Blacklist

Challenge description you can run anything on this! please dont hack me Source code blacklist = "._0x/|?*[]{}<>\"'=()\\\t " blacklist2 = ['eval', 'exec', 'compile', 'import', 'os', 'sys', 'cat', 'ls', 'exit', 'list', 'max', 'min', 'set', 'tuple'] def validate(code): for char in blacklist: if char in str(code): return False for word in blacklist2: if word in str(code): return False return True if __name__ == '__main__': print("------------------------------") print("Welcome to my very cool python interpreter! \nI hope I blacklisted enough... \nYou can never be too careful with these things...") print("Send an empty line to run!") print("------------------------------") safe_code = "" while (True): unsafe_code = input(">>> ") if (unsafe_code == ""): try: exec(safe_code) except: print("Error executing!") break unsafe_code = unsafe_code.replace("open", "") unsafe_code = unsafe_code.replace("print", "") if (not validate(unsafe_code)): print("Invalid code!") continue safe_code += str(unsafe_code)+ "\n" First analysis In this challenge we had to read the flag.txt file. The script let us upload python code trough the while loop, blacklisting a number of characters. Most notably: ...

March 20, 2023 · 3 min · Lombax

chicago

Challenge description Keygenme…sort of Author: akhbaar The keygen As usual, we start by trying to run the executable. ./chicago but unfortunately, we get ... Bad lenght! ... Opening the file with ghidra, we see that the file is a rust compiled executable, with A TON of functions (I suppose from the rust standard library). After some time we find the main, with an interesting portion of code: if (local_1a8 < 10) { FUN_00107480("Bad length ... So the length of the input must be at least 10. Also, after some analysis and variable renaming, we find that ...

March 20, 2023 · 2 min · VaiTon

ez-class

Source code ez-class.py First analysis It seems we can write a class to a file, and open that class. But we also have restrictions on what we can write that are applied when input gets validated by get_legal_code. When running and selecting 1. Write new class we are prompted with {class name} {parent} {number of methods} for each method: {name{i}} {params{i}} {body{i}} and out class will look like: class {class name}({parent}): def {name{1}}({params{1}}): {body{1}} def {name{2}}({params{2}}): {body{2}} ... In exec_class() our class gets printed, so my_class.__repr__() gets run to get it’s string representation. ...

March 20, 2023 · 2 min · Max

Padlock

Challenge description Mindblown by ioccc? How can someone write programs like this… Anyway, try open this padlock :) Author: bronson113 Source file quine.c First analysis The source code is a C program that prints itself. It’s a quine, a program that prints its own source code. If we compile the program and run it, we are welcomed by a zsh: segmentation fault ./quine Maybe it needs some arguments? Let’s try with ./quine 1: ...

March 20, 2023 · 2 min · VaiTon