| tags:GitS2014 GitS WriteUp
GitS 2014: Radioactive (Crypto 250)
This challenge must have either been a joke or unintenionally broken, I solved it in like 2 minutes and it was worth 250 points. Unfortunately I was in a plane over the north sea and not able to submit the flag in time :(
Basically the challenge consists of a server who takes a command in the format : where command is a base64-encoded python code which is executed if the tag (which is basically a signature) is set correct. The tag is computed using a secret stored in a file called “secret”.
We got 4 test-commands (lc, echo, ls and stat) with a valid signature to analyze and maybe find a way for a hash-length-extension or whatever attack. We don’t need this because the signature-checking was broken.
This code validates the signature:
match = True
for i, j in zip(tag, t):
if i != j:
match = False
del key
del cipher
if match:
print 'Made it' + eval(compile(command, "script", "exec"))
else:
self.request.send("Checks failed!\n")
tag is the given tag, t is the calculated tag.
Python’s zip()
-function takes two iterables and connects them, but only if both iterables have items. If we provide an empty tag we simply never hit the if
and match
has no chance to be set to False
.
The exploit is:
echo :`echo "self.request.send(open('key').read())" | base64` | nc radioactive.2014.ghostintheshellcode.com 4324
Flag: Welcom3ToTheNewAgeItsARevolutionISuppose
by ccmndhd