Project Sekai
🔒 CrewCTF 2023 / ❌-misc-setjail
setjail - 1000 points
Category: Misc
Description: What can you do with one set?
Author: Satoooon
nc setjail.chal.crewc.tf 8085
Files:
Tags: No tags.
Sutx pinned a message to this channel. 07/07/2023 10:02 PM
@unpickled admin bot wants to collaborate 🤝
@Violin wants to collaborate 🤝
unpickled admin bot 07/08/2023 4:26 AM
this looks like absolute hell btw
04:27
looks like overwriting sys.stdout.flush, but
04:27
ast won't allow functions?
04:28
or perhaps, overwriting print
04:28
but both need funcs
04:29
i will say
04:29
if this was the case:
04:30
path = input("path: ")
value = to_value(input("value: "))
.....
module = input("import: ")
__import__(module)
it would be a trivial challenge as then you could abuse the antigrav module with overwriting os.environ (edited)
unpickled admin bot
path = input("path: ")
value = to_value(input("value: "))
.....
module = input("import: ")
__import__(module)
it would be a trivial challenge as then you could abuse the antigrav module with overwriting os.environ (edited)
unpickled admin bot 07/08/2023 4:37 AM
(should clarify while it may seem reaching os is not possible, it's trivial)
04:37
random._os!
04:38
importing sys is def the best
04:38
because sys gives us a lot more modules
04:45
given os we can get posix without raising the posix check
04:51
04:52
shared by os, posix, and their types
@Legoclones wants to collaborate 🤝
Avatar
wow wtf is this
06:00
hmm so we can set the attribute of anything of void to a literal
06:01
valid datatypes for value - strings, bytes, numbers, tuples, lists, dicts, sets, booleans, and None (edited)
06:05
And then it looks like walk takes each part of path and passes each through the same validation function, so those are the only types allowed for value or anywhere in path (unless we find a mistake in regex parsing), but I'm guessing intended solution is not? I guess I'll go under the assumption no trickeries in checks, but if I find nothing I'll come back and challenge this assumption
06:06
here's the other thing - it's setjail, I don't see anything that specifically points to a set tho in code? So maybe it's a hint towards actual solution?
06:07
dir(void) = ['__builtins__', '__cached__', '__doc__', '__file__', '__loader__', '__name__', '__package__', '__spec__']
Avatar
how do any imports help us? can we even use it at all?
06:21
Like I can't set value to sys.version even tho it's a string
@Surg wants to collaborate 🤝
Legoclones
dir(void) = ['__builtins__', '__cached__', '__doc__', '__file__', '__loader__', '__name__', '__package__', '__spec__']
unpickled admin bot 07/08/2023 1:18 PM
well
13:18
sorry wrong msg
Legoclones
how do any imports help us? can we even use it at all?
unpickled admin bot 07/08/2023 1:18 PM
importing a module can provide code execution
13:18
consider the antigravity module for example
13:18
it opens a web browser
13:19
so like if that was imported after our set, we could add a BROWSER var to os.environ
Avatar
ahhh
unpickled admin bot
random._os!
unpickled admin bot 07/08/2023 1:56 PM
just realised no cuz
13:56
[word in item_key
unpickled admin bot 07/08/2023 2:13 PM
stuff in os/posix we can overwrite
14:14
p sure everything capitalised in the beginning are args to posix
14:15
seems env overwriting is the way to go (edited)
unpickled admin bot 07/08/2023 3:08 PM
The CPython interpreter scans the command line and the environment for various settings. CPython implementation detail: Other implementations’ command line schemes may differ. See Alternate Impleme...
unpickled admin bot 07/08/2023 3:39 PM
ok i think the module that gives us the most is distutils
15:40
we get all of sys.modules + subproc
unpickled admin bot 07/08/2023 3:49 PM
distutils.sys.modules['sysconfig']._CONFIG_VARS we can write to this
unpickled admin bot 07/08/2023 5:01 PM
wait
Avatar
i'm waiting
unpickled admin bot
distutils.sys.modules['sysconfig']._CONFIG_VARS we can write to this
unpickled admin bot 07/08/2023 5:02 PM
do we know if sysconfig is just a clone?
17:02
or does it actually change shit
17:06
ok no checking source it does not
17:06
:<<<<<
unpickled admin bot 07/08/2023 10:45 PM
what's killing my ideas rn is p much
22:45
we have to import first
22:45
like, there are libraries which if you could set smthng then import you can get them to run code for you
unpickled admin bot 07/08/2023 11:46 PM
could we hijack apport?
unpickled admin bot 07/08/2023 11:56 PM
no
23:56
we cannot
23:56
auidchaiusdcjhaiuscda
unpickled admin bot 07/09/2023 1:13 AM
welp tried my last few ideas, so now imma just read docs on common modules
@kanon wants to collaborate 🤝
unpickled admin bot 07/09/2023 2:38 AM
nonak elloh
02:38
ytlaeh era sliajyp
unpickled admin bot 07/09/2023 2:45 PM
WE CAN RUN STUFF TWICE??????
14:45
HOW
14:45
WHAT
14:45
ain't there any while true
14:47
ogh
14:47
import main
14:47
runs it again
14:47
gives us another setattr
14:47
THATS SO SMART
14:47
:////////////////////////////////////////////////////////////
14:47
im an idiot
14:47
ok
14:49
Interesting approach
14:49
Intended doesn't run twice tho
unpickled admin bot 07/09/2023 2:49 PM
ye
14:49
ctypes
14:50
had no clue ctypes had environ access
14:50
ig what i prob should've done is recursed all available modules to check for an env var (edited)
14:50
welp
Avatar
What would an import main exp start to look like
unpickled admin bot 07/09/2023 2:50 PM
i fucked up
Avatar
¯\_(ツ)_/¯
14:50
1st is 1st
unpickled admin bot 07/09/2023 2:51 PM
:/ ye but im not first in pyjail so im sadge for now (edited)
14:51
PYTHONINSPECT kinda cool tho
Exported 89 message(s)