'memeshop' was a pwnable worth 400 points in the latest CSAW CTF. We are only given an ip/port to connect to, no binary was provided. After connecting we see a menu like this:

```
lets see what is on the menu
print receipt from confirmation number
nic cage (RARE MEME)
derp doge (OLD MEME, ON SALE)
fry (SHUT UP AND LET ME TAKE YOUR MONEY)
nyan cat
like a sir
mr skeletal (doot doot)
thumbs up
trollface
```

Most options will simply output a meme, but there are some interesting ones. With p we can print a receipt and it will ask for an order number:

```
ok, let me know your order number bro: > 123
sry br0, i have no records of that
```

We can get the order number if we use the check out option, which will output it base64 encoded:

```
ur receipt is at L3RtcC9tZW1lMjAxNTA5MjItNjAyNy01ZXVoN3I=
```

b64decode: `/tmp/meme20150922-6027-5euh7r`

As we can see, the base64 decoded string is simply a path to a temporary file. With this information one can assume that the print receipt option will probably open the file and read its content.

## Dumping Files

If we provide /etc/passwd base64 encoded to print receipt, we will get the output:

```
ok, let me know your order number bro: L2V0Yy9wYXNzd2Q=
ok heres ur receipt or w/e
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
```

Ok so we can dump arbitrary files with this primitive. The next step would be to dump the binary so we can reverse engineer it and find a way to actually exploit it. To dump the binary we can simply read from /proc/self/exe. Doing so, we will receive a binary, but in fact it is the ruby interpreter. To find the actual ruby script that is running we can first check /proc/self/cmdline, which will return `ruby memeshop.rb`.
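As an added illustration (not from the writeup and not memeshop's own source), here is a Ruby reconstruction of the receipt lookup the writeup infers, the base64 order number decoded and handed straight to `File.read`, beside a hardened version that treats the decoded value as an opaque receipt id confined to a receipt directory. The function names, the `receipt_dir` argument and the demo files are assumptions.

```ruby
require 'base64'
require 'tmpdir'

# Reconstruction (not memeshop's own source) of the lookup the writeup infers:
# the order number is base64 of a path, and whatever it decodes to is read back.
def print_receipt_vulnerable(order_b64)
  path = Base64.decode64(order_b64)     # lenient decode, no validation at all
  return nil unless File.file?(path)    # "sry br0, i have no records of that"
  File.read(path)
end

def safe_decode(order_b64)
  Base64.strict_decode64(order_b64)     # raises on malformed base64
rescue ArgumentError
  nil
end

# Resolve id under base (following symlinks); refuse anything outside base.
def resolve_inside(base, id)
  real = File.realpath(File.join(base, id))
  real.start_with?(base + File::SEPARATOR) && File.file?(real) ? real : nil
rescue SystemCallError
  nil                                    # nonexistent path == unknown order
end

# Hardened form: the decoded value is an opaque receipt id, never a path.
def print_receipt_hardened(order_b64, receipt_dir)
  id = safe_decode(order_b64)
  return nil unless id && id.match?(/\A[A-Za-z0-9_-]{1,64}\z/)  # no '/', '.', NUL
  real = resolve_inside(File.realpath(receipt_dir), id)
  real && File.read(real)
end

# Demo on constructed files: a receipt directory plus a constructed "secret"
# standing in for /etc/passwd. Returns a hash of results.
def demo
  Dir.mktmpdir("memeshop-demo") do |root|
    receipts = File.join(root, "receipts")
    Dir.mkdir(receipts)
    File.write(File.join(receipts, "meme20150922-6027-5euh7r"), "1x nic cage\n")
    secret = File.join(root, "passwd")
    File.write(secret, "root:x:0:0:root:/root:/bin/bash\n")
    legit   = Base64.strict_encode64("meme20150922-6027-5euh7r")
    escaped = Base64.strict_encode64(secret)       # absolute path, as in the writeup
    dotdot  = Base64.strict_encode64("../passwd")  # relative traversal attempt
    { vuln_reads_secret:      print_receipt_vulnerable(escaped) == File.read(secret),
      hardened_legit:         print_receipt_hardened(legit, receipts),
      hardened_blocks_abs:    print_receipt_hardened(escaped, receipts),
      hardened_blocks_dotdot: print_receipt_hardened(dotdot, receipts) }
  end
end
```

Calling `demo` shows the vulnerable lookup returning the out-of-directory file while the hardened one returns `nil` for both the absolute path and the `../` attempt and still serves the real receipt.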