Guessy challenge writeup wtftime CTF

Aagam shah
Published in InfoSec Write-ups
4 min read · Dec 22, 2019

We participated in the wtftime CTF, which was jeopardy style. Guessy was one of the challenges in the misc category. I learnt a very subtle but nice trick from this challenge. So, in this writeup, let's jump into it.

CTF URL: http://wtftime.org

CTF time URL: https://ctftime.org/event/949

Challenge statement

The problem statement did not give much detail: just an IP and port to connect to using nc (a.k.a. netcat). So, I quickly connected to see what it outputs.

nc 138.68.96.149 4422

So, we got connected and it dumped a Python file, which was executed whenever we connected to this IP and port. As I started understanding the code, some useful observations were that it is Python 2 code, as we can spot in the first line. Secondly, it was printing the file which was being executed. Then comes the try block, where our flag, stored in a file at the path “/opt/flag.txt”, is loaded into a variable called flag. Now, user input is taken via the input() function and compared with the loaded variable. If you guess the correct flag, it will print “Correct !” and exit.

So, brute forcing or guessing the correct flag cannot be the obvious approach here. Initially a buffer overflow idea came to my mind, but it didn’t work here. I played with this script locally, as we have the whole code with us, and something just struck my mind. I gave the string “flag” as the input and it printed Correct!

flag string as input

This was weird, right? As flag is obviously not the correct answer. So, after some Google searches, I stumbled upon what was happening here.

The bug

The only interesting thing in the challenge code was the input() function being used to accept the input from the user. I came to know that in Python 2 the input function does not perform type juggling and accepts the input as it is. So, we can give it strings, numbers and even variable names. Interesting, right!! Whereas raw_input() does perform type juggling and converts your input to the str type.

raw_input()
input()

Here, we gave the variable name in the input and it went inside the if block, as it compared it with the string “secret_code”. So, now we know we can pass whatever value to this variable and it will be processed inside. Then, upon more stumbling, I came to know about Python built-in functions. These are some functions inside Python which you can use to perform various operations. So, I printed all of them and one was of use to us :)

built-in functions

Using __import__ we can load modules inside our Python code. From here it’s a pretty straightforward challenge. Now we can import the os module and spawn a shell on the target and get the flag.

Final payload to input: __import__("os").system("sh")

Getting the flag

So, it was a small challenge, but it made me learn the very subtle difference between raw_input() and input(). Hope you also learnt something new. Overall the CTF was very good.
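
Why the input "flag" passes, as an added example (not the challenge's code, which this page does not reproduce): Python 2's input() is equivalent to eval(raw_input()), so the typed line is evaluated as an expression with the script's variables in scope. The block emulates that in Python 3 with eval() next to a string-only check; the names py2_input, vulnerable_check and hardened_check and the sample flag value are assumptions made for the illustration.

```python
# Added illustration: Python 3 emulation of the Python 2 input() behaviour.
import hmac

FLAG = "wtf{constructed_sample_flag}"  # constructed value, not the real flag


def py2_input(line, scope):
    """Emulate Python 2's input(): eval(raw_input()), i.e. the typed line
    is evaluated as an expression in the script's own namespace."""
    return eval(line, scope)  # deliberately unsafe, mirrors the bug


def vulnerable_check(line):
    """The challenge's pattern: compare the result of input() with the flag."""
    scope = {"flag": FLAG}  # the script's variables are visible to eval
    try:
        guess = py2_input(line, scope)
    except Exception:
        return False  # e.g. a bare word that is not a defined name
    return guess == scope["flag"]


def hardened_check(line):
    """The fix: read text only (raw_input() in Python 2, input() in Python 3)
    and compare it as a string in constant time. Nothing is evaluated."""
    return hmac.compare_digest(line.encode(), FLAG.encode())


if __name__ == "__main__":
    # Typing the variable name is enough for the evaluating version.
    for line in ["flag", "wrong_guess", repr(FLAG)]:
        print("vulnerable", repr(line), "->", vulnerable_check(line))
    # The string-only version treats every line, including the page's
    # payload, as plain text that simply does not match.
    for line in ["flag", '__import__("os").system("sh")', FLAG]:
        print("hardened  ", repr(line), "->", hardened_check(line))
```

In Python 3, input() already behaves like Python 2's raw_input(), so the same script ported to Python 3 would not have this bug.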

Our team dark_phoenix ended in 14th position and was the first team from India on the scoreboard xD

Until next time, have a good one :) Happy Hacking !!!!
