Now I going to write about evilpython pwn writeup from Myanmar Cyber Security Challenge 2018.
Hint - "Evil exists not only in hell"
Now time to test!
I just connect with my nc( netcat client ) to server that running evilpython.
first I submit "123" to server.
the server response back to me "123"
Now I try to submit some payload "1-2"
the server response back to me "-1", Opps!
why response back "-1".
And try to reconnect to server with nc and don't type anything just press Enter.
I got some error.
I know the backend running python script execute with eval function to our input variable age.
evil_age = eval(age)
I quick look up in google and I found the python payload like that
"[].__class__.__base__.__subclasses__()[59].__init__.func_globals['linecache'].__dict__.values()[12].__dict__.values()[144]('id')"
uid=1000(pyevil)
bingo! we executed "id" command to server, Now I need to find the flag in server.
the evil python script is running under pyevil user privilege, so the flag will be under pyevil home folder ( just I guess ), let search the flag in home folder.
Now I found the flag path, let read the flag.
flag : mcsc{eval_is_s0_ev!l}
Thanks For reading.
This is second challenge that I solved in MCSC2018.
And the first solver team of that challenge, so we got another bonus (1 point ).
I want to say thank you to Ko ******* who created this challenge.
No comments:
Post a Comment