pyjailgolf_3

This challenge was exactly the same as pyjailgolf_1, but with the help() builtin removed from the available builtins in python.

line = input('>>> ')

builtins =  #REDACTED 

flag="[REDACTED]"

if len(line) > 10:
		raise Exception()

try:
		eval(line, {'__builtins__':builtins})
except:
		pass

We could not use the previous solution for pyjailgolf_1, as the help builtin was not available anymore.

After a long, deep, horrible and soul-crushing rabbit hole on python strings, we found out that unicode handling in python is broken, to say the least.

In fact, some particular utf-8 characters get normalized before being parsed by the eval() function. In particular, the character \uFB02 (the ‘fl’ ligature) is parsed as two separate ascii characters, ‘f’ and ‘l’.

If you combine this with the fact that the len() function in python does not count the bytes of a string, but the number of unicode codepoints, you probably see where we are going.

The solution for this challenge was just sending the following string:

print(\uFB02ag)

Result:

pctf{Un1c0d3_i5_sw34t_2}