PicoCTF - File types

tags: PicoCTF CTF Misc

Challenge: File types

Background

For Shell Script

• Linux MD5
• Linux egrep命令
• Shell test 命令

  -f 文件名: 如果文件存在且为普通文件则为真

• How to modify $PATH
• touch - time stamp
• What is $$ in bash?

For Compress Command

• Linux 備份檔案操作 cpio 指令教學與範例
• bzip2 command in Linux
• Gzip Command in Linux
• Lzip Manual
• lz4 manual
• lzma manual
• lzop(1) - Linux man page

Source code

Flag.pdf

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172

#!/bin/sh # This is a shell archive (produced by GNU sharutils 4.15.2). # To extract the files from this archive, save it to some FILE, remove # everything before the '#!/bin/sh' line above, then type 'sh FILE'. # lock_dir=_sh00046 # Made on 2022-03-15 06:50 UTC by <root@e8647f66bc56>. # Source directory was '/app'. # # Existing files will *not* be overwritten, unless '-c' is specified. # # This shar contains: # length mode name # ------ ---------- ------------------------------------------ # 1092 -rw-r--r-- flag # MD5SUM=${MD5SUM-md5sum} f=`${MD5SUM} --version | egrep '^md5sum .*(core|text)utils'` test -n "${f}" && md5check=true || md5check=false ${md5check} || \ echo 'Note: not verifying md5sums. Consider installing GNU coreutils.' if test "X$1" = "X-c" then keep_file='' else keep_file=true fi echo=echo save_IFS="${IFS}" IFS="${IFS}:" gettext_dir= locale_dir= set_echo=false for dir in $PATH do if test -f $dir/gettext \ && ($dir/gettext --version >/dev/null 2>&1) then case `$dir/gettext --version 2>&1 | sed 1q` in *GNU*) gettext_dir=$dir set_echo=true break ;; esac fi done if ${set_echo} then set_echo=false for dir in $PATH do if test -f $dir/shar \ && ($dir/shar --print-text-domain-dir >/dev/null 2>&1) then locale_dir=`$dir/shar --print-text-domain-dir` set_echo=true break fi done if ${set_echo} then TEXTDOMAINDIR=$locale_dir export TEXTDOMAINDIR TEXTDOMAIN=sharutils export TEXTDOMAIN echo="$gettext_dir/gettext -s" fi fi IFS="$save_IFS" if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null then if (echo -n test; echo 1,2,3) | grep n >/dev/null then shar_n= shar_c=' ' else shar_n=-n shar_c= ; fi else shar_n= shar_c='\c' ; fi f=shar-touch.$$ st1=200112312359.59 st2=123123592001.59 st2tr=123123592001.5 # old SysV 14-char limit st3=1231235901 if touch -am -t ${st1} ${f} >/dev/null 2>&1 && \ test ! -f ${st1} && test -f ${f}; then shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"' elif touch -am ${st2} ${f} >/dev/null 2>&1 && \ test ! -f ${st2} && test ! -f ${st2tr} && test -f ${f}; then shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"' elif touch -am ${st3} ${f} >/dev/null 2>&1 && \ test ! -f ${st3} && test -f ${f}; then shar_touch='touch -am $3$4$5$6$2 "$8"' else shar_touch=: echo ${echo} 'WARNING: not restoring timestamps. Consider getting and installing GNU ' Exploit - Google and Uncompress 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 # shell script $ file Flag.pdf Flag.pdf: POSIX shell script, ASCII text executable, with CRLF line terminators $ mv Flag.pdf Flag.sh # debug $ chmod 777 Flag.sh $ ./Flag.sh zsh: ./Flag.sh: bad interpreter: /bin/sh^M: no such file or directory $ sed -i -e 's/\r$//' Flag.sh $ ./Flag.sh x - created lock directory _sh00046. x - extracting flag (text) x - removed lock directory _sh00046. # ar $ ls Flag.pdf Flag.sh flag $ file flag flag: current ar archive $ mv flag flag.ar $ ar -x flag.ar # cpio $ ls Flag.pdf Flag.sh flag flag.ar $ file flag flag: cpio archive $ mv flag flag.cpio $ cpio -iv < flag.cpio flag 2 blocks # bzip2 $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio $ file flag flag: bzip2 compressed data, block size = 900k $ mv flag flag.bz2 $ bzip2 -d flag.bz2 # gzip $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio $ file flag flag: gzip compressed data, was "flag", last modified: Tue Mar 15 06:50:36 2022, from Unix, original size modulo 2^32 329 $ mv flag flag.gz $ gzip -d flag.gz # lzip $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio $ file flag flag: lzip compressed data, version: 1 $ mv flag flag.lz $ lzip -d flag.lz # lz4 $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio $ file flag flag: LZ4 compressed data (v1.4+) $ mv flag flag.lz4 $ lz4 -d flag.lz4 Decoding file flag flag.lz4 : decoded 266 bytes # lzma $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio flag.lz4 $ file flag flag: LZMA compressed data, non-streamed, size 255 $ mv flag flag.lzma $lzma -d flag.lzma # lzop $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio flag.lz4 $ file flag flag: lzop compressed data - version 1.040, LZO1X-1, os: Unix $ mv flag flag.lzo $ lzop -d flag.lzo # lzip $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio flag.lz4 flag.lzo $ file flag flag: lzip compressed data, version: 1 $ mv flag flag.lz $ lzip -d flag.lz # xz $ls Flag.pdf Flag.sh flag flag.ar flag.cpio flag.lz4 flag.lzo $file flag flag: XZ compressed data $mv flag flag.xz ~/CTF/P/M/File_types $ xz -d flag.xz # Completely Uncompressed $ls Flag.pdf Flag.sh flag flag.ar flag.cpio flag.lz4 flag.lzo $file flag flag: ASCII text $cat flag | xxd -r -p picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_3c79c5ba} Reference Bash script – “/bin/bash^M: bad interpreter: No such file or directory” Convert Hex to ASCII 'touch' Exploit - Google and Uncompress 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 # shell script $ file Flag.pdf Flag.pdf: POSIX shell script, ASCII text executable, with CRLF line terminators $ mv Flag.pdf Flag.sh # debug $ chmod 777 Flag.sh $ ./Flag.sh zsh: ./Flag.sh: bad interpreter: /bin/sh^M: no such file or directory $ sed -i -e 's/\r$//' Flag.sh $ ./Flag.sh x - created lock directory _sh00046. x - extracting flag (text) x - removed lock directory _sh00046. # ar $ ls Flag.pdf Flag.sh flag $ file flag flag: current ar archive $ mv flag flag.ar $ ar -x flag.ar # cpio $ ls Flag.pdf Flag.sh flag flag.ar $ file flag flag: cpio archive $ mv flag flag.cpio $ cpio -iv < flag.cpio flag 2 blocks # bzip2 $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio $ file flag flag: bzip2 compressed data, block size = 900k $ mv flag flag.bz2 $ bzip2 -d flag.bz2 # gzip $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio $ file flag flag: gzip compressed data, was "flag", last modified: Tue Mar 15 06:50:36 2022, from Unix, original size modulo 2^32 329 $ mv flag flag.gz $ gzip -d flag.gz # lzip $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio $ file flag flag: lzip compressed data, version: 1 $ mv flag flag.lz $ lzip -d flag.lz # lz4 $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio $ file flag flag: LZ4 compressed data (v1.4+) $ mv flag flag.lz4 $ lz4 -d flag.lz4 Decoding file flag flag.lz4 : decoded 266 bytes # lzma $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio flag.lz4 $ file flag flag: LZMA compressed data, non-streamed, size 255 $ mv flag flag.lzma $lzma -d flag.lzma # lzop $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio flag.lz4 $ file flag flag: lzop compressed data - version 1.040, LZO1X-1, os: Unix $ mv flag flag.lzo $ lzop -d flag.lzo # lzip $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio flag.lz4 flag.lzo $ file flag flag: lzip compressed data, version: 1 $ mv flag flag.lz $ lzip -d flag.lz # xz $ls Flag.pdf Flag.sh flag flag.ar flag.cpio flag.lz4 flag.lzo $file flag flag: XZ compressed data $mv flag flag.xz ~/CTF/P/M/File_types $ xz -d flag.xz # Completely Uncompressed $ls Flag.pdf Flag.sh flag flag.ar flag.cpio flag.lz4 flag.lzo $file flag flag: ASCII text $cat flag | xxd -r -p picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_3c79c5ba} Reference Bash script – “/bin/bash^M: bad interpreter: No such file or directory” Convert Hex to ASCII ', distributed in GNU coreutils...' echo fi rm -f ${st1} ${st2} ${st2tr} ${st3} ${f} # if test ! -d ${lock_dir} ; then : else ${echo} "lock directory ${lock_dir} exists" exit 1 fi if mkdir ${lock_dir} then ${echo} "x - created lock directory ${lock_dir}." else ${echo} "x - failed to create lock directory ${lock_dir}." exit 1 fi # ============= flag ============== if test -n "${keep_file}" && test -f 'flag' then ${echo} "x - SKIPPING flag (file already exists)" else ${echo} "x - extracting flag (text)" sed 's/^X//' << 'SHAR_EOF' | uudecode && begin 600 flag M(3QA<F-H/@IF;&%G+R`@("`@("`@("`@,"`@("`@("`@("`@,"`@("`@,"`@ M("`@-C0T("`@("`Q,#(T("`@("`@8`K'<6D`&[RD@0`````!````,&(\-P4` M``#_`69L86<``$)::#DQ05DF4UG8%@C,```E___[Y[M[G]GO[=^W[_N__^6^ MYJGOD+YKS[D]VU]`>Q]/?;`!&;"0&@:`!H:`T:9-`#3330T:::`!H-'J:``8 MC0:!H,C1HR#1HR,C)ZFFCU-'E'J8T:AR`Q#1B`-`&3330`80:`!B,!,1DT-` M`#$&1ID9#!,@R::&$PAHR#3"JGZ4R,C1HTT#U&(80#1H`9,C1ZF0Q`9``>H` M!D````]3$`,F(`T&AHT!`$`-$2N?R0*H(%R04*<D(7$`\"P"6J(/ORS5EV'E MY1A`\T1>[HJ%R[CD]7UCS7E.#93IHR*#^?R7/$W6*1]HGQ=6EJ_/A$B_2<_G M5]3/.*(B)V8P0AS.5X<KE?9IM4'Q<3&PH+K"FJ)I6/1XOFW@W<,00<]B>2 MPX5/>V_P:DLC2^>A1^[>Y#?DS"9KG7[]/=<ASJ7MJ$$R& PicoCTF - File types tags: PicoCTF CTF Misc Challenge: File types Background For Shell Script Linux MD5 Linux egrep命令 Shell test 命令 -f 文件名: 如果文件存在且为普通文件则为真 How to modify $PATH touch - time stamp What is $$ in bash? For Compress Command Linux 備份檔案操作 cpio 指令教學與範例 bzip2 command in Linux Gzip Command in Linux Lzip Manual lz4 manual lzma manual lzop(1) - Linux man page Source code Flag.pdf 6.9W")P6VS9LD M.F7L4"\Y$H@O$:/N]]<+E+8B9)"'%;)PX-A@F\-3%=ICS(%E2AC+#,!8,< MZ%O`<_HMM@M%6#]!6"7]`2W:!\.3@RYX$/2&/(\:I$<N@*34)6G+(BNGHY5V M0T)XU&!)Q5B-(=%VD-NN'6ZZ(BF`XC3PJ\R/QN6:)#XCNK?X%$*H>1Z(HQ>C M#5HSE`/XJAZ-J?*((R/%CB[DBG"A(;`L$9@`QW$``````````````0`````` M```+``````!44D%)3$52(2$A```````````````````````````````````` M```````````````````````````````````````````````````````````` M```````````````````````````````````````````````````````````` M```````````````````````````````````````````````````````````` M```````````````````````````````````````````````````````````` M```````````````````````````````````````````````````````````` M```````````````````````````````````````````````````````````` M```````````````````````````````````````````````````````````` M```````````````````````````````````````````````````````````` M```````````````````````````````````````````````````````````` ,```````````````` ` end SHAR_EOF (set 20 22 03 15 06 50 36 'flag' eval "${shar_touch}") && \ chmod 0644 'flag' if test $? -ne 0 then ${echo} "restore of flag failed" fi if ${md5check} then ( ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'flag': 'MD5 check failed' ) << \SHAR_EOF b5cc2c5756410f2467168f6d4c468f52 flag SHAR_EOF else test `LC_ALL=C wc -c < 'flag'` -ne 1092 && \ ${echo} "restoration warning: size of 'flag' is not 1092" fi fi if rm -fr ${lock_dir} then ${echo} "x - removed lock directory ${lock_dir}." else ${echo} "x - failed to remove lock directory ${lock_dir}." exit 1 fi exit 0

Exploit - Google and Uncompress

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107

# shell script $ file Flag.pdf Flag.pdf: POSIX shell script, ASCII text executable, with CRLF line terminators $ mv Flag.pdf Flag.sh # debug $ chmod 777 Flag.sh $ ./Flag.sh zsh: ./Flag.sh: bad interpreter: /bin/sh^M: no such file or directory $ sed -i -e 's/\r$//' Flag.sh $ ./Flag.sh x - created lock directory _sh00046. x - extracting flag (text) x - removed lock directory _sh00046. # ar $ ls Flag.pdf Flag.sh flag $ file flag flag: current ar archive $ mv flag flag.ar $ ar -x flag.ar # cpio $ ls Flag.pdf Flag.sh flag flag.ar $ file flag flag: cpio archive $ mv flag flag.cpio $ cpio -iv < flag.cpio flag 2 blocks # bzip2 $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio $ file flag flag: bzip2 compressed data, block size = 900k $ mv flag flag.bz2 $ bzip2 -d flag.bz2 # gzip $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio $ file flag flag: gzip compressed data, was "flag", last modified: Tue Mar 15 06:50:36 2022, from Unix, original size modulo 2^32 329 $ mv flag flag.gz $ gzip -d flag.gz # lzip $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio $ file flag flag: lzip compressed data, version: 1 $ mv flag flag.lz $ lzip -d flag.lz # lz4 $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio $ file flag flag: LZ4 compressed data (v1.4+) $ mv flag flag.lz4 $ lz4 -d flag.lz4 Decoding file flag flag.lz4 : decoded 266 bytes # lzma $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio flag.lz4 $ file flag flag: LZMA compressed data, non-streamed, size 255 $ mv flag flag.lzma $lzma -d flag.lzma # lzop $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio flag.lz4 $ file flag flag: lzop compressed data - version 1.040, LZO1X-1, os: Unix $ mv flag flag.lzo $ lzop -d flag.lzo # lzip $ ls Flag.pdf Flag.sh flag flag.ar flag.cpio flag.lz4 flag.lzo $ file flag flag: lzip compressed data, version: 1 $ mv flag flag.lz $ lzip -d flag.lz # xz $ls Flag.pdf Flag.sh flag flag.ar flag.cpio flag.lz4 flag.lzo $file flag flag: XZ compressed data $mv flag flag.xz ~/CTF/P/M/File_types $ xz -d flag.xz # Completely Uncompressed $ls Flag.pdf Flag.sh flag flag.ar flag.cpio flag.lz4 flag.lzo $file flag flag: ASCII text $cat flag | xxd -r -p picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_3c79c5ba}

Reference

• Bash script – “/bin/bash^M: bad interpreter: No such file or directory”
• Convert Hex to ASCII