csictf 2020

CTF Writeup - https://ctftime.org/event/1081

Home csictf 2020 Writeups Home
22 July 2020

BroBot

by vishalananth

This BoT can speak, can you ask him the flag? https://telegram.me/csictf_brobot/

Solution

I opened the Telegram App in my mobile and started a conversation with the bot. I tested out all available commands and understood that the bot is a text2voice bot which will convert whatever text we give into an equivalent voice file. We get a github link for the bot’s source code when we type /about command. So, I went ahead and checked the source code of the bot.

def send_voice_msg(update, context):
    text = update.message.text
    fs = open(f"/home/ctf/{update.message.from_user.id}", "w")
    fs.write(f"echo '{text}'")
    fs.close()
    os.system(
        f"su ctf -c 'sh /home/ctf/{update.message.from_user.id} | espeak -w /home/ctf/{update.message.from_user.id}.wav --stdin'"
    )
    update.message.reply_audio(
        open(f"/home/ctf/{update.message.from_user.id}.wav", "rb")
    )
    os.system(
        f"rm /home/ctf/{update.message.from_user.id}; rm /home/ctf/{update.message.from_user.id}.wav"
    )
    return ConversationHandler.END

We see that the text we give is appended with the echo command and is run and converted to its equivalent audio file using espeak. Since the input is not sanitized, we can make echo execute whatever command we want. Trying '$(cat flag.txt)' give us the following voice file with the flag.

brobot.wav

Flag

csictf{ai_will_take_over_the_world}
tags: Miscellaneous