Meaning that by the end I had 7 shells not 6.

    Grrrr, so annoying to be following the right premise but fail on a technicality because the result wasn’t deterministic.

    Nice write up though and good to see just where I was going wrong.

    scriptmonkey
  2. Grrr.. so many hours of frustration. We only got it by fuzzing a few of the values we figured we might be off on. Had the same issue as mentioned above. Also, I agree with script monkey. Screen CTL-A c /does/ open up another shell on any box I’ve tried it on. In fact, from the man page:

    C-a C-c (screen) Create a new window with a shell and switch to that window.

    I heard supposedly that they weren’t counting the initial ssh or ksu commands as starting shells, but the screen ones as having done so? No idea, either way, a far more obnoxious challenge than it should have been.

    We ended up scripting an expect session to shove the raw bytes directly into a shell (turns out there’s a nifty python binding that made it easy) and even watching it that way we had a lot of trouble due to the already mentioned assumptions and bugs.

    Psifertex