Skip to content

Latest commit

 

History

History
91 lines (73 loc) · 2.19 KB

Solution.md

File metadata and controls

91 lines (73 loc) · 2.19 KB
Raw

Made Sense

  • Tags: Misc, Makekjail, Jail
  • Description: i couldn't log in to my server so my friend kindly spun up a server to let me test makefiles. at least, they thought i couldn't log in :P

Solution

  • When we visit that website, we can see there a link to source code of it.
import os
from pathlib import Path
import re
import subprocess
import tempfile

from flask import Flask, request, send_file

app = Flask(__name__)
flag = open('flag.txt').read()

def write_flag(path):
    with open(path / 'flag.txt', 'w') as f:
        f.write(flag)

def generate_makefile(name, content, path):
    with open(path / 'Makefile', 'w') as f:
        f.write(f"""
SHELL := /bin/bash
.PHONY: {name}
{name}: flag.txt
\t{content}
""")

@app.route('/', methods=['GET'])
def index():
    return send_file('index.html')

@app.route('/src/', methods=['GET'])
def src():
    return send_file(__file__)

# made sense
@app.route('/make', methods=['POST'])
def make():
    target_name = request.form.get('name')
    code = request.form.get('code')

    print(code)
    if not re.fullmatch(r'[A-Za-z0-9]+', target_name):
        return 'no'
    if '\n' in code:
        return 'no'
    if re.search(r'flag', code):
        return 'no'

    with tempfile.TemporaryDirectory() as dir:
        run_dir = Path(dir)
        write_flag(run_dir)
        generate_makefile(target_name, code, run_dir)
        sp = subprocess.run(['make'], capture_output=True, cwd=run_dir)
        return f"""
<h1>stdout:</h1>
{sp.stdout}
<h1>stderr:</h1>
{sp.stderr}
    """

app.run('localhost', 8000)
  • This code below is used to check what we are entering to create a Makefile.
if not re.fullmatch(r'[A-Za-z0-9]+', target_name):
    return 'no'
if '\n' in code:
    return 'no'
if re.search(r'flag', code):
    return 'no'
  • We can't enter "flag" and we have to bypass this system to get the flag. First, what's comes to mind: enter some random letters into the "Target name" field. Then, we can bypass the check, by entering this command.
cat *.txt
  • This will open all the files within the directory. We don't explicitly enter "flag.txt", so the website is not yelling at us. There you will find a flag.
wctf{m4k1ng_vuln3r4b1l1t135}