Username: 
Password: 
Restrict session to IP 
Questions  |  score: 4  |  4.33 6.30 6.67 |  Solved By 502 People  |  81271 views  |  since Apr 12, 2012 - 17:13:32

Py-Tong (Exploit, Python, Warchall)

Py-Tong
A fellow hacker is challenging you to exploit a simple python script.
To exploit it live, you have to create your Warchall account and try your luck there.
To see what it is about you can also view the source here.

Note: It is not required to trigger a race condition, but it should work as well.
Note: You have to use the binary "pytong" not the pytong.py. It is a wrapper which is needed for SETREGID and finally gives the solution.

Happy Challenging!
GeSHi`ed python code for pytong.py
1
2
3
4
56
7
8
9
1011
12
13
14
1516
17
18
19
2021
22
23
24
2526
27
28
29
3031
32
33
34
3536
37
38
39
4041
42
43
44
4546
47
48
49
5051
52
53
54
5556
57
58
59
60
#!/usr/bin/python
import sys
import os
import os.path
 SOLUTION = "/home/level/12/solution.txt"
 
 
# Your main objective is to return True
def main(filepath):        # We want to prevent some noobish solutions
        if any(ipattern in filepath for ipattern in ('proc', 'uptime', 'tmp', 'random', 'full', 'zero', 'null')):
                raise ValueError('nononono: hacking is not allowed')
 
        # You have to give me an valid file!        if not os.path.exists(filepath):
                raise ValueError('sorry file "%s" does not exists' % filepath)
 
        # We are opening the file here and store the content in 'jjk'
        print('opening %s' % filepath)        with open(filepath) as gizmore:
                jjk = gizmore.read()
        print('closed')
 
        # The file was closed, does it still exists?        if not os.path.exists(filepath):
                # The file does not exists anymore, you have found a solution
                print('You are l33t')
                return True
        else:                # Ok, we will reopen the file and store its content in 'kwisatz'
                with open(filepath) as spaceone:
                        kwisatz = spaceone.read()
 
                # Does the content differs from old content?                if jjk != kwisatz:
                        # content differs so return True
                        print('You are a winner')
                        return True
         raise ValueError('fail...')
 
 
if __name__ == "__main__":
        if len(sys.argv) < 2:                print('wrong argcount')
                sys.exit(1)
 
        try:
                # Objective: return True here!                success = main(sys.argv[1])
        except (ValueError, OSError, IOError) as exc:
                print('%s' % (exc,))
                sys.exit(3)
        else:                #os.setuid(os.geteuid())
                os.setgid(os.getegid())
                with open(SOLUTION) as fd:
                        print(fd.read())
 
Your solution for Py-Tong
Answer
© 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023 and 2024 by space