728x90
반응형
1. intro
2. code 및 분석
2.1. code
#!/usr/bin/env python3
import telnetlib
import json
HOST = "socket.cryptohack.org"
PORT = 11112
tn = telnetlib.Telnet(HOST, PORT)
def readline():
return tn.read_until(b"\n")
def json_recv():
line = readline()
return json.loads(line.decode())
def json_send(hsh):
request = json.dumps(hsh).encode()
tn.write(request)
print(readline())
print(readline())
print(readline())
print(readline())
request = {
"buy": "clothes"
}
json_send(request)
response = json_recv()
print(response)
2.2. 분석
Introduction 분야에 하나 안푼게 있길래 냅다 풀어봄.
코드 상 특별한 것은없고,
텔넷으로 특정 주소에 접속 후 값을 받아오고,
request를 보낸 다음
response를 다시 받아 출력해준다.
일단 실행해봤더니 아래와 같이 출력됐다.
┌[wyv3rn🐲]-(/mnt/c/Users/lmaxl/Downloads)
└> ./telnetlib_example_dbc6ff5dc4dcfac568d7978a801d3ead.py
b"Welcome to netcat's flag shop!\n"
b'What would you like to buy?\n'
b"I only speak JSON, I hope that's ok.\n"
b'\n'
{'error': 'Sorry! All we have to sell are flags.'}
출력해준걸 보니 답이 뻔해보이긴 하지만...
다른건 건드릴만한게 없어 보이고, request에 buy 또는 clothes를 변경해서 전달하는 값을 조작할 수 있을 것 같았다.
우선 buy를 수정해서 보냈더니 아래와 같았다.
┌[wyv3rn🐲]-(/mnt/c/Users/lmaxl/Downloads)
└> ./telnetlib_example_dbc6ff5dc4dcfac568d7978a801d3ead.py
b"Welcome to netcat's flag shop!\n"
b'What would you like to buy?\n'
b"I only speak JSON, I hope that's ok.\n"
b'\n'
{'error': "Sorry, I don't understand you. Try to *buy* an item."}그러므로 수정할 수 있는 것은 하나 뿐.
3. exploit
#!/usr/bin/env python3
import telnetlib
import json
HOST = "socket.cryptohack.org"
PORT = 11112
tn = telnetlib.Telnet(HOST, PORT)
def readline():
return tn.read_until(b"\n")
def json_recv():
line = readline()
return json.loads(line.decode())
def json_send(hsh):
request = json.dumps(hsh).encode()
tn.write(request)
print(readline())
print(readline())
print(readline())
print(readline())
request = {
"buy": "flag"
}
json_send(request)
response = json_recv()
print(response)
┌[wyv3rn🐲]-(/mnt/c/Users/lmaxl/Downloads)
└> ./telnetlib_example_dbc6ff5dc4dcfac568d7978a801d3ead.py
b"Welcome to netcat's flag shop!\n"
b'What would you like to buy?\n'
b"I only speak JSON, I hope that's ok.\n"
b'\n'
{'flag': 'crypto{sh0pp1ng_f0r_fl4g5}'}728x90
반응형
'Wargame > Cryptohack' 카테고리의 다른 글
| Encoding Challenge (0) | 2023.02.15 |
|---|---|
| Legendre Symbol (0) | 2023.02.13 |
| Quadratic Residues (0) | 2023.02.08 |
| Modular Inverting (0) | 2023.02.06 |
| Modular Arithmetic 2 (0) | 2023.02.03 |