CTFtime.org / TAMUctf 19 / copper / Writeup

Exploit:
```
import telnetlib
import string
import base64

HOST, PORT = ('172.30.0.2', 6023)

# from mitm
m = {
'\n': 'S+79/0xJH6oVAqvGSE+Vlw==',
' ': '83jbJmmZc/RUXML8GcGuVg==',
'"': 'WSThaqht6loKlvNDraoarw==',
'-': 'h8zZvECdaFr730Mgo5EgYQ==',
'/': 'pxsE18FW3UofpVPzG1RchA==',
'.': 'gCe+M22NmuwF6cPVKGGoZQ==',
'=': 'Tkb8E728rfsc+V1i5HtOzQ==',
'>': 'bIyEa1uO0qUPR+sBqjAJ8g==',
'a': 'RdGNIA97r2yYuQsdXjbQGA==',
'c': 'XpjdNQ+r0XfWy25TW5lyAg==',
'd': 'vCffRJyLzPpoDVYNvxEtoA==',
'e': '9+fXRGjlf3TvpwR6XiqcSw==',
'f': 'qgZnSf9/KcpMFM90/ZaklQ==',
'g': 'lwA3zobBmueRmJyafjFH9A==',
'h': '4iLXaYY1As8N9+wW+PVQOg==',
'i': 'L2/wiXcz7QQyFdbuDe14+w==',
'l': 'YiqMxpZQz+5dPf+qELowBw==',
'm': '0bGyNN1VKjWCxituvKDVvg==',
'n': 'KLVDOWDtxnck6THwQuPfGg==',
'o': '/Ks7iNV5tZaZT32Epav0CA==',
'p': 'lwzGU75ZfX1C+vFQE1ahTQ==',
'r': 'MC9KVKLGfFmxvdr6qNuZpA==',
's': 'US5MJOeTx6L69iQT3Y8B9g==',
't': 'MufXoG4oKY+tLj7TNMzMtQ==',
'u': 'mJoY/dqOlVLjsIzq/ZmGbg==',
'x': 'wJNrzltAAb7rg/64niXZNg=='
}

def run_cmd(cmd, t):
msg = ''.join([m[c] for c in cmd])
t.write(msg + m['\n'])
return t.read_until('==', timeout=2)

def run_cmd_plain(cmd, m_i):
t = telnetlib.Telnet(HOST, PORT)
r = base64.b64decode(run_cmd('{}|perl -e \'while(read STDIN,$c,1){{print $c."\\x00"x15}};\''.format(cmd), t))
t.close()
return ''.join(m_i[base64.b64encode(r[i:i+16])] for i in range(0, len(r)-16, 16)).strip()

def exploit():
t = telnetlib.Telnet(HOST, PORT)
print '[~] Getting encrypt("1")... '
run_cmd('echo a > /tmp/a', t)
run_cmd('grep -c a /tmp/a > /tmp/c', t)
m['1'] = run_cmd('perl -pe "chomp" /tmp/c', t)
print '[+] 1 = {}'.format(m['1'])

print '[~] Getting digits...'
for i in range(2, 12):
d = 11 - i
r = run_cmd('perl -e "print 11{}"'.format('-1' * i), t)
m[str(d)] = r
print '[+] {} = {}'.format(d, r)

print '[~] Getting other characters...'
for c in string.printable:
if c not in m:
r = run_cmd('perl -e "print chr {}"'.format(ord(c)), t)
print '[+] {} = {}'.format(repr(c), r)
m[c] = r
t.close()

m_i = {v: k for k, v in m.iteritems()}
print '[~] Getting the flag...'
print run_cmd_plain('cat flag.txt', m_i)
print run_cmd_plain('ls -la', m_i)

if __name__ == '__main__':
exploit()
```

Output:
```
[~] Getting encrypt("1")...
[+] 1 = 4KSMY2LtzmO0J+Re2zm5SA==
[~] Getting digits...
[+] 9 = s7dNRQ+EpHGRxLqHeed3cg==
[+] 8 = Rb9nFm2lmnm5yYWRAPH8hw==
[+] 7 = wfaWXQDyLsMQv2BRmCeKyg==
[+] 6 = dG00AWVEFzHzlIrD6CpIJg==
[+] 5 = hkkc57hdpF5mIeGst8ukng==
[+] 4 = T1+xUPbu7ZUutGjQKP5LiA==
[+] 3 = f1mxrFPM9PVF75buJmOboQ==
[+] 2 = 8RzE+OIkCUFK64ugcHhXQA==
[+] 1 = 4KSMY2LtzmO0J+Re2zm5SA==
[+] 0 = Rb3L4ahgBxYF/IdBTL57hA==
[~] Getting other characters...
[+] 'b' = dc0vX2aBZQHH8URkiN+lcQ==
[+] 'j' = L2iwHcF332GWou0pJVfIbg==
[+] 'k' = 49FY3o78unpWLaj9y2GtEg==
[+] 'q' = L+lLf8ReQIErL/OGb/pxhw==
[+] 'v' = REzMDVL9Qa7dtRmvNXDU6w==
[+] 'w' = MM2WabRHHhYG+sr1IvYSpg==
[+] 'y' = eyhlkLCf5mAT1hJg+iMjJw==
[+] 'z' = 5GjGDVcJLJ4BLvy2z+BbLg==
[+] 'A' = 8pIaa6AaYPZeWFAbcLwvAA==
[+] 'B' = lOXhZwURpmIOBcQtyjaXJg==
[+] 'C' = QBZdUyNlrJaVTjWTLHbu3g==
[+] 'D' = BCY7FFyV8e6AIyUOVmiyDw==
[+] 'E' = DmVuubGXKwK+YCF5gEX3bA==
[+] 'F' = uh9PwVCyk/6tjwrrxr2nsA==
[+] 'G' = BT98JpiF3fve7qQeCmSG1A==
[+] 'H' = zn4CMVCZL9j9arUfbmpsZg==
[+] 'I' = D99IL/ZUwhB5UacecPC4Pw==
[+] 'J' = lBYfZNTdoq89YIyWw+Nb5g==
[+] 'K' = ps6bCsvHCaGiGmYQDtmTUg==
[+] 'L' = mEkRagy/i8TlUuW38W2VIA==
[+] 'M' = ylxmi4p2rAviPqCI9AIqNw==
[+] 'N' = AkpTiblNlzTyuzTPJUZjGQ==
[+] 'O' = ZmLb29AKOkLgDWd8UKLKMA==
[+] 'P' = OYQb2vVL+SYZN5U7mBBTkA==
[+] 'Q' = j4CnO95WqSiBuOQCPyhiNA==
[+] 'R' = pXMMU9yW8HKvzohauOrohw==
[+] 'S' = Qybchhq8Tz0y98JASDJS6w==
[+] 'T' = CAV2mMZGzZD1yczdLPndjw==
[+] 'U' = AESmsdINGYfsW9iZCbVgNw==
[+] 'V' = d5pr2E3yKbqvLUj3OOCQ1g==
[+] 'W' = V65kFY86T+s49CBbgX3MUQ==
[+] 'X' = QGsTdZyL7/ZvIykQzh4jdg==
[+] 'Y' = gTnW1iJ99N9vfLud1z+4uQ==
[+] 'Z' = q9upGB/2R+vq8MVe84YhyA==
[+] '!' = Hl/dDyh8U6y/k7KZVQc5Ig==
[+] '#' = eFjAUSKWQ6C0WxNY5L0l/w==
[+] '$' = 9vdWA+lydZtXCnlv3ij6zQ==
[+] '%' = cWwDLkLn9pL7U6XjB1j3vg==
[+] '&' = V6vHG7jiofhgOwpTQoMYdA==
[+] "'" = /nwRl3gUFmvkck1HS2hN8A==
[+] '(' = RCxXpJCkd2VkzWUu4ewq6g==
[+] ')' = o/hGtid/Vj9SQPY+G5HVng==
[+] '*' = VSOaYJi9juSyO9UR6swMlg==
[+] '+' = lQGswRRVKMm0BbIGp+F3Sw==
[+] ',' = nfUh6n2OyFF9KWsGNvBOUg==
[+] ':' = XGPWVfZbbLSA/8dSEHhn5Q==
[+] ';' = QdV4wDKOO9YFcByyx9Yd7g==
[+] '<' = CmO82n0RV4/IlrLulEhmPQ==
[+] '?' = vnw+/knXR3FwBm8iQoUxaA==
[+] '@' = vpD+TS8VLDwre7Y7iVZiUw==
[+] '[' = KXMFOdiz4DKzV/zN3vBP2A==
[+] '\\' = T8H0e39d6+vs27mL65eFmA==
[+] ']' = P2rFTE+9GvCAFvvWFOKa+Q==
[+] '^' = qdfwSmT84o65trDjxRI4jg==
[+] '_' = upmrZVTDYlF3ND4qq5nRGA==
[+] '`' = DPga7jWvh/kGcs7sAtVWyA==
[+] '{' = dXrs8ji7V1tUaIqQGd1Yeg==
[+] '|' = IsqHLoqtGCm/Mh7w7Ro1rQ==
[+] '}' = CMnbhPqLgz38brWXSdY1Tg==
[+] '~' = KrWM6j9cPxWHfuSUrySEEw==
[+] '\t' = H4tp3XyUo/pHann4grhBZA==
[+] '\r' = I2eLOs8Eni8qUiLpSW1NlA==
[+] '\x0b' = NHUKr83+GtTUyNapiW2XTg==
[+] '\x0c' = 4+Ehq1D3tR6Jn8kb570Wig==
[~] Getting the flag...
gigem{43s_3cb_b4d_a5c452ed22aa5f1a}
total 12
drwxr-xr-x 1 root root 25 Mar 5 21:21 .
drwxr-xr-x 1 root root 41 Mar 5 21:21 ..
-rw-rw-r-- 1 root root 36 Feb 22 13:00 flag.txt
-rw-r--r-- 1 root root 1067 Mar 5 21:21 monitor.txt
-rw-rw-r-- 1 root root 2111 Feb 26 15:35 server.py
```

copper

Comments

Sign in with