Input as a Service (Iaas) was a 1-star rated challenge from the HackTheBox Cyber Apocalypse CTF. This challenge was from the ‘Misc’ section, in contrast to most of the others I attempted! This challenge revolved around an input function vulnerability in a Python web server, which could be exploited to achieve RCE.
Some initial poking around the site made it clear this was likely to revolve around sending a crafted API or web request. To investigate this, I spun up Burp Suite and started proxying my traffic through Burp. A blank GET request to the server returned output which was recognisable as the output from a Python server, along with debug information.
As we can see from the error on line 12, the server is using the input function, which has a known ‘vulnerability’ in it. This ‘vulnerability’ is that any value which is read by input will be evaluated by Python. To test this, I crafted a packet to try some simple string concatenation, to check if this was a viable path.
Which then responded with abc123, indicating that we are able to issue commands to the Python server. You can see this on line 7 in the response below.
The next logical step for this vulnerability was to try and extend it to OS command injection, rather than just executing Python scripts. To do this, we would need to use the os module within Python. This presented some issues, as it appeared the standard way (import os; os.system('whoami')) of using the os module was being blocked. I assumed this was most likely due to the spaces within the command being parsed by an HTTP library or similar.
I then found a great blog which covered a very similar CTF challenge, and they used a different method of importing the os module, which avoided the need for any characters which could cause issues. By using the syntax __import__('os').system('ls -la'), we are able to list the contents of the current directory, showing we have RCE on the server.
We can now see the flag.txt file, which we can easily view with cat flag.txt, to reveal a flag of
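The input behaviour this writeup relies on, shown beside a hardened reader, as an added example (not code from the challenge or the original post). Python 2's input() is equivalent to eval(raw_input()), which is modelled here with eval() so the block runs on Python 3. The function names and the concatenation probe are assumptions; the two os strings are the ones quoted above and are only parsed, never executed.

```python
import ast

def vulnerable_read(raw):
    # Python 2's input() behaves like eval(raw_input()); eval() models it here.
    return eval(raw)

def hardened_read(raw):
    # Hardened form: literal_eval builds values from literals only and never
    # calls functions, so expressions that carry code are rejected (None).
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return None

def audit(raw):
    """Classify a request body by parsing it, without executing it."""
    try:
        tree = ast.parse(raw, mode="eval")  # same grammar eval() accepts
    except SyntaxError:
        # eval() takes one expression; statements such as `import` fail here.
        return "syntax-error"
    code_nodes = (ast.Call, ast.Attribute, ast.Name)
    if any(isinstance(node, code_nodes) for node in ast.walk(tree)):
        return "executes-code"
    return "pure-expression"

SAMPLES = [
    "'abc'+'123'",                        # constructed concatenation probe
    "import os; os.system('whoami')",     # statement form quoted in the writeup
    "__import__('os').system('ls -la')",  # expression form quoted in the writeup
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(f"{body!r:40} audit={audit(body):16} hardened={hardened_read(body)!r}")
    # Only the harmless probe is passed to the eval()-based reader.
    print("vulnerable_read ->", vulnerable_read(SAMPLES[0]))
```

On the server side the fix is to read the value with raw_input() on Python 2 (or Python 3's input()), both of which return the string without evaluating it.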
If you enjoyed this writeup, I have written up several other boxes at this link.