Blacklist

Challenge description

you can run anything on this! please dont hack me

Source code

    blacklist = "._0x/|?*[]{}<>\"'=()\\\t "
    blacklist2 = ['eval', 'exec', 'compile', 'import', 'os', 'sys', 'cat', 'ls', 'exit', 'list', 'max', 'min', 'set', 'tuple']

    def validate(code):
        for char in blacklist:
            if char in str(code):
                return False
        for word in blacklist2:
            if word in str(code):
                return False
        return True

    if __name__ == '__main__':
        print("------------------------------")
        print("Welcome to my very cool python interpreter! \nI hope I blacklisted enough... \nYou can never be too careful with these things...")
        print("Send an empty line to run!")
        print("------------------------------")
        safe_code = ""
        while (True):
            unsafe_code = input(">>> ")
            if (unsafe_code == ""):
                try:
                    exec(safe_code)
                except:
                    print("Error executing!")
                break
            unsafe_code = unsafe_code.replace("open", "")
            unsafe_code = unsafe_code.replace("print", "")
            if (not validate(unsafe_code)):
                print("Invalid code!")
                continue
            safe_code += str(unsafe_code)+ "\n"

First analysis

In this challenge we had to read the flag.txt file. The script let us upload Python code through the while loop, blacklisting a number of characters. Most notably: ...

March 20, 2023 · 3 min · Lombax

ez-class

Source code

ez-class.py

First analysis

It seems we can write a class to a file and then open that class. But what we can write is restricted: the input gets validated by get_legal_code. When running and selecting 1. Write new class we are prompted with:

    {class name}
    {parent}
    {number of methods}
    for each method:
        {name{i}}
        {params{i}}
        {body{i}}

and our class will look like:

    class {class name}({parent}):
        def {name{1}}({params{1}}):
            {body{1}}
        def {name{2}}({params{2}}):
            {body{2}}
        ...

In exec_class() our class gets printed, so my_class.__repr__() gets run to get its string representation. ...

March 20, 2023 · 2 min · Max

Euler's License

Someone who doesn’t care about bandwidth usage decided to package both the server and client binaries in a single file… The server of course is meant to run on Linux, and the client on Windows. We get a PowerShell file eulers_license.ps1 that contains:

- a binary_linux var containing the server code encoded in base64.
- a binary_win var containing the client code, also encoded in base64.

The Linux binary

The Linux binary is very easy to reverse. In fact, by decoding it we get a Python server which has a huge SQLi vuln: ...

April 18, 2022 · 2 min · VaiTon