From 8661e115d45788020a0befdb0b928f303ec5235f Mon Sep 17 00:00:00 2001
From: Jack-Crowley
Date: Tue, 15 Aug 2023 17:12:59 -0400
Subject: [PATCH 1/7] basic script
---
jailbreak/main.py | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 jailbreak/main.py
diff --git a/jailbreak/main.py b/jailbreak/main.py
new file mode 100644
index 0000000..0330f4a
--- /dev/null
+++ b/jailbreak/main.py
@@ -0,0 +1,16 @@
+import time
+
+def sanitize(letter):
+ print("Checking for contraband...")
+ return any([i in letter.lower() for i in BANNED_CHARS])
+
+BANNED_CHARS = ""
+
+print("Welcome to the prison's mail center")
+msg = input("Please enter your message: ")
+
+if not sanitize(msg):
+ print("Contraband letters found!\nMessage Deleted!")
+ exit()
+
+exec(msg)
\ No newline at end of file
From 386c1c83653f3228fea359ffdcbee2eb662e9a86 Mon Sep 17 00:00:00 2001
From: Jack-Crowley
Date: Fri, 18 Aug 2023 12:10:41 -0400
Subject: [PATCH 2/7] finish
---
jailbreak/chall.yaml | 14 ++++++++++++++
jailbreak/deploy.py | 15 +++++++++++++++
jailbreak/main.py | 12 +++++++-----
jailbreak/solve.md | 17 +++++++++++++++++
4 files changed, 53 insertions(+), 5 deletions(-)
create mode 100644 jailbreak/chall.yaml
create mode 100644 jailbreak/deploy.py
create mode 100644 jailbreak/solve.md
diff --git a/jailbreak/chall.yaml b/jailbreak/chall.yaml
new file mode 100644
index 0000000..49ff7ed
--- /dev/null
+++ b/jailbreak/chall.yaml
@@ -0,0 +1,14 @@
+name: JailBreak
+categories:
+ - misc
+value: 75
+flag: camp{PYth0n_M4steR_M2!f45}
+description: |-
+ After a recent prison escape due to hidden messages in letters, the facility has tightened security. Can you find a way around these new measures?
+hints:
+ - How can you access variables in python?
+files:
+ - src: ./main.py
+authors:
+ - Jack Crowley
+visible: true
diff --git a/jailbreak/deploy.py b/jailbreak/deploy.py
new file mode 100644
index 0000000..75231e7
--- /dev/null
+++ b/jailbreak/deploy.py
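Review bot: In jailbreak/main.py (PATCH 1/7), `sanitize()` returns True when a banned character is present, which is the opposite of what its name suggests, and the call site `if not sanitize(msg):` reads it the other way round. With `BANNED_CHARS = ""` the result is always False, so every message takes the "Contraband" branch and `exec(msg)` is never reached. A docstring such as `"""Return True if letter contains any banned character (case-insensitive)."""`, or a name like `has_contraband`, would make the polarity explicit where the function is called. `import time` is unused, and `any(...)` can take the generator directly instead of building a list first.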
@@ -0,0 +1,15 @@ +def sanitize(letter): + print("Checking for contraband...") + return any([i in letter.lower() for i in BANNED_CHARS]) + +BANNED_CHARS = "gdvxftundmn'~`@#$%^&*-/.{}" +flag = "camp{PYth0n_M4steR_M2!f45}" + +print("Welcome to the prison's mail center") +msg = input("Please enter your message: ") + +if sanitize(msg): + print("Contraband letters found!\nMessage Deleted!") + exit() + +exec(msg) \ No newline at end of file diff --git a/jailbreak/main.py b/jailbreak/main.py index 0330f4a..4b78286 100644 --- a/jailbreak/main.py +++ b/jailbreak/main.py @@ -1,16 +1,18 @@ -import time - def sanitize(letter): print("Checking for contraband...") return any([i in letter.lower() for i in BANNED_CHARS]) -BANNED_CHARS = "" +BANNED_CHARS = "gdvxftundmn'~`@#$%^&*-/.{}" +flag = "REDACTED" print("Welcome to the prison's mail center") msg = input("Please enter your message: ") -if not sanitize(msg): +if sanitize(msg): print("Contraband letters found!\nMessage Deleted!") exit() -exec(msg) \ No newline at end of file +try: + exec(msg) +except Exception as e: + print(f'Error occured: {str(e)}; Message could not be sent, please report to system administrator') \ No newline at end of file diff --git a/jailbreak/solve.md b/jailbreak/solve.md new file mode 100644 index 0000000..5532bde --- /dev/null +++ b/jailbreak/solve.md 
@@ -0,0 +1,17 @@ +# JailBreak + +The `exec` function in python is very dangerous, especially with it executing an input given by the user. + +This is what `PyJail` problems are built off of, where they restrict inputs, functions, or anything else to make it more challenging to get the flag. + +Based off of the banned keys, `gdvxftundmn'~`\``@#$%^&*-/.{}`, there are only a few functions we can use, one of which is the key to solving the problem, `locals`. + +`locals` is a function that has reference to all of the local parameters, including the `flag` variable which stores the flag. However, it is not as simple as just printing this out, as the `t` in `print` is blocked by the sanitizer. + +To get around this, we can raise an error with a custom error message. + +``` +raise OSError(locals()[chr(102)+chr(108)+chr(97)+chr(103)]) +``` + +Using the input, the problem exits in an error, but is caught by the `try-except block`, which then prints out the error message. \ No newline at end of file From 4a08ff105258d63a0f7d654ec2b4d0d0734410cf Mon Sep 17 00:00:00 2001 From: Jack-Crowley Date: Fri, 18 Aug 2023 13:02:33 -0400 Subject: [PATCH 3/7] fixes --- jailbreak/deploy.py | 7 +++++-- jailbreak/main.py | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/jailbreak/deploy.py b/jailbreak/deploy.py index 75231e7..c47c749 100644 --- a/jailbreak/deploy.py +++ b/jailbreak/deploy.py @@ -3,7 +3,7 @@ def sanitize(letter): return any([i in letter.lower() for i in BANNED_CHARS]) BANNED_CHARS = "gdvxftundmn'~`@#$%^&*-/.{}" -flag = "camp{PYth0n_M4steR_M2!f45}" +flag = "REDACTED" print("Welcome to the prison's mail center") msg = input("Please enter your message: ") @@ -12,4 +12,7 @@ def sanitize(letter): print("Contraband letters found!\nMessage Deleted!") exit() -exec(msg) \ No newline at end of file +try: + exec(msg) +except Exception as e: + print(f'Error occured: {str(e)}; Message could not be sent.') \ No newline at end of file 
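Review bot: The two `flag` assignments land on the wrong files in PATCH 3/7: jailbreak/deploy.py now holds `flag = "REDACTED"`, while the jailbreak/main.py hunk that follows receives the real value. chall.yaml from PATCH 2/7 lists `./main.py` under `files`, which looks like the player handout; if that reading is right, this revision ships the flag with the source and deploys a service that can only ever return the placeholder. The literals should be the other way round, `flag = "REDACTED"` in main.py and the real value only in deploy.py. If this revision was ever published, the flag value should be treated as exposed and replaced rather than only moved back.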
diff --git a/jailbreak/main.py b/jailbreak/main.py index 4b78286..ab64d32 100644 --- a/jailbreak/main.py +++ b/jailbreak/main.py @@ -3,7 +3,7 @@ def sanitize(letter): return any([i in letter.lower() for i in BANNED_CHARS]) BANNED_CHARS = "gdvxftundmn'~`@#$%^&*-/.{}" -flag = "REDACTED" +flag = "camp{PYth0n_M4steR_M2!f45}" print("Welcome to the prison's mail center") msg = input("Please enter your message: ") @@ -15,4 +15,4 @@ def sanitize(letter): try: exec(msg) except Exception as e: - print(f'Error occured: {str(e)}; Message could not be sent, please report to system administrator') \ No newline at end of file + print(f'Error occured: {str(e)}; Message could not be sent.') \ No newline at end of file From a64e08fa6b29fe23f2e90e75143c0781952bac94 Mon Sep 17 00:00:00 2001 From: Jack-Crowley Date: Fri, 18 Aug 2023 13:51:49 -0400 Subject: [PATCH 4/7] fixes --- jailbreak/deploy.py | 13 +++++++++---- jailbreak/main.py | 13 +++++++++---- jailbreak/solve.md | 8 +++----- 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/jailbreak/deploy.py b/jailbreak/deploy.py index c47c749..65d8e28 100644 --- a/jailbreak/deploy.py +++ b/jailbreak/deploy.py @@ -2,17 +2,22 @@ def sanitize(letter): print("Checking for contraband...") return any([i in letter.lower() for i in BANNED_CHARS]) +def end(): + print("Contraband letters found!\nMessage Deleted!") + exit() + BANNED_CHARS = "gdvxftundmn'~`@#$%^&*-/.{}" -flag = "REDACTED" +flag = "camp{PYth0n_M4steR_M2!f45}" print("Welcome to the prison's mail center") msg = input("Please enter your message: ") if sanitize(msg): - print("Contraband letters found!\nMessage Deleted!") - exit() + end() try: - exec(msg) + x = eval(msg) + if len(x) != len(flag): end() + print(x) except Exception as e: print(f'Error occured: {str(e)}; Message could not be sent.') \ No newline at end of file diff --git a/jailbreak/main.py b/jailbreak/main.py index ab64d32..1569857 100644 --- a/jailbreak/main.py +++ b/jailbreak/main.py 
@@ -2,17 +2,22 @@ def sanitize(letter): print("Checking for contraband...") return any([i in letter.lower() for i in BANNED_CHARS]) +def end(): + print("Contraband letters found!\nMessage Deleted!") + exit() + BANNED_CHARS = "gdvxftundmn'~`@#$%^&*-/.{}" -flag = "camp{PYth0n_M4steR_M2!f45}" +flag = "REDACTED" print("Welcome to the prison's mail center") msg = input("Please enter your message: ") if sanitize(msg): - print("Contraband letters found!\nMessage Deleted!") - exit() + end() try: - exec(msg) + x = eval(msg) + if len(x) != len(flag): end() + print(x) except Exception as e: print(f'Error occured: {str(e)}; Message could not be sent.') \ No newline at end of file diff --git a/jailbreak/solve.md b/jailbreak/solve.md index 5532bde..20eeccd 100644 --- a/jailbreak/solve.md +++ b/jailbreak/solve.md @@ -6,12 +6,10 @@ This is what `PyJail` problems are built off of, where they restrict inputs, fun Based off of the banned keys, `gdvxftundmn'~`\``@#$%^&*-/.{}`, there are only a few functions we can use, one of which is the key to solving the problem, `locals`. -`locals` is a function that has reference to all of the local parameters, including the `flag` variable which stores the flag. However, it is not as simple as just printing this out, as the `t` in `print` is blocked by the sanitizer. - -To get around this, we can raise an error with a custom error message. +`locals` is a function that has reference to all of the local parameters, including the `flag` variable which stores the flag. But since the `flag` has banned characters, we must use `chr()` function with the ascii value of each letter and join them together. ``` -raise OSError(locals()[chr(102)+chr(108)+chr(97)+chr(103)]) +locals()[chr(102)+chr(108)+chr(97)+chr(103)] ``` -Using the input, the problem exits in an error, but is caught by the `try-except block`, which then prints out the error message. \ No newline at end of file +Using this input, the flag will be printed out. \ No newline at end of file 
From 0c3fa8611028e133c5fa94e39794ba2c1f391599 Mon Sep 17 00:00:00 2001 From: Jack-Crowley Date: Fri, 25 Aug 2023 16:49:11 -0400 Subject: [PATCH 5/7] make easier --- jailbreak/deploy.py | 25 +++++++------------------ jailbreak/main.py | 25 +++++++------------------ jailbreak/solve.md | 14 ++------------ 3 files changed, 16 insertions(+), 48 deletions(-) diff --git a/jailbreak/deploy.py b/jailbreak/deploy.py index 65d8e28..1e6a205 100644 --- a/jailbreak/deploy.py +++ b/jailbreak/deploy.py @@ -1,23 +1,12 @@ -def sanitize(letter): - print("Checking for contraband...") - return any([i in letter.lower() for i in BANNED_CHARS]) +def sanitize(): + try: + return eval(msg) + except Exception: + return str(msg) -def end(): - print("Contraband letters found!\nMessage Deleted!") - exit() - -BANNED_CHARS = "gdvxftundmn'~`@#$%^&*-/.{}" -flag = "camp{PYth0n_M4steR_M2!f45}" +hidden_flag = "camp{PYth0n_M4steR_M2!f45}" print("Welcome to the prison's mail center") msg = input("Please enter your message: ") -if sanitize(msg): - end() - -try: - x = eval(msg) - if len(x) != len(flag): end() - print(x) -except Exception as e: - print(f'Error occured: {str(e)}; Message could not be sent.') \ No newline at end of file +print("Your message is: "+sanitize()) \ No newline at end of file diff --git a/jailbreak/main.py b/jailbreak/main.py index 1569857..63fb8a2 100644 --- a/jailbreak/main.py +++ b/jailbreak/main.py 
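Review bot: With the character filter removed, `sanitize()` in jailbreak/deploy.py (and the identical jailbreak/main.py hunk that follows) passes raw input to `eval(msg)` with the module's globals and full builtins, so each connection can evaluate arbitrary expressions as the service user rather than only read `hidden_flag` as solve.md describes. Nothing in the script bounds that, so containment rests entirely on how the process is deployed; a comment saying so, e.g. `# intentionally unsafe: eval of untrusted input, isolation is the container's job`, and a name other than `sanitize` would keep a reader from taking this for a validation routine. If the name lookup is the only intended solve, `eval(msg, {"__builtins__": {}}, {"hidden_flag": hidden_flag})` narrows the namespace, though that is not a sandbox on its own. `"Your message is: "+sanitize()` also sits outside the `try` and raises TypeError whenever the evaluated result is not a str.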
@@ -1,23 +1,12 @@ -def sanitize(letter): - print("Checking for contraband...") - return any([i in letter.lower() for i in BANNED_CHARS]) +def sanitize(): + try: + return eval(msg) + except Exception: + return str(msg) -def end(): - print("Contraband letters found!\nMessage Deleted!") - exit() - -BANNED_CHARS = "gdvxftundmn'~`@#$%^&*-/.{}" -flag = "REDACTED" +hidden_flag = "REDACTED" print("Welcome to the prison's mail center") msg = input("Please enter your message: ") -if sanitize(msg): - end() - -try: - x = eval(msg) - if len(x) != len(flag): end() - print(x) -except Exception as e: - print(f'Error occured: {str(e)}; Message could not be sent.') \ No newline at end of file +print("Your message is: "+sanitize()) \ No newline at end of file diff --git a/jailbreak/solve.md b/jailbreak/solve.md index 20eeccd..ee2ab60 100644 --- a/jailbreak/solve.md +++ b/jailbreak/solve.md 
@@ -1,15 +1,5 @@ # JailBreak -The `exec` function in python is very dangerous, especially with it executing an input given by the user. +The `eval` function in python is very dangerous, especially with it evaluating an input given by the user. For instance, if you type evaluatate a string with the value of `randomVariable`, it will evaluatate to the value of a variable `randomVariable`. -This is what `PyJail` problems are built off of, where they restrict inputs, functions, or anything else to make it more challenging to get the flag. - -Based off of the banned keys, `gdvxftundmn'~`\``@#$%^&*-/.{}`, there are only a few functions we can use, one of which is the key to solving the problem, `locals`. - -`locals` is a function that has reference to all of the local parameters, including the `flag` variable which stores the flag. But since the `flag` has banned characters, we must use `chr()` function with the ascii value of each letter and join them together. - -``` -locals()[chr(102)+chr(108)+chr(97)+chr(103)] -``` - -Using this input, the flag will be printed out. \ No newline at end of file +This can be used to retrieve the flag, as when it asked for the user input, if you give it `hidden_flag`, it will print out contents of the `hidden_flag` variable, which in this case is the flag. \ No newline at end of file From 1cb1f6cc869b12345637cc2169426121f319181d Mon Sep 17 00:00:00 2001 From: mud-ali Date: Fri, 25 Aug 2023 17:30:51 +0000 Subject: [PATCH 6/7] combine into one file and allow nonstring values --- jailbreak/deploy.py | 12 ------------ jailbreak/main.py | 12 ++++++++++-- 2 files changed, 10 insertions(+), 14 deletions(-) delete mode 100644 jailbreak/deploy.py diff --git a/jailbreak/deploy.py b/jailbreak/deploy.py deleted file mode 100644 index 1e6a205..0000000 --- a/jailbreak/deploy.py +++ /dev/null 
@@ -1,12 +0,0 @@ -def sanitize(): - try: - return eval(msg) - except Exception: - return str(msg) - -hidden_flag = "camp{PYth0n_M4steR_M2!f45}" - -print("Welcome to the prison's mail center") -msg = input("Please enter your message: ") - -print("Your message is: "+sanitize()) \ No newline at end of file diff --git a/jailbreak/main.py b/jailbreak/main.py index 63fb8a2..c47bd27 100644 --- a/jailbreak/main.py +++ b/jailbreak/main.py @@ -4,9 +4,17 @@ def sanitize(): except Exception: return str(msg) -hidden_flag = "REDACTED" +try: + global hidden_flag + with open("flag.txt","r") as f: + hidden_flag = f.read() + +except Exception: + hidden_flag = "REDACTED" + print("Welcome to the prison's mail center") msg = input("Please enter your message: ") -print("Your message is: "+sanitize()) \ No newline at end of file +print("Your message is:",end=' ') +print(sanitize()) \ No newline at end of file From 5c41ecc4425fe0fa73b7031c67729494fd3e4bc7 Mon Sep 17 00:00:00 2001 From: mud-ali Date: Fri, 25 Aug 2023 17:30:58 +0000 Subject: [PATCH 7/7] deploy stuff --- jailbreak/Dockerfile | 27 +++++++++++++++++++++++++++ jailbreak/chall.yaml | 9 +++++++-- jailbreak/flag.txt | 1 + 3 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 jailbreak/Dockerfile create mode 100644 jailbreak/flag.txt diff --git a/jailbreak/Dockerfile b/jailbreak/Dockerfile new file mode 100644 index 0000000..5c3e610 --- /dev/null +++ b/jailbreak/Dockerfile 
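Review bot: The new loader in jailbreak/main.py (PATCH 6/7) falls back to `hidden_flag = "REDACTED"` on any `Exception`, so a deployment where flag.txt is unreadable starts normally and serves the placeholder with no sign that anything is wrong. Narrowing the handler to `except FileNotFoundError:` keeps the fallback for someone running the handout locally while letting permission and decoding errors surface. `global hidden_flag` has no effect at module level and can be dropped, and `hidden_flag = f.read().strip()` avoids carrying a trailing newline from the file into the value.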
@@ -0,0 +1,27 @@ +FROM --platform=linux/amd64 ubuntu@sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9 AS build + +RUN apt-get update -y && apt-get install -y gcc && apt-get install -y wget && apt-get install -y unzip && rm -rf /var/lib/apt/lists/* + +RUN wget -Oynetd.c https://raw.githubusercontent.com/johnsonjh/ynetd/master/ynetd.c \ + && gcc -o ynetd ynetd.c \ + && rm -f /tmp/ynetd.zip + + +FROM --platform=linux/amd64 python:3.8-slim-buster AS deployer + +RUN useradd -m -d /home/ctf -u 12345 ctf +WORKDIR /home/ctf + +# copy over ynetd +COPY --from=build ynetd ynetd +RUN chmod +x ynetd + +# copy over source and set permissions +COPY . . +RUN chown -R root:root /home/ctf + + +# run and expose +USER ctf +EXPOSE 9999 +CMD ["./ynetd", "-p", "9999", "python3 main.py"] \ No newline at end of file diff --git a/jailbreak/chall.yaml b/jailbreak/chall.yaml index 49ff7ed..cbc6a65 100644 --- a/jailbreak/chall.yaml +++ b/jailbreak/chall.yaml @@ -2,13 +2,18 @@ name: JailBreak categories: - misc value: 75 -flag: camp{PYth0n_M4steR_M2!f45} +flag: + file: ./flag.txt description: |- After a recent prison escape due to hidden messages in letters, the facility has tightened security. Can you find a way around these new measures? hints: - - How can you access variables in python? + - How can you gain access to all global variables in python? files: - src: ./main.py authors: - Jack Crowley visible: true +deploy: + nc: + build: . + expose: 3000/tcp \ No newline at end of file diff --git a/jailbreak/flag.txt b/jailbreak/flag.txt new file mode 100644 index 0000000..54a3304 --- /dev/null +++ b/jailbreak/flag.txt @@ -0,0 +1 @@ +camp{PYth0n_M4steR_M2!f45} \ No newline at end of file
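Review bot: The build stage downloads `ynetd.c` from the `master` branch of a third-party repository and compiles it with no integrity check, so the listener that fronts the service can change between builds even though the base image in the `FROM` line above is pinned by digest. Pin the URL to a commit and verify a checksum before `gcc`; the trailing `rm -f /tmp/ynetd.zip` removes a file this stage never creates, and `unzip` is installed but unused. In the deployer stage `COPY . .` pulls the whole challenge directory into the image (solve.md, chall.yaml and the Dockerfile sit next to main.py in this series), readable by the service user; copying only `main.py` and `flag.txt` keeps the image to what the service needs. The `python:3.8-slim-buster` tag is also mutable, unlike the digest-pinned build stage.

```dockerfile
# … unchanged: build-stage FROM and apt-get install …
RUN wget -O ynetd.c https://raw.githubusercontent.com/johnsonjh/ynetd/<PINNED_COMMIT_SHA>/ynetd.c \
    && echo "<EXPECTED_SHA256>  ynetd.c" | sha256sum -c - \
    && gcc -o ynetd ynetd.c
# … unchanged: deployer FROM, useradd, WORKDIR, ynetd copy …
COPY main.py flag.txt ./
# … unchanged: chown, USER, EXPOSE, CMD …
```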
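Review bot: `expose: 3000/tcp` in the new `deploy` block of jailbreak/chall.yaml does not match the Dockerfile added in the same commit, which starts ynetd with `-p 9999` and declares `EXPOSE 9999`. Unless the deployment tooling remaps ports on its own, connections to 3000 would find nothing listening; `expose: 9999/tcp` would line the two up. With `flag:` now pointing at `./flag.txt` the flag has a single source, but the same value is still present as a literal in earlier revisions of chall.yaml and deploy.py in this series.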