Level 2

Challenge details

Solution

The content of the source code file is shown below. In this level, we were not allowed to use the keywords exec, eval, system, os, import, open, read, write. This means that we'll need to figure out a workaround, as the command from Level 1 cannot be used anymore.

I was testing out the restrictions on the server, and yes, open triggered the error message.

Python allows us to concatenate strings using the + sign. Thus, I tried to reproduce the same command as Level 1 by concatenating everything together. However, they don't seem to get executed. Instead, those lines are just printed out.

I was wondering whether that had anything to do with the print(eval()) function that we saw in the source code earlier, and decided to give it a quick search, with the initial intention of finding out what they do.

After clicking on the first link and reading through the content, I saw some juicy payloads that might work for the challenge. Firstly, the restrictions listed there were very similar to what we've got for ours. Secondly, our challenge does not limit the use of uppercase and lowercase characters, meaning that we can enter our payload in uppercase and convert it back to lowercase during execution by utilizing the lower() function.

It works! A flag was returned.
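
Why the keyword check lets this through, and what a stricter evaluator looks like, as an added example that is not the challenge's source code: the keyword list comes from the write-up, while the substring-check shape of the filter, the function names and the sample inputs are assumptions constructed for illustration.

```python
import ast

# Keyword list from the write-up; the substring check is an assumed filter shape.
BLOCKED = ["exec", "eval", "system", "os", "import", "open", "read", "write"]

def naive_filter(expr):
    """Case-sensitive substring blocklist. True means the input is accepted."""
    return not any(word in expr for word in BLOCKED)

def casefold_filter(expr):
    """Same blocklist, compared case-insensitively."""
    lowered = expr.casefold()
    return not any(word in lowered for word in BLOCKED)

# Syntax the allowlist evaluator accepts: numeric literals and basic arithmetic.
ALLOWED = (ast.Expression, ast.Constant, ast.BinOp, ast.UnaryOp,
           ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod, ast.USub, ast.UAdd)

def safe_eval(expr):
    """Reject calls, attributes, names and strings before evaluating anything."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED):
            raise ValueError("disallowed syntax: " + type(node).__name__)
        if isinstance(node, ast.Constant) and not isinstance(node.value, (int, float)):
            raise ValueError("only numeric literals are allowed")
    return eval(compile(tree, "<expr>", "eval"), {"__builtins__": {}}, {})

# Constructed inputs: harmless strings that only spell a blocked word.
SAMPLES = ["open", "'OPEN'.lower()", "'op' + 'en'", "1 + 2 * 3"]

def report():
    """Return (input, naive verdict, case-insensitive verdict, allowlist verdict)."""
    rows = []
    for s in SAMPLES:
        try:
            safe_eval(s)
            allowed = True
        except (ValueError, SyntaxError):
            allowed = False
        rows.append((s, naive_filter(s), casefold_filter(s), allowed))
    return rows

if __name__ == "__main__":
    for row in report():
        print(row)
```

Making the blocklist case-insensitive catches the uppercase form but still accepts the concatenated one; only the syntax allowlist rejects both.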

Flag

GCTF2023{Lev3l_tw0_lessgoooooo_g00d_luck_at_l3v3l_3}
