polygl0ts
EPFL's CTF team
Challenge description: “Same as pyjailgolf_1, but now you have only 9 characters”
Source code of the server:
line = input('>>> ')
flag="[REDACTED]"
if len(line) > 9:
raise Exception()
try:
eval(line)
except:
pass
This challenge was slightly trickier than the first python jail, as even help(flag) is too long. It turns out that python is much more broken than you might think,
and running the help() builtin command without any argument will spawn an interactive python help:
>>> help()
Welcome to Python 3.9's help utility!
If this is your first time using Python, you should definitely check out
the tutorial on the Internet at https://docs.python.org/3.9/tutorial/.
Enter the name of any module, keyword, or topic to get help on writing
Python programs and using Python modules. To quit this help utility and
return to the interpreter, just type "quit".
To get a list of available modules, keywords, symbols, or topics, type
"modules", "keywords", "symbols", or "topics". Each module also comes
with a one-line summary of what it does; to list the modules whose name
or summary contain a given string such as "spam", type "modules spam".
help>
From this help, we can run the command modules to make it print a list of all
the modules. After doing this, we saw that pyjailgolf_2 was available as a module to list it’s documentation. Since the authors never specified any documentation
for that module, the python builtin help just prints all the information about that
module, including the value of every variable, which included the flag ^^
pctf{Un1c0d3_i5_sw34t_2}