I actually only solved this 12+ hours after the CTF ended, with help from my teammates Auxy and Kileak. The files are here. We are given 5 files:
```
python3.6: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=9dae0eec9b3f9cb82612d20dc0c3088feab9e356, stripped
libc-2.27.so: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b417c0ba7cc5cf06d1d1bed6652cedb9253c60d0, for GNU/Linux 3.2.0, stripped
Collection.cpython-36m-x86_64-linux-gnu.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=241f5274d685b0cd35c64b14f024fb7171ea04b2, stripped
server.py: Python script, ASCII text executable
test.py: ASCII text
```
Let's look at the contents of server and test:
server.py:

```python
import os
import tempfile
import os
import string
import random

def randstr():
    return ''.join(random.choice(string.ascii_uppercase + string.digits + string.ascii_lowercase) for _ in range(10))

flag = open("flag", "r")

prefix = """
from sys import modules
del modules['os']
import Collection
keys = list(__builtins__.__dict__.keys())
for k in keys:
    if k != 'id' and k != 'hex' and k != 'print' and k != 'range':
        del __builtins__.__dict__[k]
"""

size_max = 20000

print("enter your code, enter the string END_OF_PWN on a single line to finish")
code = prefix
new = ""
finished = False

while size_max > len(code):
    new = raw_input("code> ")
    if new == "END_OF_PWN":
        finished = True
        break
    code += new + "\n"

if not finished:
    print("max length exceeded")
    sys.exit(42)

file_name = "/tmp/%s" % randstr()
with open(file_name, "w+") as f:
    f.write(code.encode())

os.dup2(flag.fileno(), 1023)
flag.close()

cmd = "python3.6 -u %s" % file_name
os.system(cmd)
```

test.py:

```python
import Collection

a = Collection.Collection({"a":1337, "b":[1.2], "c":{"a":45545}})
print(a.get("a"))
print(a.get("b"))
print(a.get("c"))
```
Remember that the flag file has already been opened and sits at fd number 1023. At first, this may look like […]
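As an added example (not part of the original writeup or the challenge files), the sketch below reproduces the `os.dup2(flag.fileno(), 1023)` / `flag.close()` step from server.py with a constructed secret, and shows that a child process inherits that descriptor unless the parent closes it at spawn time. The helper name `run_child`, the child one-liner and the sample secret are assumptions for illustration; `os.system`, as used in server.py, behaves like the `close_fds=False` case.

```python
import os
import subprocess
import sys
import tempfile

FLAG_FD = 1023  # descriptor number used by server.py
SAMPLE_SECRET = "CONSTRUCTED{not_a_real_flag}"  # constructed sample, not the real flag

# Child program: it never opens a file by name, it only reads an inherited fd.
CHILD = "import os, sys; sys.stdout.write(os.read(%d, 64).decode())" % FLAG_FD


def run_child(close_fds):
    """Mimic server.py's dup2()/close(), spawn a child, return what it read or None."""
    with tempfile.NamedTemporaryFile("w", suffix=".flag", delete=False) as tmp:
        tmp.write(SAMPLE_SECRET)
        path = tmp.name
    secret = open(path, "r")
    try:
        # os.dup2() marks the new descriptor inheritable by default,
        # so it survives fork/exec even after the original is closed.
        os.dup2(secret.fileno(), FLAG_FD)
        secret.close()
        proc = subprocess.run(
            [sys.executable, "-c", CHILD],
            close_fds=close_fds,  # True closes every fd above 2 in the child
            stdout=subprocess.PIPE,
            stderr=subprocess.DEVNULL,
        )
        # A non-zero exit means os.read() failed with EBADF in the child.
        return proc.stdout.decode() if proc.returncode == 0 else None
    finally:
        os.close(FLAG_FD)
        os.unlink(path)


if __name__ == "__main__":
    print("child with inherited fds:", run_child(close_fds=False))
    print("child with close_fds=True:", run_child(close_fds=True))
```
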