madebydavid / wizzie-ctf

small simple security challenges

Lesson 13 - failure to launch browser on debian 9.13 #1

Open madebydavid opened 3 years ago

madebydavid commented 3 years ago

w2c3@w2c3:~/Desktop/wizzie-ctf/lesson-13$ ./get-flag.py 
Starting bank server on port 8098
Running Firefox as root in a regular user's session is not supported.  ($HOME is /home/w2c3 which is owned by w2c3.)
Running Firefox as root in a regular user's session is not supported.  ($HOME is /home/w2c3 which is owned by w2c3.)
Running Firefox as root in a regular user's session is not supported.  ($HOME is /home/w2c3 which is owned by w2c3.)
Running Firefox as root in a regular user's session is not supported.  ($HOME is /home/w2c3 which is owned by w2c3.)
/usr/bin/xdg-open: 778: /usr/bin/xdg-open: iceweasel: not found
/usr/bin/xdg-open: 778: /usr/bin/xdg-open: seamonkey: not found
/usr/bin/xdg-open: 778: /usr/bin/xdg-open: mozilla: not found
/usr/bin/xdg-open: 778: /usr/bin/xdg-open: epiphany: not found
/usr/bin/xdg-open: 778: /usr/bin/xdg-open: konqueror: not found
/usr/bin/xdg-open: 778: /usr/bin/xdg-open: chromium-browser: not found
/usr/bin/xdg-open: 778: /usr/bin/xdg-open: google-chrome: not found
/usr/bin/xdg-open: 778: /usr/bin/xdg-open: www-browser: not found
/usr/bin/xdg-open: 778: /usr/bin/xdg-open: links2: not found
/usr/bin/xdg-open: 778: /usr/bin/xdg-open: elinks: not found
/usr/bin/xdg-open: 778: /usr/bin/xdg-open: links: not found
/usr/bin/xdg-open: 778: /usr/bin/xdg-open: lynx: not found
/usr/bin/xdg-open: 778: /usr/bin/xdg-open: w3m: not found
xdg-open: no method available for opening 'http://localhost:8098/index.html'

madebydavid commented 3 years ago

This can be prevented with a setuid

# Open the web browser
def open_browser():
    time.sleep(3)
    os.setuid(1000)
    webbrowser.open_new('http://localhost:%d/index.html' % port)
threading.Thread(target=open_browser).start()

However, we need to determine which uid to use

madebydavid commented 3 years ago

Also, this fix results in a "Permission denied" when you enter the correct password, as the uid the process has switched to does not have permission to open the flag.txt file.

madebydavid commented 3 years ago

patch:

From dae8b1aa69fb1330ac49ac9341eba2f3dab97b50 Mon Sep 17 00:00:00 2001
From: Wizzie Wizzie Computer Coding Club <sutherland.dave@gmail.com>
Date: Sat, 31 Oct 2020 15:29:18 +0000
Subject: [PATCH] Resolves #1

---
 lesson-13/get-flag.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lesson-13/get-flag.py b/lesson-13/get-flag.py
index fa5cb1a..13d73bf 100755
--- a/lesson-13/get-flag.py
+++ b/lesson-13/get-flag.py
@@ -21,6 +21,9 @@ next(csv_data) # skip the first row
 for row in csv_data:
     user_passwords[row[0]] = row[1]

+# Read the flag file contents into a variable
+flag_file = open('../flag.txt')
+flag = flag_file.read()

 class BankHTTP(http.server.SimpleHTTPRequestHandler):
     def do_POST(self):
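
Review bot: the added `flag_file = open('../flag.txt')` never closes the handle, and the comment above it does not say why the read moved to module level (it has to happen before the uid change in `open_browser`). Suggest `with open('../flag.txt') as flag_file:` around the read and a comment stating that ordering requirement. The relative path also now depends on the working directory at startup, so a wrong directory stops the whole script instead of failing one request; resolving it against the script's own directory would avoid that.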
@@ -43,8 +46,6 @@ class BankHTTP(http.server.SimpleHTTPRequestHandler):
                 raise Exception('Invalid password')

             # Return the flag
-            flag_file = open('../flag.txt')
-            flag = flag_file.read()
             self.send_response(200)
             self.send_header('Content-type', 'text/plain')
             self.end_headers()
@@ -68,5 +69,6 @@ threading.Thread(target=bank_server.serve_forever).start()
 # Open the web browser
 def open_browser():
     time.sleep(3)
+    os.setuid(os.getuid()) # to avoid running browser as root
     webbrowser.open_new('http://localhost:%d/index.html' % port)
 threading.Thread(target=open_browser).start()
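
Review bot: `os.setuid(os.getuid())` in `open_browser` only drops root when the real uid is already the unprivileged user (effective uid 0, real uid non-zero); if the script is started through sudo, the real uid is 0 and the call changes nothing. It also leaves the group ID and supplementary groups untouched, and on Linux the uid change applies to the whole process rather than only this thread, so the inline comment "to avoid running browser as root" understates its effect on the server thread. Suggest dropping supplementary groups and gid before the uid, doing it once in the main flow after the flag is read instead of inside the browser thread, and rewording the comment to say the whole process gives up root.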
-- 
2.11.0
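
The thread leaves open which uid to switch to and hits "Permission denied" once the process has given up root. The sketch below is an added example, not code from this repository: it picks the target uid/gid, reads the protected file first, then drops privileges permanently. It assumes the script is started either with effective uid 0 and the user's real uid, or through sudo (which sets SUDO_UID and SUDO_GID); the function names are hypothetical.

```python
import os
import pwd

def resolve_target_ids(real_uid, real_gid, environ):
    """Pick the unprivileged uid/gid to drop to.

    setuid-style launch: the real uid is already the invoking user.
    sudo-style launch: the real uid is 0, so fall back to SUDO_UID/SUDO_GID.
    """
    if real_uid != 0:
        return real_uid, real_gid
    try:
        uid = int(environ["SUDO_UID"])
        gid = int(environ["SUDO_GID"])
    except (KeyError, ValueError):
        raise RuntimeError("cannot determine an unprivileged user to drop to")
    if uid == 0:
        raise RuntimeError("refusing to 'drop' to uid 0")
    return uid, gid

def drop_privileges(uid, gid):
    """Permanently drop root: supplementary groups, then gid, then uid."""
    if os.geteuid() != 0:
        return False                      # not root, nothing to drop
    name = pwd.getpwuid(uid).pw_name
    os.initgroups(name, gid)              # replace root's supplementary groups
    os.setgid(gid)                        # must happen while still root
    os.setuid(uid)                        # as root: sets real, effective and saved uid
    try:
        os.setuid(0)                      # must fail if the drop is permanent
    except PermissionError:
        return True
    raise RuntimeError("privileges were not dropped")

def load_secret_then_drop(path, environ=os.environ):
    """Read the root-only file first, then drop (assumed usage, e.g. flag.txt)."""
    uid, gid = resolve_target_ids(os.getuid(), os.getgid(), environ)
    with open(path) as fh:                # handle is closed before the drop
        secret = fh.read()
    drop_privileges(uid, gid)
    return secret
```

Calling `load_secret_then_drop` once before any thread is started keeps the ordering explicit: every thread, including the HTTP server, runs unprivileged afterwards.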