Solved by HRJ
The challenge was great; it had two ways of solving it. We were given a website in which we can catch a Pokemon, rename a Pokemon, see all our Pokemon and buy Pokeballs. Those were the functionalities.
We were also given the source code of the website, which was written using Flask (Link). There were many Pokemon, and FLAG was one of them; that becomes clear when reading the source. The flag was stored in the description of the Pokemon 'FLAG'.
The first way to solve the challenge is by decoding the Flask session cookie. Flask's client-side session is signed but not encrypted, so anyone holding the cookie can read its contents without the application's SECRET_KEY (the signature only stops you from modifying it). We base64-decode the first dot-separated segment of the cookie and then zlib-decompress it.
import zlib
from itsdangerous import base64_decode

cookie = "<session cookie>"
cookie = cookie[1:]  # drop the leading '.', which marks a zlib-compressed payload
# the first dot-separated segment is the payload; the rest is timestamp and signature
cookie = zlib.decompress(base64_decode(cookie.split(".")[0]))
print(cookie)
Reading the source code also tells us the HP of the FLAG. The script above prints the session payload, which contains the descriptions of all our Pokemon. We know the 'pid' of the FLAG is 'FLAG90', so we grep for that pid and find the flag.
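The decoder below is an added example for this write-up, not the challenge's code or the script above. It handles both cookie layouts Flask produces (a leading '.' means the JSON payload was zlib-compressed before base64 encoding) and restores the '=' padding that itsdangerous strips. The session key "pykemon" and the per-Pokemon field names are assumptions made for the constructed sample data; the real challenge's names may differ.

```python
import base64
import json
import zlib


def _b64decode(segment):
    """URL-safe base64 decode, restoring the '=' padding that itsdangerous strips."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_flask_session(cookie):
    """Return the payload of a Flask client-side session cookie as a dict.

    Layout: [.]<payload>.<timestamp>.<signature>. A leading '.' means the JSON
    payload was zlib-compressed before base64 encoding. The HMAC signature only
    prevents tampering; it does not hide the contents, so no SECRET_KEY is
    needed to read the session.
    """
    compressed = cookie.startswith(".")
    if compressed:
        cookie = cookie[1:]
    payload = _b64decode(cookie.split(".")[0])
    if compressed:
        payload = zlib.decompress(payload)
    return json.loads(payload)


def encode_session_payload(data, compress=True):
    """Build a cookie with the same layout and a dummy signature (constructed
    for offline testing; a real cookie carries an HMAC over the payload)."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    if compress:
        raw = zlib.compress(raw)
    body = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    cookie = body + ".AAAAAA.dummy-signature"
    return "." + cookie if compress else cookie


def find_by_pid(session, pid, key="pykemon"):
    """Return the first entry under session[key] whose 'pid' matches, else None.
    The key and field names are assumptions for this example."""
    for entry in session.get(key, []):
        if entry.get("pid") == pid:
            return entry
    return None


# Constructed sample session; field names are assumptions, not the challenge's.
SAMPLE_SESSION = {
    "pykemon": [
        {"pid": "PIKA01", "name": "Pikachu", "description": "Electric mouse"},
        {"pid": "FLAG90", "name": "FLAG", "description": "flag{constructed_example}"},
    ]
}


if __name__ == "__main__":
    cookie = encode_session_payload(SAMPLE_SESSION)
    print(cookie)
    print(find_by_pid(decode_flask_session(cookie), "FLAG90"))
```

Paste a real cookie value into decode_flask_session() in place of the constructed one; the point to remember is that anything placed in a Flask session is visible to the user, so secrets belong server-side, not in the cookie.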
The second way is exploiting Python's str.format function (Link).
I had no idea about this vulnerability, so it was a great learning experience for me. We control the input passed when renaming a Pokemon, and that input is used directly as the format string without any validation. Whoever controls the format string can reach the attributes of the objects passed to format(), including internal ones, through replacement fields such as {0.__class__}.
>>> 'class of {0} is {0.__class__}'.format(42)
"class of 42 is <class 'int'>"
The Pykemon class keeps the list pykemon as a class attribute, so by walking from the instance to its class you can read that list and get the flag. For that you rename a Pokemon to: {0.__class__.pykemon}
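The following is an added example for this write-up, not the challenge's source. It reproduces the bug with a toy Pykemon class (constructed; the attribute names pid, name, description and the class-level list pykemon are assumptions) and shows the two fixes a practitioner would want: treat the user's text as data rather than as a format string, and, if user templates are really a feature, run them through a string.Formatter subclass that only allows a whitelist of bare field names, rejecting attribute and index traversal before any lookup happens.

```python
import string


class Pykemon:
    """Toy stand-in for the challenge's Pykemon class (constructed; attribute
    names are assumed). `pykemon` is a class-level list of every instance, which
    is exactly what `{0.__class__.pykemon}` reaches from any single instance."""

    pykemon = []

    def __init__(self, pid, name, description):
        self.pid = pid
        self.name = name
        self.description = description
        Pykemon.pykemon.append(self)

    def __repr__(self):
        return f"Pykemon(pid={self.pid!r}, description={self.description!r})"

    def rename_vulnerable(self, new_name):
        # BUG (as in the challenge): the user's text IS the format string, so
        # replacement fields can walk attributes of the positional argument.
        self.name = new_name.format(self)
        return self.name

    def rename_safe(self, new_name):
        # The user's text is plain data; nothing ever interprets the braces.
        self.name = new_name
        return self.name


class RestrictedFormatter(string.Formatter):
    """Whitelist formatter for the case where user templates are a feature.
    get_field() receives the whole field expression ('0.__class__.pykemon',
    'pid[0]', '0'), so attribute/index traversal and positional access are
    rejected before any value is looked up. Nested fields inside a format spec
    ('{pid:{0}}') go through get_field() too, so they cannot bypass the check."""

    ALLOWED = frozenset({"pid", "name"})

    def get_field(self, field_name, args, kwargs):
        if field_name not in self.ALLOWED:
            raise ValueError(f"disallowed replacement field: {field_name!r}")
        return super().get_field(field_name, args, kwargs)


def rename_templated(mon, template):
    """Expand a user template with whitelisted fields only; None if rejected."""
    try:
        return RestrictedFormatter().format(template, pid=mon.pid, name=mon.name)
    except ValueError:
        return None


def demo():
    """Constructed scenario: one FLAG entry plus a Pokemon the attacker renames."""
    Pykemon.pykemon.clear()
    Pykemon("FLAG90", "FLAG", "flag{constructed_example}")
    pika = Pykemon("PIKA01", "Pikachu", "Electric mouse")
    templated = {
        "ok": rename_templated(pika, "{name}#{pid}"),
        "attr": rename_templated(pika, "{pid.__class__}"),
        "positional": rename_templated(pika, "{0.__class__.pykemon}"),
        "nested": rename_templated(pika, "{pid:{0}}"),
    }
    leaked = pika.rename_vulnerable("{0.__class__.pykemon}")   # repr of every instance, flag included
    literal = pika.rename_safe("{0.__class__.pykemon}")        # stays a harmless string
    return leaked, literal, templated


if __name__ == "__main__":
    leaked, literal, templated = demo()
    print("vulnerable rename leaked:", leaked)
    print("safe rename stored:", literal)
    print("restricted templates:", templated)
```

The whitelist approach is stricter than it looks: because the check runs on the raw field expression, even `{pid.upper}` or `{name[0]}` is refused, and a reviewer can see at a glance which values a user template may ever touch.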