Tags: tar misc re shell 

Rating: 5.0

# Star

## Description

```
I made my own file manager... Here you have a DEMO version of it.

nc star.nc.jctf.pro 1337
```

Tags: `RE`, `MISC`

`EASY`

## Provided Files

```
- star.tar.gz
```

Which contained the ELF binary `star`.

## Writeup

> [!NOTE]
> Initially `Hannah` and me (`notcat`) were working on this. After some time `berndoJ` and `Xer0` also joined us.

> [!NOTE]
> Jump to [Solution](#solution) if how we got there does not interest you.

This already started a bit weird for a challenge tagged with `RE`, as the reversing challenges I saw up until this point never had an endpoint associated with them. Additionally, the first things we gathered about this challenge did not bolster our confidence:

The provided binary is stripped c++.

Ignoring the binary for now, once connected to the endpoint we were greeted by:

```
JCTF COMMANDER v0.1
1. create file
2. rename file
3. print file
4. delete file
5. edit file
0. exit
>
```

Where the options all do what one would expect from them.

We did have a look around the binary, including decrypting the strings used in it at a later time (credit to `berndoJ`), but in the end the only relevant information we did not get another way as well was that there are options which are not displayed. This was a hunch coming from the 9 really similar blocks of 3 function calls each in `main` before the interactive loop starts:

```c++
// ...
/* try { // try from 001048ff to 00104903 has its CatchHandler @ 00104a6e */
FUN_0010a300(local_b0);
FUN_0010b2f0(local_68,local_b0);
FUN_0010b2c0(local_b0);
/* try { // try from 00104924 to 00104928 has its CatchHandler @ 00104ada */
FUN_0010a440(local_a8);
FUN_0010b3c0(local_60,local_a8);
FUN_0010b390(local_a8);

// ...
// repeat in similar fashion 6 times
// ...

/* try { // try from 00104a18 to 00104a1c has its CatchHandler @ 00104a86 */
FUN_0010aa80(&local_70);
FUN_0010b7d0(local_28,&local_70);
FUN_0010b7a0(&local_70);
// ...
```

It seems like an array of function pointers gets created, indexed depending on the user input by the function @`00106ec` and then called by this line at the end of the interactive loop:

```c++
(**(code **)*puVar3)(puVar3);
```

Discovering this gave us access to the commands 6, 7, & 8. Of these both 6 & 8 respond with `not implemented yet`, but 7 prompts for `Input archive name:`

Then using `strace` with the local binary we discovered the exact `tar` command being run. With that we had all the information necessary to arrive at our solution:

### Solution

The hidden option `7` executes the command `/bin/tar cf <archive-name> *`. Where `<archive-name>` is a user provided name with rather limited allowed characters.

User-input filenames when creating files are similarly limited, however the destination parameter when renaming is not.

Specifically, all characters required for option `(a)` from the [tar-gtfobins](https://gtfobins.github.io/gtfobins/tar/#shell) are allowed when renaming.

> Credit to `neverbolt` for the hint to `gtfobins`

The precise steps required are then:

1. create 3 files with arbitrary names
2. rename a file to `--checkpoint=1`
3. rename another file to `--checkpoint-action=exec=sh` (using `sh` instead of `/bin/sh` as slashes are not allowed in filenames)
4. select option `7` and provide a not yet existing filename for the archive
5. have shell access inside directory `/tmp/fs`
6. the flag `justCTF{th3_st4r_1s_sh1n1ng}` is in `/flag.txt`

## Conclusion

The `EASY` difficulty is probably warranted, but the ghidra c++ decompilation did lead to
> `thats hella cursed c++`

being written in our team chat. ;)

Original writeup (https://github.com/TeamAustria/writeups/blob/main/2024-justctf/star.md).