CTFtime.org

Pyjail ATricks

by AnisBoss / the3000

Rating: 4.3

It only needs 3 steps to solve the task :
1- Get **co_consts** of the function which holds the constants used by the function, and because we have the **eval** function we can execute arbitrary commands using characters we get using the documentation of any type (i used **()**) through the following payloads :
```py
a='alles' #now a contains the string 'alles'
a=eval(eval("a."+eval("().__class__.__doc__[17+1]+().__class__.__doc__[19]+().__class__.__doc__[19]+().__class__.__doc__[2+2]+().__class__.__doc__[32]"))()) #evaluate 'alles'.upper() ==> now a contains a reference to the function <function ALLES at 0x7f1c55a942d0>
a=eval("a."+"__code__") #now we point to code object of the function
a=print(eval('a.'+'co_consts')) #print constants used by ALLES function
(None, 'p\x7f\x7frbH\x00DR\x07CRUlJ\x07DlRe\x02N', 'No flag for you!')
```
2- The second step is to get bytecode of the function, we can accomplish this through calling **ALLES.\_\_code\_\_.co_code** using the following payload:
```py
a='alles'
a=eval(eval("a."+eval("().__class__.__doc__[17+1]+().__class__.__doc__[19]+().__class__.__doc__[19]+().__class__.__doc__[2+2]+().__class__.__doc__[32]"))()) #evaluate 'alles'.upper()
a=eval("a."+"__code__")
a = print(eval('a.'+'co_code'))
b'|\x00r\x0et\x00d\x01|\x00\x83\x02S\x00d\x02S\x00d\x00S\x00'
```

3- Finally, we can use the module **dis** to get the disassembly code like the following (don't forget to use python3, python2 provide wrong output)
```
>>> dis.dis(b"|\x00r\x0et\x00d\x01|\x00\x83\x02S\x00d\x02S\x00d\x00S\x00")
0 LOAD_FAST 0 (0)
2 POP_JUMP_IF_FALSE 14
4 LOAD_GLOBAL 0 (0)
6 LOAD_CONST 1 (1)
8 LOAD_FAST 0 (0)
10 CALL_FUNCTION 2
12 RETURN_VALUE
>> 14 LOAD_CONST 2 (2)
16 RETURN_VALUE
18 LOAD_CONST 0 (0)
20 RETURN_VALUE
```
It's obvious that it loads the constant at index 1 which is the non-printables chars we found in first step and call the function that we need to get its name through **co_names** using the following payload
```py
a = 'alles'
a = eval(eval("a."+eval("().__class__.__doc__[17+1]+().__class__.__doc__[19]+().__class__.__doc__[19]+().__class__.__doc__[2+2]+().__class__.__doc__[32]"))())
a = eval("a."+"__code__")
a = print(eval('a.'+'co_na'+().__class__.__doc__[12]+'es'))
('string_xor',)
```
So it's a simple xor function, without further suspense a simple xor with the flag format brings us the key used (1337)
```py
from pwn import *
print xor("p\x7f\x7frbH\x00DR\x07CRUlJ\x07DlRe\x02N","ALLES{")
print xor("1337","p\x7f\x7frbH\x00DR\x07CRUlJ\x07DlRe\x02N")

```

and we get the desired flag **ALLES{3sc4ped_y0u_aR3}**
\o/

Comments