# Shaktictf 22 write-ups
## pyjails - level0, level1 and endgame
### level0
Description:
Solve level0 of the pyjail series!
Note: The server is running on Ubuntu 22.04.
Flag format: shakti{}
Author: Claire de lune
### Intended solution
The intended solution is to use the `__builtins__` module to access the `import` function and read the flag.
Running the file gives us the following output:
On trying to import the os module, we get the following error:
Which means the import function has been blocked somehow.
So we try to access the `__builtins__` module and import the os module from there.
#### Exploit
```python
__builtins__.__import__('os').system('cat flag.txt')
```
This gives us the flag: `shakti{7h47_w45_7Un!3a36rgjsk9}`
### level1
Description:
Solve level1 of the pyjail series!
Note: The server is running on Ubuntu 22.04.
Flag format: shakti{}
Author: Claire de lune
### Intended solution
The intended solution is to use globals() to find the `__builtins__` module and access the `import` function to read the flag.
Running the file gives us the following output:
![](https://i.imgur.com/a0KytYg.png)
On trying to run the last exploit, we get the following error:
![](https://i.imgur.com/oO3eyPR.png)
Which means the `__builtins__` module has been blocked somehow.
So we try to access the `__builtins__` module using globals(). Running globals() gives us the following output:
![](https://i.imgur.com/PtoKmTV.png)
We can see that the `__builtins__.__import__` function is present in the globals() dictionary.
So we try to import the os module from there.
#### Exploit
```python
# call the __import__ function that globals() exposes as we_need_you_alive
we_need_you_alive('os').system('cat flag.txt')
```
This displays the message:
![](https://i.imgur.com/j1sojOZ.png)
The flag is: `shakti{7h47_W45_4_Cl053_C4ll!!!}`
### endgame
Description:
Solve endgame of the pyjail series!
Note: The server is running on Ubuntu 22.04.
Flag format: shakti{}
Author: Claire de lune
### Intended solution
The intended solution is to use globals() to find the `__builtins__` module and access the `import os` function to read the flag. Also the exec function has been blocked.
Running the file gives us the following output:
![](https://i.imgur.com/AT7ASIx.png)
Let's try using the helpline:
![](https://i.imgur.com/SAfMEP2.png)
So the helpline id is the password in the message that was displayed at the end of the last game. The helpline is basically the globals() function, which shows the banned list containing the functions print, exec, eval, read, open and globals(). It also shows the os module saved as 'sos' and the exec function saved as 'beat_the_master'.
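As an added example (not part of the challenge source or the original write-up): an audit that inspects a jail's namespace by object identity, flagging the kind of aliases seen in level1 (`we_need_you_alive`) and in the helpline output above (`sos`, `beat_the_master`), which a word blocklist never matches. The namespaces are constructed from the write-up's description, and the substring-style `blocklist_allows` check is an assumption about how the jail applies its banned list.

```python
import builtins
import os
import types

# Builtins that grant code execution or file access whatever name they are bound to.
RISKY = {id(getattr(builtins, n)): n
         for n in ("__import__", "exec", "eval", "open", "compile", "globals")}


def audit_namespace(namespace):
    """Return {name: reason} for every binding that a name blocklist cannot stop."""
    findings = {}
    for name, value in namespace.items():
        if isinstance(value, types.ModuleType):
            findings[name] = f"module {value.__name__}"
        elif isinstance(value, dict) and "__import__" in value:
            findings[name] = "builtins dictionary"
        elif id(value) in RISKY:
            findings[name] = f"alias of builtins.{RISKY[id(value)]}"
    return findings


def blocklist_allows(payload, banned):
    """Assumed jail check: reject input that contains any banned word."""
    return not any(word in payload for word in banned)


# Constructed namespaces modelled on what globals() shows in the write-up.
LEVEL1_NS = {"__builtins__": {}, "we_need_you_alive": builtins.__import__}
ENDGAME_NS = {"__builtins__": {}, "sos": os, "beat_the_master": exec}
ENDGAME_BANNED = ["print", "exec", "eval", "read", "open", "globals"]

if __name__ == "__main__":
    for label, ns in (("level1", LEVEL1_NS), ("endgame", ENDGAME_NS)):
        for name, reason in audit_namespace(ns).items():
            # The alias itself passes the word filter, so only the audit catches it.
            passes = blocklist_allows(name, ENDGAME_BANNED)
            print(f"{label}: {name} -> {reason} (passes blocklist: {passes})")
```

An empty result is necessary but not sufficient for a sealed namespace, since ordinary objects can still lead back to builtins through their attributes.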
#### Exploit
```python
beat_the_master('sos.system("cat flag.txt")')
```
This displays the message:
The flag is: `shakti{H0w_D0_y0u_L1k3_35c4p3_r00m5_n0W?}`