misc/pyjail-1 (#67)

* chall * fixes Co-authored-by: mud-ali <[email protected]>
BCACTF · Jun 3, 2024 · af5fc5e · af5fc5e
1 parent 1cbd895
commit af5fc5e
Show file tree

Hide file tree

Showing 5 changed files with 65 additions and 0 deletions.
diff --git a/pyjail-1/Dockerfile b/pyjail-1/Dockerfile
@@ -0,0 +1,18 @@
+FROM gcc:14-bookworm AS builder
+
+RUN apt-get update && apt-get install -y wget && rm -rf /var/lib/apt/lists/* \
+    && wget -O ynetd.c https://raw.githubusercontent.com/johnsonjh/ynetd/master/ynetd.c \
+    && gcc -o ynetd ynetd.c && rm ynetd.c && chmod +x ./ynetd
+
+FROM python:3.12-slim-bookworm AS runtime
+
+WORKDIR /app
+
+COPY --from=builder /ynetd /app/ynetd
+
+COPY flag.txt /app/flag.txt
+COPY deploy.py /app/deploy.py
+
+EXPOSE 9030
+
+ENTRYPOINT [ "./ynetd", "-p", "9030", "python3 deploy.py 2>&1" ]
diff --git a/pyjail-1/chall.yaml b/pyjail-1/chall.yaml
@@ -0,0 +1,20 @@
+name: PyJail-1
+categories:
+  - misc
+value: 75
+flag:
+  file: flag.txt
+description: |-
+  I cannot get the python file to print the flag, are you able to?
+hints:
+  - How can you access variables in python?
+files:
+  - src: ./deploy.py
+    dest: main.py
+authors:
+  - Jack
+visible: true
+deploy:
+  nc:
+    build: .
+    expose: 9030/tcp
diff --git a/pyjail-1/deploy.py b/pyjail-1/deploy.py
@@ -0,0 +1,15 @@
+def sanitize(letter):
+    print("Checking for contraband...")
+    return any([i in letter.lower() for i in BANNED_CHARS])
+
+BANNED_CHARS = "gdvxftundmnt'~`@#$%^&*-/.{}"
+flag = open('flag.txt').read().strip()
+
+print("Welcome to the prison's mail center")
+msg = input("Please enter your message: ")
+
+if sanitize(msg): 
+    print("Contraband letters found!\nMessage Deleted!")
+    exit()
+
+exec(msg)
diff --git a/pyjail-1/flag.txt b/pyjail-1/flag.txt
@@ -0,0 +1 @@
+bcactf{PyTH0n_pR0_03ed78292b89c}
diff --git a/pyjail-1/solve.md b/pyjail-1/solve.md
@@ -0,0 +1,11 @@
+This is what `PyJail` problems are built off of, where they restrict inputs, functions, or anything else to make it more challenging to get the flag.
+
+Based off of the banned keys, `gdvxftundmn'~`\``@#$%^&*-/.{}`, there are only a few functions we can use, one of which is the key to solving the problem, `locals`.
+
+`locals` is a function that has reference to all of the local parameters, including the `flag` variable which stores the flag. However, it is not as simple as just printing this out, as the `n` and `t` in `print` is blocked by the sanitizer.
+
+To get around this, we can raise an error with a custom error message.
+
+```py
+raise OSError(locals()[chr(102)+chr(108)+chr(97)+chr(103)])
+```