Obligatory Calc
Last updated

Difficulty | Points | Solves |
---|---|---|
Easy | 147 | 10 |

> In every CTF that I've seen
> There's always a calculator routine
> It tests our skills and our wit
> To solve it, we must not quit
>
> Poem by ChatGPT

The web application receives user input from a POST request, then uses the `compile` function to generate a code object from the string that represents the arithmetic operation. The code object is then executed using the `exec` function, and the result is stored in a dictionary called `msg`.

Because the application uses `compile` and `exec` to dynamically generate and execute code built from user input, an attacker can inject arbitrary Python code and have the server execute it.

Using Burp Suite, I intercepted the request and sent it to Repeater using Ctrl + R.

Next, I modified the body `int1=1&operator=%2B&int2=1` to a payload that performs blind code execution.

The web application sleeps for 5 seconds before returning 0, suggesting that the blind code execution works.

Modify the payload to a standard Python reverse shell.

We have successfully shelled the server and gotten the flag.
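The root cause of this challenge is that user-controlled text reaches `compile` and `exec`. The Python below is an added illustration, not the challenge's source: it reproduces the pattern the writeup describes (three form fields concatenated into source text, compiled, executed, result stored in `msg`) and places a hardened version beside it that parses the expression with `ast` and evaluates only integer literals and a fixed set of binary operators, so no call, attribute access, name lookup or import can ever run. The handler shape (fields already URL-decoded, returned as an `int`) is an assumption.

```python
import ast
import operator


def vulnerable_calc(int1: str, operator_sym: str, int2: str) -> int:
    """The pattern described in the writeup (do not deploy).

    The request fields are concatenated into Python source, compiled and
    executed, and the result is read back from a dict called msg. Anything
    a user puts in int2 becomes code the interpreter runs.
    """
    msg = {}
    code = compile(f"msg['result'] = {int1}{operator_sym}{int2}", "<calc>", "exec")
    exec(code, {"msg": msg})
    return msg["result"]


# Binary operators the hardened calculator is willing to evaluate. Pow is
# deliberately absent: "9**9**9" contains no injection but would still pin
# the CPU, so the allow-list also bounds resource use.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
}


class UnsafeExpression(ValueError):
    """Raised when the expression contains anything but integer arithmetic."""


def _eval_node(node: ast.AST) -> int:
    # Plain integer literal (bool is an int subclass, so it is excluded explicitly).
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, int)
            and not isinstance(node.value, bool)):
        return node.value
    # Unary minus, so "-2" on either side of the operator still works.
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_node(node.operand)
    # Allow-listed binary operator applied to two recursively validated operands.
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    # Everything else (Call, Attribute, Name, Subscript, Pow, ...) is refused.
    raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


def safe_calc(int1: str, operator_sym: str, int2: str) -> int:
    """Hardened replacement: parse to an AST and walk it; never compile()/exec()."""
    expr = f"{int1}{operator_sym}{int2}"
    # ast.parse only builds a syntax tree; it does not execute anything.
    tree = ast.parse(expr, mode="eval")
    return _eval_node(tree.body)


def rejects(int1: str, operator_sym: str, int2: str) -> bool:
    """True when the hardened calculator refuses the input (handy for checks)."""
    try:
        safe_calc(int1, operator_sym, int2)
    except (UnsafeExpression, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs mirroring the challenge's form fields.
    print(vulnerable_calc("1", "+", "1"), safe_calc("1", "+", "1"))   # 2 2
    print(safe_calc("6", "*", "-2"))                                  # -12
    print(rejects("1", "+", "abs(1)"), rejects("2", "**", "3"))       # True True
```

A stricter variant for a three-field form is to skip expression parsing entirely: convert `int1` and `int2` with `int()` and look `operator_sym` up in a dict of functions. The AST walker is shown because it generalises to free-form expressions while still admitting nothing the evaluator does not explicitly handle; a `ZeroDivisionError` from `//` or `%` propagates and should be mapped to a 400 response in the handler.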