Shaktictf 22 write-ups

pyjails - level0,level1 and endgame

level0

Description:

Solve level0 of the pyjail series!

Note: The server is running on Ubuntu 22.04.

Flag format: shakti{}

Author: Claire de lune

Intended solution

The intended solution is to use the __builtins__ module to access the import function and read the flag. Running the file gives us the following output:

On trying to import the os module, we get the following error:

This means the import function has been blocked somehow, so we try to access the __builtins__ module and import the os module from there.

Exploit

 __builtins__.__import__('os').system('cat flag.txt')

This gives us the flag: shakti{7h47_w45_7Un!3a36rgjsk9}

level1

Description:

Solve level1 of the pyjail series!

Note: The server is running on Ubuntu 22.04.

Flag format: shakti{}

Author: Claire de lune

Intended solution

The intended solution is to use globals() to find the __builtins__ module and access the import function to read the flag. Running the file gives us the following output:

On trying to run the last exploit, we get the following error:

This means the __builtins__ module has been blocked somehow, so we try to access the __builtins__ module using globals(). Running globals() gives us the following output:

We can see that the __builtins__.__import__ module is present in the globals() dictionary. So we try to import the os module from there.

Exploit

we_need_you_alive.__import__('os').system('cat flag.txt')

This displays the message:

The flag is : shakti{7h47_W45_4_Cl053_C4ll!!!}

endgame

Description:

Solve endgame of the pyjail series!

Note: The server is running on Ubuntu 22.04.

Flag format: shakti{}

Author: Claire de lune

Intended solution

The intended solution is to use globals() to find the __builtins__ module and access the import os function to read the flag. The exec function has also been blocked. Running the file gives us the following output:

Let's try using the helpline:

So the helpline id is the password in the message that was displayed at the end of the last game. The helpline is basically the globals() function, which shows the banned list containing the functions print, exec, eval, read, open and globals(). It also shows the os module saved as 'sos' and the exec function saved as 'beat_the_master'.

Exploit

beat_the_master('sos.system("cat flag.txt")')

This displays the message:

The flag is: shakti{H0w_D0_y0u_L1k3_35c4p3_r00m5_n0W?}
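All three levels fall because the jail filters names while the objects stay reachable under other names. The following audit is an added example, not code from the challenge or the write-up: it checks a jail's globals by object identity, so renamed aliases are still reported. The sample namespace is constructed from the aliases reported above, and it assumes we_need_you_alive is the builtins module.

```python
import builtins
import os
import types

# Builtins that hand out code execution, imports or file access.
# Which ones to list is an assumption of this example.
SENSITIVE = {n: getattr(builtins, n)
             for n in ("exec", "eval", "compile", "open", "__import__")}


def classify(obj):
    """Return a short reason if obj is a capability, else None."""
    if isinstance(obj, types.ModuleType):
        return "module " + obj.__name__
    for name, target in SENSITIVE.items():
        if obj is target:  # identity check, so the variable name is irrelevant
            return "builtin " + name
    return None


def audit_namespace(ns):
    """Map each offending name in ns to the capability it exposes."""
    findings = {}
    for name, obj in ns.items():
        reason = classify(obj)
        if reason:
            findings[name] = reason
        elif isinstance(obj, dict):  # e.g. a trimmed __builtins__ dict
            for inner, val in obj.items():
                reason = classify(val)
                if reason:
                    findings[f"{name}[{inner!r}]"] = reason
    return findings


# Constructed namespace combining the aliases the write-up reports.
JAIL_GLOBALS = {
    "__builtins__": {"len": len, "input": input},  # stripped-down builtins
    "we_need_you_alive": builtins,                 # level1 alias (assumed)
    "sos": os,                                     # endgame alias
    "beat_the_master": exec,                       # endgame alias
    "banned": ["print", "exec", "eval", "read", "open", "globals"],
}

if __name__ == "__main__":
    for name, reason in audit_namespace(JAIL_GLOBALS).items():
        print(f"{name}: {reason}")
```

Running it over a namespace before handing it to untrusted input shows which entries still carry import, exec or module access, whatever they are called.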