backdoor CTF evil

backdoor CTF evil


hi today we going to solve CTF challenge   let us quick read  it



cool it's service on port 9007 now  time to read source code 

  

now we going to explain how code flow work flag define as variable and also super_secret_code that it's part one now going to part 2 it's condition flow first guess it take inputs using python input and compare it with super_secret_code if condition true it will print flag .
ok that flow now time to identify weakness ,input in last python version it act like  eval(raw_input) as we know eval it    function evaluates a string of text which is passed as its parameter, accepting possible second argument for the global values to use during evaluation.
through this we can read super_secret_code by type it in prompt it will read variable and save it in guess and use it in if statement .

quick example


you see we enter secret again now let us print g to see what inside it 


nice we have secret key now let go  do that in real connect to host using netcat 
and type super_secret_code






for more info about input read python input vulnerability 

thanks for reading 


Comments

Post a Comment

Popular posts from this blog

SECURECODE: 1 : OSWE Prep

Image
 SECURECODE: 1 : OSWE Prep SECURECODE: 1  it's OSWE Like machine which need to do some code reviwing and detect  vulnerabilities and chained together to gain final target which remote code execution (RCE).  VM:  SecureCode: 1 ~ VulnHub information about VM:  SecureCode1: an OSWE-like Machine | by Ahmed ElTijani | SUDOROOT | Medium   First we do some code review to detect vulnerabilities in source code  applications  http://192.168.122.112/source_code.zip. we go page under construction next we going to review directory structure. open http://192.168.122.112/login/index.php will redirect to login page. next will explore sql database dump which includes database structure and tables names which will help us to build queries to dump credentials from database. next will  import these sql databases backup in mysql  in order to  explore sql statment for this will use online solution  MySQL online - Test SQL queries (ext...
Read more

hacky holidays h1 CTF

Image
hacky holidays  h1 CTF this year Hackerone hosted CTF it's amazing CTF i will   write write up for  interesting challenges  Swag Shop Get your Grinch Merch! Try and find a way to pull the Grinch's personal details from the online shop this challenge it's 100% real life which in order to get flag we must enumeration grinch profile. first we must enumeration target page and do some spider pages by using burpsuite spider     after spider target you notice api   endpoints that use in application we must FUZZ endpoint to find hidden endpoints using burpsuite intruder or any tools you  like.   you notice user  endpoint status code and response message  and sessions endpoint which response with  JWT Tokens  which will going to decode it and find information using  jwt io .  after decode jwt tokens we find one has user name value          now back to user endpoint which we nee...
Read more

python input vulnerability

Image
python input vulnerability hi guys today i will show you how little mistake in write code can lead to expose data or RCE on sever . as we know python has function that take input from user can save it in variable . in python 2.x version we find input function   and it built-in function input in module __builtin__  let check what mean this method by using help(input) it 's  equivalent to eval(raw_input) ok raw_input it's another function take input from user but in input function it's add eval as we know eval it  function evaluates a string of text which is passed as its parameter, accepting possible second argument for the global values to use during evaluation. let make quick demo  and if we enter number it will display it but what if we enter 2+4 it will display 6 because it's use eval as part of input function as we see above from here we can use  __builtin__  module to get  som...
Read more