VimJail
VimJail 1.0
Description
Connect with socat file:$(tty),raw,echo=0 tcp:vimjail1.chal.uiuc.tf:1337
| 50 Points | Author: richard
Dockerfile entry.sh nsjail.cfg vimrc
Analysis
The entry file removes read access from the flag and runs vim with the following options:
* -R: Opens Vim in read-only mode, preventing accidental modifications to files.
* -M: Starts Vim in "modifiable" mode, allowing editing of text.
* -Z: Restores the terminal's original screen contents upon exiting Vim.
* -u /home/user/vimrc: Specifies a custom vimrc file (/home/user/vimrc) to use for Vim's configuration.
#!/usr/bin/env sh
chmod -r /flag.txt
vim -R -M -Z -u /home/user/vimrc
vimrc
" Disables Vim's compatibility mode, so that Vim uses its own enhanced features and behavior rather than emulating older versions of Vi.
set nocompatible
" Makes Insert mode the default mode, so Vim starts in Insert mode and you can insert text immediately when opening a file.
set insertmode
" Insert-mode mappings: each of these key combinations inserts the literal text "nope" instead of performing its usual action.
inoremap <c-o> nope
inoremap <c-l> nope
inoremap <c-z> nope
inoremap <c-\><c-n> nope
Solution
Escape Insert mode: Ctrl+\ -> Ctrl+n -> Ctrl+V
Executing this payload was troublesome. With some delays between keys, I was able to enter Visual mode.
Edit flag.txt -> Press : -> Type: edit flag.txt
Profit
Flag: uiuctf{n0_3sc4p3_f0r_y0u_8613a322d0eb0628}
VimJail2
Connect with socat file:$(tty),raw,echo=0 tcp:vimjail2.chal.uiuc.tf:1337
| 50 Points | Author: richard
Dockerfile entry.sh nsjail.cfg vimrc viminfo
Analysis
Same vimrc, but now it converts almost any character in command-line mode to _, with the exception of q.
#!/usr/bin/env sh
vim -R -M -Z -u /home/user/vimrc -i /home/user/viminfo
cat /flag.txt
Solution
Same trick as previous.
Escape Insert mode: Ctrl+\ -> Ctrl+n -> Ctrl+V
Executing this payload was troublesome. With some delays between keys, I was able to enter Visual mode.
Type :q to quit.
Hit enter (if flag not printed).
Profit
Flag: uiuctf{_c364201e0d86171b}
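Both solutions hinge on the delay between Ctrl+\ and Ctrl+n: Vim matches a multi-key mapping such as <c-\><c-n> only while its keys arrive within 'timeoutlen' (1000 ms by default), and otherwise handles the keys unmapped. The following is an added example, not part of the original writeup or the challenge files, that audits a vimrc for mappings with that property. The function names are assumptions, and mapping_fires is a simplified model of Vim's matching.

```python
import re

# The challenge vimrc from this page (comments omitted).
PAGE_VIMRC = r"""
set nocompatible
set insertmode
inoremap <c-o> nope
inoremap <c-l> nope
inoremap <c-z> nope
inoremap <c-\><c-n> nope
"""

def split_keys(lhs):
    """Split a mapping LHS such as <c-\\><c-n> into its individual keys."""
    return [k.lower() for k in re.findall(r"<[^<>]+>|.", lhs)]

def audit_vimrc(text):
    """Return (timeout, timeoutlen_ms, {lhs_keys: rhs}) for insert-mode maps."""
    timeout, timeoutlen, maps = True, 1000, {}  # Vim defaults
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith('"'):
            continue  # blank line or vimrc comment
        if words[0] in ("set", "se"):
            for opt in words[1:]:
                if opt in ("timeout", "to", "notimeout", "noto"):
                    timeout = not opt.startswith("no")
                elif m := re.fullmatch(r"(?:timeoutlen|tm)=(\d+)", opt):
                    timeoutlen = int(m.group(1))
        elif words[0] in ("inoremap", "imap") and len(words) >= 3:
            maps[tuple(split_keys(words[1]))] = " ".join(words[2:])
    return timeout, timeoutlen, maps

def mapping_fires(keys, gaps_ms, timeout=True, timeoutlen=1000):
    """Simplified model: a multi-key mapping matches only if each gap between
    its keys is shorter than timeoutlen; otherwise the keys pass through."""
    return len(keys) == 1 or not timeout or all(g < timeoutlen for g in gaps_ms)

def timing_dependent(text):
    """List mappings whose blocking effect depends on typing speed."""
    timeout, _, maps = audit_vimrc(text)
    return ["".join(k) for k in maps if timeout and len(k) > 1]

if __name__ == "__main__":
    print("timing-dependent mappings:", timing_dependent(PAGE_VIMRC))
```

For the vimrc above, only the two-key mapping is reported; the single-key mappings match regardless of typing speed.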