Rating: 5.0

# UIUCTF 2020
## security_question

Writeup by **ranguli**

Challenge by **Husinocostan**

_Someone just asked a very interesting question online. Can you help them solve their problem?_

The challenge link https://security.chal.uiuc.tf/ brings us to a fake
StackOverflow page with the poster complaining that their friend was able to
access the hidden_poem.txt file in the root directory (/) on the server. They post the following code snippet looking for help:

python
@app.route('/getpoem')
def get_poem():
poemname = request.args.get('name')

if not poemname:
return 'Please send a name query:\n' + str(os.listdir('poems')), 404

poemdir = os.path.join(os.getcwd(), 'poems')
poempath = os.path.join(poemdir, poemname)

if '..' in poemname:
return 'Illegal substring detected.', 403

if not os.path.exists(poempath):

return send_file(poempath)


In this Python code we see a route defined /getpoem assigned to the get_poem() function.


@app.route('/getpoem')

We also see poemname being assigned as query parameter.


poemname = request.args.get('name')


If we try the endpoint https://security.chal.uiuc.tf/getpoem?name we get the following response:




The Python code that causes the trouble here is in the joining of paths.


poemdir = os.path.join(os.getcwd(), 'poems')
poempath = os.path.join(poemdir, poemname)


In the 2nd line we see that the poemdir directory and poemname file are
being joined to created a path. If we evalute this line of code in a REPL, we
get the following:


>>> import os
>>> poemdir = os.path.join(os.getcwd(), 'poems')
>>> poemdir
'/home/user/poems'


We know that poemdir is the poems subdirectory inside the current working directory. Keep in mind that our interest is in the root / directory to get hidden_poem.txt. Another join is performed is the name of the file.


>>> poemname = "poem.txt"
>>> poempath = os.path.join(poemdir, poemname)
>> poempath
'/home/user/poems/poem.txt'


Because of the way that os.path.join() works, if we set poemname to /hidden_poem.txt, we won't get:


/home/user/poems//hidden_poem.txt



/hidden_poem.txt


Which is the path we want. We can try passing this in as the query parameter:

And we get the flag!


uiuctf{str_join_is_weird_in_python_3}


Original writeup (https://github.com/ranguli/writeups/blob/master/uiuctf/2020/security_question.md).