Reverse engineering, Windows internals, x86 magic, low level programming, and everything else I feel like writing about.

CrySyS SecChallenge 2020: 2scripts1hash - 1

Our brand new PaaS is finally open to the public. Unfortunately we don’t have the necessary physical infrastructure to provide big amounts of compute power, but we didn’t want to miss out on such a great market, so we found a way. Instead of going for quantity, we went for quality: you will have a chance to run your code on the computer of our CEO. Just imagine the premium feel, the honor of executing code on the machine of such a powerful and accomplished man! There will surely be many people who want to experience something like that, I’m sure the service will be very successful.

Of course, there are many important and sensitive documents on the computer of our CEO, so we can’t just let you run code unchecked. Luckily, we have a cutting edge dynamic analysis framework, so if you send it there, we can verify that it doesn’t do anything nefarious, so you can send it to the CEO and we can verify that its the same program by comparing md5 hashes.

Categories

Offensive, Cryptography

Files

Solution

Apparently the proper way to solve this challenge would’ve been to collide MD5s of the different scripts. If you check runcode2.py you can see how it decides if it should be ran as a sandbox:

sandbox = len(sys.argv) == 3

However due to an oversight by the creators (thinking that filtering callbacks will prevent importing os and sys) you can just do the same check in your code:

import sys
import os
if len(sys.argv) != 3:
    os.system("cat flag")
print('Hello World!!')

Output:

cd20{REDACTED}
Hello World!!