Tenable CTF - Notes Challenge Walkthrough

This was a web challenge in the Tenable CTF 2022.

In the challenge description, we are given an IP address and login credentials for a user.

After logging in with the credentials provided in the challenge description, we are redirected to /notes.php, which has a textbox and a render button. My first thought was that the challenge involved either a cross-site scripting vulnerability (probably a blind one) or a vulnerability in the rendering process itself (maybe an LFI, or LaTeX injection).

We then try to render some text, and the application returns a PDF file as shown below:

[image: notes (the rendered PDF)]

We think that the metadata in the PDF file might be useful for gathering information about the challenge. Therefore, we run exiftool against the PDF file:

[image: exiftool output]

Now we know that pdfTeX is running behind the application, which raises the question of what happens if we inject a LaTeX command. But before going further, I intercepted the request using Burp Suite and sent it to Repeater, to make iterating easier and avoid missing details:

[image: Burp Suite request]

Afterwards, we try to inject a simple LaTeX command, such as \textit{test}. The application has no trouble with that: test is now rendered in italics, exactly as the injected command would normally do. So the server compiles whatever LaTeX we supply. Let's try something more powerful.

Reading Files with LaTeX

Since we were able to compile and run our LaTeX on the challenge server, I wondered if I could read files using the LaTeX command \input, which is ordinarily used for inserting one LaTeX file into another. I tried to read /etc/passwd, and I was successful!
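From the defender's side, the bug above is that user-supplied text reaches pdfTeX with the engine's file-reading primitives and default path restrictions intact. The following is an added example (not code from the challenge or from Tenable) of how a "render my note" endpoint could be guarded: a denylist of control sequences that read or write files, plus a pdflatex invocation with shell escape disabled and kpathsea's openin_any/openout_any set to "p" (paranoid), which refuses dotfiles such as .aws/credentials and absolute paths such as /etc/passwd outside the output directory. The denylist contents, the note.tex filename and the constructed sample submissions are my assumptions; the flags and variables are real pdflatex/kpathsea settings.

```python
"""Guard for a 'render my note as PDF' feature (added example, not the challenge's code)."""
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Control sequences that let a document touch the filesystem or shell.
# A denylist is only a speed bump (TeX can be obfuscated), which is why
# \catcode, \csname and \scantokens are on it too and why the real
# protection is the paranoid kpathsea configuration in compile_pdf().
FILE_ACCESS_COMMANDS = (
    "input", "include", "InputIfFileExists",
    "openin", "read", "readline",             # \read covers \read16 etc.
    "openout", "write", "immediate",          # \write covers \write18
    "lstinputlisting", "verbatiminput",
    "catcode", "csname", "scantokens",
)
# A TeX control word ends at the first non-letter, so \input{ and \read16
# match while \inputenc and \includegraphics (different commands) do not.
_PATTERN = re.compile(r"\\(" + "|".join(FILE_ACCESS_COMMANDS) + r")(?![A-Za-z])")


def find_dangerous_commands(tex: str) -> list[str]:
    """Sorted names of denylisted control sequences found in the submission."""
    return sorted({m.group(1) for m in _PATTERN.finditer(tex)})


def is_safe(tex: str) -> bool:
    return not find_dangerous_commands(tex)


def build_document(body: str) -> str:
    """The service owns the preamble; the user only ever supplies the body."""
    return "\\documentclass{article}\n\\begin{document}\n" + body + "\n\\end{document}\n"


def compile_pdf(body: str, timeout: int = 20) -> bytes:
    """Compile a vetted body to PDF in a throwaway directory (requires pdflatex)."""
    bad = find_dangerous_commands(body)
    if bad:
        raise ValueError("rejected submission, uses: " + ", ".join(bad))
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        (work / "note.tex").write_text(build_document(body))
        # kpathsea reads these from the environment, overriding texmf.cnf:
        # openin_any=p refuses dotfiles and absolute paths outside TEXMFOUTPUT,
        # openout_any=p does the same for writes, shell_escape=f disables \write18.
        env = {
            "PATH": os.environ.get("PATH", ""),
            "openin_any": "p",
            "openout_any": "p",
            "shell_escape": "f",
            "TEXMFOUTPUT": str(work),
        }
        subprocess.run(
            ["pdflatex", "-no-shell-escape", "-halt-on-error",
             "-interaction=batchmode", "-output-directory", str(work), "note.tex"],
            cwd=work, env=env, timeout=timeout, check=True,
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
        return (work / "note.pdf").read_bytes()


# Constructed submissions: the two from the walkthrough plus benign ones.
CONSTRUCTED_SAMPLES = {
    "italic": r"\textit{test}",
    "heading": r"\section{Notes} \textbf{bold}",
    "passwd": r"\input{/etc/passwd}",
    "aws": r"\input{.aws/credentials}",
}


def triage(samples: dict[str, str]) -> dict[str, list[str]]:
    """Map each submission name to the denylisted commands it contains."""
    return {name: find_dangerous_commands(tex) for name, tex in samples.items()}


if __name__ == "__main__":
    for name, hits in triage(CONSTRUCTED_SAMPLES).items():
        print(f"{name:8s} -> {'OK' if not hits else 'REJECT ' + ', '.join(hits)}")
```

Running the module prints OK for the two benign notes and REJECT for both \input payloads. The denylist is the cheap first layer; the layer that actually closes the hole is running pdflatex as an unprivileged user in a scratch directory with openin_any=p, because then even an obfuscated \input cannot open /etc/passwd or a dotfile.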

Now we need to find some clues that will lead us to the flag. This gets us back to the challenge description:

[image: challenge description]

According to the description, we need to find credentials that grant access to an S3 bucket. Since S3 buckets are containers for objects stored in Amazon S3, we are looking for AWS credentials, which on a Linux system live in the .aws/credentials file under the user's home directory.

After executing \input{.aws/credentials}, we get the file containing the AWS credentials. Now we can look around the bucket using the AWS CLI as shown below:

[image: aws credentials]

aws configure                                       # enter the leaked access key, secret key and region
aws s3 ls                                           # lists the buckets the credentials can see
aws s3 ls s3://professorsnotes                      # lists the objects in the bucket; we see a file called "certificate.pdf"
aws s3 cp s3://professorsnotes/certificate.pdf .    # copies the file from the bucket to our machine

certificate.pdf:

[image: flag]