CTFtime.org

Wordle Bash

by Elysiumplain / NGFW7

Rating:

# SSH key Hijacking
> Author: @JohnHammond#6971
> We put a new novel spin on the old classic game of Wordle! Now it's written in bash! :D
> Oh, and you aren't guessing words, this time...

We find a **read_only** [terminal session]() logged in as `user` with `wordle_bash.sh`.
We see the wordle game generates a random integer and rans modulus on the date-parts to generate a random date (fun fact, you can get dates that aren't valid dates - this should be a hint).

The critical component is the boolean check ``` if [[ $(date $guess_date) == $(date -d $TARGET_DATE +%Y-%m-%d) ]] ``` where if you run through the game (even with a valid date) the output shows `date: invalid date ‘2020-01-01’`. Here we can see that the `date` command is both missing a `-d` flag as well as proper formatting `+%Y-%m-%d` to match the `$TARGET_DATE` variable because the `==` is a string comparator in bash.

To get the `$guess_date` variable to pass custom input is the first issue here - but conveniently have been provided an `Input` option:

`echo "Please select the date you meant:" guess_date=$(gum input --placeholder $guess_date)`

We can now check [GTFOBins](https://gtfobins.github.io/gtfobins/date/) for vulnerabilities with the `date` command and see that we can specify `-f` to read the date string from a file.

Looking at the script, if we successfully guess the date the game rewards us with `"Congratulations, you've won! You correctly guessed the date!" 'Your flag is:' $(cat /root/flag.txt)` which shows us the path to our flag.txt file.

Put it all together and we get `-f /root/flag.txt` as our input string...but we get `date: /root/flag.txt: Permission denied`! So we need to read the flag using elevated permissions.

Check the `sudoers` permission with `sudo -l` to list the current user's permissions and we see `User user may run the following commands on wordle-bash...: (root) /home/user/wordle_bash.sh`. We can run the script with `sudo` - let's try.

`date: invalid date ‘[ Sorry, your flag will be displayed once you have code execution as root ]’`

We were able to read files as `root` by executing commands from within an elevated script. Let's abuse this to dump the ssh keys at `/root/.ssh/id_rsa` and `/root/.ssh/id_rsp.pub`.

Spoof our **local** ssh key and `ssh` into the server again using `ssh -i id_rsa` in order to specify we want to use our hijacked ssh key file.

Once connected we can navigate to `/root` to find the `flag.txt` accompanied by **get_flag_random_suffix_#############**

Happy hunting!

### wordle_bash.sh
```#!/bin/bash

YEARS=("2020" "2021" "2022" "2023" "2024" "2025")
MONTHS=("01" "02" "03" "04" "05" "06" "07" "08" "09" "10" "11" "12" )
DAYS=("01" "02" "03" "04" "05" "06" "07" "08" "09" "10" "11" "12" "13" "14" "15" "16" "17" "18" "19" "20" "21" "22" "23" "24" "25" "26" "27" "28" "29" "30" "31")

YEARS_SIZE=${#YEARS[@]}
YEARS_INDEX=$(($RANDOM % $YEARS_SIZE))
YEAR=${YEARS[$YEARS_INDEX]}

MONTHS_SIZE=${#MONTHS[@]}
MONTHS_INDEX=$(($RANDOM % $MONTHS_SIZE))
MONTH=${MONTHS[$MONTHS_INDEX]}

DAYS_SIZE=${#DAYS[@]}
DAYS_INDEX=$(($RANDOM % $DAYS_SIZE))
DAY=${DAYS[$DAYS_INDEX]}

TARGET_DATE="${YEAR}-${MONTH}-${DAY}"

gum style \
--foreground 212 --border-foreground 212 --border double \
--align center --width 50 --margin "1 2" --padding "2 4" \
'WORDLE DATE' 'Uncover the correct date!'

echo "We've selected a random date, and it's up to you to guess it!"

wordle_attempts=1
while [ $wordle_attempts -le 5 ]
do
echo "Attempt $wordle_attempts:"
echo "Please select the year you think we've chosen:"
chosen_year=$(gum choose ${YEARS[@]})

echo "Now, enter the month of your guess: "
chosen_month=$(gum choose ${MONTHS[@]})

echo "Finally, enter the day of your guess: "
chosen_day=$(gum choose ${DAYS[@]})

guess_date="$chosen_year-$chosen_month-$chosen_day"

if ! date -d $guess_date; then
echo "Invalid date! Your guess must be a valid date in the format YYYY-MM-DD."
exit
fi

confirmed=1
while [ $confirmed -ne 0 ]
do
gum confirm "You've entered '$guess_date'. Is that right?"
confirmed=$?
if [[ $confirmed -eq 0 ]]
then
break
fi
echo "Please select the date you meant:"
guess_date=$(gum input --placeholder $guess_date)
done

if [[ $(date $guess_date) == $(date -d $TARGET_DATE +%Y-%m-%d) ]]; then
gum style \
--foreground 212 --border-foreground 212 --border double \
--align center --width 50 --margin "1 2" --padding "2 4" \
"Congratulations, you've won! You correctly guessed the date!" 'Your flag is:' $(cat /root/flag.txt)
exit 0
else
echo "Sorry, that wasn't correct!"
echo "====================================="
fi

wordle_attempts=$((wordle_attempts+1))
done

gum style \
--foreground 212 --border-foreground 212 --border double \
--align center --width 50 --margin "1 2" --padding "2 4" \
"Sorry, you lost." "The correct date was $TARGET_DATE."
```

Comments