PoliCTF 2015 - Hanoi-as-a-Service - Pwnable 50
This challenge gave nothing but a host and port: haas.polictf.it 80. For some reason the organizers decided to run a lot of their services on port 80. Connecting with netcat reveals a simple Hanoi solver. Usually, when given a service like this with no binary, I start by feeding it values to see what information I can get or whether I can cause any errors or crashes. I try a positive number, then a negative one.
The program hit an error and printed it out for us. What is Prolog?
Prolog is a general purpose logic programming language associated with artificial intelligence and computational linguistics. -Wikipedia
With a little bit of Googling around I tried some syntax:
It looks like it is taking our input and putting it directly between the two parentheses of the hanoi function. This is textbook command injection. To test, I decided to print something simple.
Since the statement ended with a ")." I could leave that off. I did a bit of looking around for ways to execute system commands and I found exec. I ran a test with feedback to make sure it worked.
Got it, so now all that is left to do is find the flag. Usually the flags are kept in the home directory of the user the service is running as, so I used ls to maneuver my way around. The syntax for adding arguments is strange in Prolog.
Catting the file shows the flag!
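The root cause described above is that the input is spliced between the parentheses of the hanoi call and that the interpreter's error is echoed back. The following is an added example, not the challenge's code: a hypothetical Python front end (all function names and the `MAX_DISCS` cap are assumptions) showing the unsafe goal construction next to a version that only lets a validated integer reach the goal text and returns a fixed error string.

```python
import re

MAX_DISCS = 16  # assumed cap; the move count grows as 2**n - 1

# Whole input must be 1-2 ASCII digits: no sign, whitespace, or Prolog syntax.
_DISCS_RE = re.compile(r"[0-9]{1,2}")


def build_goal_unsafe(user_input: str) -> str:
    """Hypothetical 'before': splice raw input between the parentheses."""
    return "hanoi(" + user_input + ")."


def parse_discs(user_input: str) -> int:
    """Return the disc count, or raise ValueError with a generic message."""
    text = user_input.strip("\r\n")
    if not _DISCS_RE.fullmatch(text):
        raise ValueError("number of discs must be a positive integer")
    n = int(text)
    if not 1 <= n <= MAX_DISCS:
        raise ValueError(f"number of discs must be between 1 and {MAX_DISCS}")
    return n


def build_goal_safe(user_input: str) -> str:
    """'After': only a validated integer ever reaches the goal text."""
    return f"hanoi({parse_discs(user_input)})."


def handle(user_input: str) -> str:
    """Return the goal to run, or a fixed error string (no interpreter output)."""
    try:
        return build_goal_safe(user_input)
    except ValueError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    # Constructed inputs: valid, negative, and one that closes the call early.
    for sample in ["3", "-1", "3), write(injected"]:
        print(repr(sample), "->", build_goal_unsafe(sample), "|", handle(sample))
```

Running the service as an unprivileged user that cannot read other files remains a separate layer; the validation only removes the injection point.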