Misc
Last updated
Last updated
Challenge | Link |
---|---|
I wish these modern pyjails would let me use dunders more..
This challenge is pyjail and the objective is finding the way to do RCE on server through bypassing some blacklist.
There are total 5 protection implemented in the code, below is the details (simplified explanation)
Line 13: The value other then function or attribute can only be string (we can't use integer etc)
Line 14: The length of all the values should be greater than 4
Line 15: The value must be consist of __ in the start and in the end
Line 20: We cannot use the exact "'
values
Line 25: builtins functions are removed
My teammate (daffainfo) send the payload that would be work without the blacklist (1-4).
My task is converting the payload to make it work with the blacklist. Here is the bypass idea
To get the integer value we can use __len__()
To use string values that dont have "__" we can use padding and indext subscribe
And below is the converted payload
do ls
do cat flag_RRkxxMoAAG3mQpoq.txt
Flag: INTIGRITI{y0ur_w15h_w45_6r4n73d_bu7_47_wh47_c057}
Monkey's Paw (384 pts)