Type it
Description
Show me what can you type to read me
Steps
Analyzing the provided code file shows that user input reaches an eval() call, which can be exploited to read the flag.
#!/usr/bin/env python3
FLAG = "CyberErudites{fake_flag}"
BLACKLIST = "\"%&',-/_:;@\\`{|}~*<=>[] \t\n\r"


def check(s):
    return all(ord(x) < 0x7F for x in s) and all(x not in s for x in BLACKLIST)


def safe_eval(s, func):
    if not check(s):
        print("Input is bad")
    else:
        try:
            print(
                eval(
                    f"{func.__name__}({s})",
                    {"__builtins__": {func.__name__: func}, "flag": FLAG},
                )
            )
        except Exception as e:
            print("Error: " + str(e))


if __name__ == "__main__":
    safe_eval(input("Input : "), type)
The expression handed to eval() therefore becomes type(<user input>), with our text spliced directly into the source string.
With that in mind, we can start crafting a payload.
Solution
The code checks for blacklisted characters, which include the quotation marks, but the blacklist does not include the . or the ( ) characters, which can be used to access attributes and call class methods.
If we enter the variable *flag*, which is defined in the globals argument passed to *eval*, the output tells us that its class is str.
With this knowledge we only need to call a string method to reveal its contents.
The payload *flag).encode(flag* uses its first ) to close the bracket of the type() call and inject code before the bracket the program supplies, so the evaluated expression becomes *type(flag).encode(flag)*, i.e. *str.encode(flag)*, which returns the flag as bytes.
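The root cause, as an added example that is not part of the original writeup: the challenge's blacklist filters characters, not syntax, so "." and parentheses pass and whatever text survives the filter is spliced into source code. The Python below reproduces the challenge's check and eval (with a constructed placeholder flag, not the real one) beside a hardened variant that parses the input with the ast module and accepts only a bare name or a literal, rejecting attribute access and calls before anything is evaluated. The names blacklist_check, vulnerable_eval and hardened_eval are mine, not the challenge's.

```python
#!/usr/bin/env python3
"""Added example: a character blacklist is not a sandbox; validate the
syntax tree instead of the characters, and never build code from text."""
import ast

# Constructed stand-in for the challenge's secret; not the real flag.
FLAG = "CyberErudites{example_placeholder}"

# The challenge's own character filter, reproduced for comparison.
BLACKLIST = "\"%&',-/_:;@\\`{|}~*<=>[] \t\n\r"


def blacklist_check(s: str) -> bool:
    """The challenge's check: ASCII only and no blacklisted characters.
    '.', '(' and ')' are allowed, so attribute access and calls survive."""
    return all(ord(x) < 0x7F for x in s) and all(x not in s for x in BLACKLIST)


def vulnerable_eval(s: str, func=type) -> str:
    """Mirrors safe_eval() from the challenge: the user text is spliced
    into source code, so a ')' in the input closes the intended call early."""
    if not blacklist_check(s):
        return "Input is bad"
    try:
        return str(eval(f"{func.__name__}({s})",
                        {"__builtins__": {func.__name__: func}, "flag": FLAG}))
    except Exception as e:
        return "Error: " + str(e)


# Hardened variant: parse first, allowlist node types, evaluate only then.
ALLOWED_NODES = (ast.Expression, ast.Name, ast.Constant, ast.Load)


def hardened_eval(s: str, func=type) -> str:
    """Parse the input as one expression and accept only a bare name or a
    literal. Attribute access, calls, operators and unbalanced brackets are
    rejected by the parser or the allowlist, whatever characters were used."""
    try:
        tree = ast.parse(s, mode="eval")
    except SyntaxError:
        return "Input is bad"
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            return "Input is bad"
        if isinstance(node, ast.Name) and node.id != "flag":
            return "Input is bad"
    # Evaluate the validated tree with empty builtins, then apply func in
    # Python rather than by string-building a call expression.
    value = eval(compile(tree, "<input>", "eval"), {"__builtins__": {}, "flag": FLAG})
    return str(func(value))


if __name__ == "__main__":
    for probe in ("flag", "flag).encode(flag"):
        print(f"{probe!r:>22}  blacklist passes: {blacklist_check(probe)}")
        print(f"{'':>22}  vulnerable: {vulnerable_eval(probe)}")
        print(f"{'':>22}  hardened:   {hardened_eval(probe)}")
```

The test cases show the two filters side by side: the writeup's payload passes the character blacklist and is rejected by the parser, while the legitimate input "flag" gives the same answer under both versions.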
Flag
CyberErudites{wh0_N3Ed$_bR4CkeTS}