This write-up mentions only some hints related to this challenge.
Level17
About
There is a python script listening on port 10007 that contains a vulnerability.
To do this level, log in as the level17 account with the password level17. Files for this level can be found in /home/flag17.
Source code.
#!/usr/bin/python
import os
import pickle
import time
import socket
import signal

signal.signal(signal.SIGCHLD, signal.SIG_IGN)

def server(skt):
    line = skt.recv(1024)
    obj = pickle.loads(line)
    for i in obj:
        clnt.send("why did you send me " + i + "?\n")

skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
skt.bind(('0.0.0.0', 10007))
skt.listen(10)

while True:
    clnt, addr = skt.accept()
    if(os.fork() == 0):
        clnt.send("Accepted connection from %s:%d" % (addr[0], addr[1]))
        server(clnt)
        exit(1)
The main parts to look at are the part that receives 1024 bytes of data from the client and the part that deserializes it by calling the "loads()" function of the "pickle" module.
The data transmitted from the client is expected to be serialized data.
level17@nebula:/tmp$ python ./exploit.py | nc 127.0.0.1 10007
Accepted connection from 127.0.0.1:36499
^C
level17@nebula:/tmp$ ls
exploit.py rst.txt VMwareDnD vmware-root
level17@nebula:/tmp$ cat ./rst.txt
You have successfully executed getflag on a target account
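The server hands client bytes straight to pickle.loads(), which lets the pickle stream itself name globals to import and call. The following hardened counterpart is an added example, not code from the challenge or the original write-up; it assumes Python 3 (the challenge script is Python 2), and the names NoGlobalsUnpickler, safe_loads and replies are hypothetical.

```python
import io
import pickle


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup requested by the stream."""

    def find_class(self, module, name):
        # Resolving a name is the step that lets a pickle reach callables.
        # The service only needs plain strings, so nothing is allowed.
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def safe_loads(data, max_items=64):
    """Return a list of str decoded from `data`, or raise ValueError."""
    try:
        obj = NoGlobalsUnpickler(io.BytesIO(data)).load()
    except Exception as exc:  # malformed, truncated or forbidden pickle
        raise ValueError("rejected pickle: %s" % exc)
    if not isinstance(obj, (list, tuple)) or len(obj) > max_items:
        raise ValueError("expected a short list")
    if not all(isinstance(i, str) for i in obj):
        raise ValueError("expected only strings")
    return list(obj)


def replies(data):
    """Build the lines the level17 server would send, using safe_loads."""
    return ["why did you send me " + i + "?\n" for i in safe_loads(data)]


# Constructed sample inputs (not from the original page).
GOOD = pickle.dumps(["hello", "world"])
# A harmless pickle that still names a global (builtins.len); it stands in
# for any stream that asks the unpickler to import something.
NAMES_GLOBAL = pickle.dumps(len)

if __name__ == "__main__":
    print(replies(GOOD))
    try:
        replies(NAMES_GLOBAL)
    except ValueError as exc:
        print("blocked:", exc)
```

Blocking globals stops the stream from reaching callables but not from building very large objects, so the size and type checks stay. A data-only format such as JSON removes the need for the unpickler entirely.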