codezen.fr code hacking, zen coding

15 Jan 2014

Hackyou 2014 – Net400 – gsmd.sh Write-up

Welcome to Microsoft Security Assessment Lab.
As far as we are concerned, you are once again applying for an information security job at our vacancy.
Our policy has changed. We're not making our products secure anymore — we're now providing bugs to NSA.
They have run out of their CYCLONE Hx9's GSM station emulators and had to switch to using real base stations for now.

As your test assignment, you are to take over the base station at
77.220.186.142:40000

Debug console: gsmd.sh

This challenge gives us broken base station firmware; the goal is to retrieve the file /home/flag.txt. The shell script contains a flaw of this shape:

    echo -n "Auth token > "
    read token                  # no -r and no quoting: the token is expanded as-is below
    if [ "`gsmd_auth_check $token`" == 'AUTHED' ]; then
      ok=1                      # the only place "ok" is set on a successful check
    fi

    filename=/home/flag.txt

    echo "Attempting to read arbitrary file"
    echo === $filename ===

    if [ $ok == 1 ]; then       # "ok" is never initialised to 0 and is unquoted
      cat "$filename"
    fi

The check relies on a global "ok" variable that is never initialised before the authentication check runs; the script only ever sets it on success and otherwise trusts whatever value it already holds. If we can get ok=1 set somewhere else in the script, the final test passes and we get the flag.
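
To make the defect concrete, here is an added example (not the challenge's gsmd.sh and not the write-up author's code) that puts the page's check beside a hardened version; gsmd_auth_check is a stub that accepts only a placeholder token, and the comparison is written with POSIX `=` so it runs under plain sh.

```shell
#!/bin/sh
# Added illustration of the write-up's bug. gsmd_auth_check is a stub (the
# real checker is not on the page): it prints AUTHED only for a placeholder.
gsmd_auth_check() {
  [ "$1" = "correct-token-placeholder" ] && echo AUTHED
}

# Vulnerable pattern, as in the write-up: "ok" is never initialised, so a
# stray "ok=1" anywhere earlier (another line of the script, or even an
# exported environment variable) passes the final test although the
# authentication failed. With "ok" unset the test expands to "[ = 1 ]",
# which only prints a syntax error and evaluates as false, so the bug is
# invisible until something else sets the variable.
vulnerable_check() {
  token="$1"
  if [ "`gsmd_auth_check $token`" = 'AUTHED' ]; then
    ok=1
  fi
  if [ $ok = 1 ]; then
    return 0        # the real script would cat /home/flag.txt here
  fi
  return 1
}

# Hardened: the flag is local and initialised to 0, inherited state is never
# trusted, every expansion is quoted and the numeric compare uses -eq.
hardened_check() {
  token="$1"
  local ok=0
  if [ "$(gsmd_auth_check "$token")" = 'AUTHED' ]; then
    ok=1
  fi
  if [ "$ok" -eq 1 ]; then
    return 0
  fi
  return 1
}
```

Setting `ok=1` in the calling shell before invoking `vulnerable_check bogus` reproduces the bypass, while `hardened_check bogus` still returns 1.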

That "somewhere else" in the script turns out to be this line:

      RND=$(dmesg | tail -100 | egrep -i '[^a-f0-9].[^\s\S]f' | egrep -B4 '\b[A-Z][^A-C][A-Z].\s\w' | rev | grep musk | rev | egrep -A7 $'\x3A\x20\x2E\x2E\x2E\x20' | egrep -w `echo -n GPRS | md5sum | head -c3` | tail -1)