BroBot


Writeup source

https://dunsp4rce.github.io/csictf-2020/miscellaneous/2020/07/22/BroBot.html

by vishalananth

Challenge description

This BoT can speak, can you ask him the flag? https://telegram.me/csictf_brobot/

Challenge topics

Solution approach

I opened the Telegram app on my mobile and started a conversation with the bot. I tested out all available commands and understood that the bot is a text2voice bot which will convert whatever text we give into an equivalent voice file. We get a GitHub link for the bot's source code when we type the /about command.

So, I went ahead and checked the source code of the bot.

```python
import os

from telegram.ext import ConversationHandler


def send_voice_msg(update, context):
    text = update.message.text
    # Vulnerable as written: the message is placed unescaped inside a shell script.
    fs = open(f"/home/ctf/{update.message.from_user.id}", "w")
    fs.write(f"echo '{text}'")
    fs.close()
    # The script is executed by sh as user ctf and its output is piped to espeak.
    os.system(
        f"su ctf -c 'sh /home/ctf/{update.message.from_user.id} | espeak -w /home/ctf/{update.message.from_user.id}.wav --stdin'"
    )
    update.message.reply_audio(
        open(f"/home/ctf/{update.message.from_user.id}.wav", "rb")
    )
    # Clean up the script and the generated audio file.
    os.system(
        f"rm /home/ctf/{update.message.from_user.id}; rm /home/ctf/{update.message.from_user.id}.wav"
    )
    return ConversationHandler.END
```

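We see that the text we give is placed inside an `echo '...'` command in a script file, which is run with sh, and the output is converted to its equivalent audio file using espeak. Since the input is not sanitized, a single quote in the message closes the quoted string and the shell interprets whatever follows, so we can make the script execute whatever command we want. Trying '$(cat flag.txt)' gives us the following voice file with the flag.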

[brobot.wav]({{site.baseurl}}/assets/BroBot/brobot.wav)
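
A hardened counterpart to the handler above, as an added example that is not part of the original write-up or the bot's code: the message reaches espeak on stdin through an argument list, so no shell ever parses it. `STAND_IN`, `text_to_wav`, `send_voice_msg_hardened` and `literal_roundtrip` are hypothetical names, and the stand-in speaker is constructed so the block runs without espeak installed.

```python
import os
import subprocess
import sys
import tempfile

# espeak flags taken from the bot's own command line: --stdin reads the text
# from standard input, -w <file> writes a WAV file.
ESPEAK = ["espeak", "--stdin", "-w"]

# Constructed stand-in for espeak so the example runs without it installed:
# it copies stdin verbatim into the output file named by its last argument.
STAND_IN = [sys.executable, "-c",
            "import sys; open(sys.argv[1], 'wb').write(sys.stdin.buffer.read())"]


def text_to_wav(text, wav_path, speak_cmd=ESPEAK):
    """Render text to wav_path without handing the text to a shell."""
    # argv is a list and shell=False (the default), so no /bin/sh parses the
    # message; it reaches the child only as bytes on stdin.
    subprocess.run(speak_cmd + [wav_path], input=text.encode("utf-8"),
                   check=True, timeout=10)
    return wav_path


def send_voice_msg_hardened(update, context, speak_cmd=ESPEAK):
    """Hypothetical replacement handler. The original's
    `return ConversationHandler.END` is omitted so the block runs
    without python-telegram-bot installed."""
    # Private working directory instead of /home/ctf/<user id>; it is removed
    # on exit, so no `rm` through os.system is needed either.
    with tempfile.TemporaryDirectory() as workdir:
        wav = text_to_wav(update.message.text,
                          os.path.join(workdir, "reply.wav"), speak_cmd)
        with open(wav, "rb") as fh:
            update.message.reply_audio(fh)


def literal_roundtrip(text):
    """Return what the speaker process actually received for `text`."""
    with tempfile.TemporaryDirectory() as workdir:
        out = text_to_wav(text, os.path.join(workdir, "out.bin"), STAND_IN)
        with open(out, "rb") as fh:
            return fh.read().decode("utf-8")


if __name__ == "__main__":
    # The message from the write-up arrives unchanged; nothing is executed.
    print(literal_roundtrip("'$(cat flag.txt)'"))
```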

Flag

csictf{ai_will_take_over_the_world}