UMassCTF'21: ekrpat

ekrpat

Category: misc

322 points

I made so few errors when creating this jail.

nc 34.72.64.224 8083

nc 35.231.20.75 8083

Created by Thomas (Seltzerz #6678)

Hint: Look down at where you’re typing.

Solution

nc 34.72.64.224 8083
Frg-k. xprt.b mf jre.! >ojal. ,cydrgy yd. d.nl ru .kanw .q.jw cmlrpyw rl.bw row p.aew ofoy.mw abe ,pcy.v Ucpoyw .by.p -ekrpat-v Frg ,cnn yd.b i.y abryd.p cblgy ,dcjd frg jab go. ypf yr xp.at rgy ru yd. hacnv
>>> ugabuga
Wrong code to break out. Sorry, try again!

At the beginning I thought it was ciphered with some code. Luckly pnc4 found out, that ekrpat refers to Dvorak Keyboard Layout. After mapping the given text to dvorak, we got the below text:

You've broken my code! Escape without the help of eval, exec, import, open, os, read, system, and write. First, enter 
'dvorak'. You will then get another input which you can use try to break out of the jail.

After typing dvorak we end up in some kinda python jailbreak challenge.

Frg-k. xprt.b mf jre.! >ojal. ,cydrgy yd. d.nl ru .kanw .q.jw cmlrpyw rl.bw row p.aew ofoy.mw abe ,pcy.v Ucpoyw .by.p -e
krpat-v Frg ,cnn yd.b i.y abryd.p cblgy ,dcjd frg jab go. ypf yr xp.at rgy ru yd. hacnv
>>> dvorak
>>> print(dir())
['code', 'keyword', 'text']
['code', 'keyword', 'text']
['code', 'keyword', 'text']
['code', 'keyword', 'text']
['code', 'keyword', 'text']
['code', 'keyword', 'text']
['code', 'keyword', 'text']
['code', 'keyword', 'text']

But when we tried to import module, it didn’t work.

Frg-k. xprt.b mf jre.! >ojal. ,cydrgy yd. d.nl ru .kanw .q.jw cmlrpyw rl.bw row p.aew ofoy.mw abe ,pcy.v Ucpoyw .by.p -e
krpat-v Frg ,cnn yd.b i.y abryd.p cblgy ,dcjd frg jab go. ypf yr xp.at rgy ru yd. hacnv
>>> dvorak
import os
Play by the rules!!! Try again.

Let’s try to trick it ;-)

Frg-k. xprt.b mf jre.! >ojal. ,cydrgy yd. d.nl ru .kanw .q.jw cmlrpyw rl.bw row p.aew ofoy.mw abe ,pcy.v Ucpoyw .by.p -ekrpat-v Frg ,cnn yd.b i.y abryd.p cblgy ,dcjd frg jab go. ypf yr xp.at rgy ru yd. hacnv
>>> dvorak
>>> print(getattr(globals()['__builtins__'], '__imp' + 'ort__')('os').listdir())
['.profile', '.bashrc', '.bash_logout', 'ynetd', 'Dockerfile', 'ekrpat.py', 'flag', 'ojal.']
['.profile', '.bashrc', '.bash_logout', 'ynetd', 'Dockerfile', 'ekrpat.py', 'flag', 'ojal.']
['.profile', '.bashrc', '.bash_logout', 'ynetd', 'Dockerfile', 'ekrpat.py', 'flag', 'ojal.']
['.profile', '.bashrc', '.bash_logout', 'ynetd', 'Dockerfile', 'ekrpat.py', 'flag', 'ojal.']
Play by the rules!!! Try again.

Ok, now we know the flag is placed in flag file.

Frg-k. xprt.b mf jre.! >ojal. ,cydrgy yd. d.nl ru .kanw .q.jw cmlrpyw rl.bw row p.aew ofoy.mw abe ,pcy.v Ucpoyw .by.p -ekrpat-v Frg ,cnn yd.b i.y abryd.p cblgy ,dcjd frg jab go. ypf yr xp.at rgy ru yd. hacnv
>>> dvorak
>>> print(getattr(globals()['__builtins__'], 'op' + 'en')('flag', 'r').read())
UMASS{dvorak_rules}

UMASS{dvorak_rules}

UMASS{dvorak_rules}

UMASS{dvorak_rules}

UMASS{dvorak_rules}

Play by the rules!!! Try again.

Ok, so here’s the flag ;-) And as a bonus I’ve taken a look into challenge code using same method as for flag.

def main():
	print('Frg-k. xprt.b mf jre.! >ojal. ,cydrgy yd. d.nl ru .kanw .q.jw cmlrpyw rl.bw row p.aew ofoy.mw abe ,pcy.v Ucpoyw .by.p -ekrpat-v Frg ,cnn yd.b i.y abryd.p cblgy ,dcjd frg jab go. ypf yr xp.at rgy ru yd. hacnv')
	code = input('>>> ')
	if code == 'dvorak':
		text = input('>>> ')
		for keyword in ['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']:
			if keyword in text:
				print('Play by the rules!!! Try again.')
				return
			else:
				exec(text)
	else:
		print('Wrong code to break out. Sorry, try again!')

if __name__ == "__main__":
	main()

Flag

UMASS{dvorak_rules}

Privacy Policy
luc © 2021