Pplc. the dump outlet furniture store, buy cc non vbv

Hi, I’m David and my work as a Security Research Engineer at Synack focused primarily on automating vulnerability analysis of iOS applications, fuzzing, and reverse engineering IoT devices. I’ve spoken at a variety of security conferences around the country to present original research and I also like to create and play security games in my free time…Enjoy!
 
Yet another PLC challenge as last year’s?
private: nc ppc1.chal.ctf.westerns.tokyo 10000
local: nc ppc1.chal.ctf.westerns.tokyo 10001
comment: nc ppc1.chal.ctf.westerns.tokyo 10002
restricted_python.7z
These challenges exercised the ability to break out of 3 various restricted python eval calls, a nice primer on using built-in python functionality to bypass restrictions! I found that using ptpython was pretty useful since it has tab completion and you are able to surf your history much easier. If you are completely new to python exploitation I recommend going through the picoctf python eval challenges; I went through the ones from 2013 and was able to use what I learned there on this challenge (picoctf13 is not around anymore but you can check out writeups and follow along on your own). In particular one should know about the dir builtin function which returns an alphabetized list of names comprising (some of) the attributes of the given object, and of attributes reachable from it.
comment.py
comment_flag.py
Comment was super simple, checking the __doc__ attribute reveals the flag. Docstrings are a string literal that occurs as the first statement in a module, function, class, or method definition. Such a docstring becomes the __doc__ special attribute of that object, according to the PEP article on Docstrings .
Pointing this at the server:
local.py
Since the problem name implies the use of the locals() builtin python function I experimented based on this and through that I found the func_code object for get_flag and its constants attribute (co_consts, see this blog for a brief overview of code objects).
The only problem with solving this problem with locals() is I couldn’t seem to figure out how to keep my code under 30 characters! what I had amounted to 40 characters, so I kept trying things – could I reference get_flag directly without using locals()? In fact I could – using the same attributes, even:
Pointing this at the server:
private.py
Private forces us not to use the string ‘Private’ in our code. the first thing i noticed was that using dir we could bypass writing ‘Private’:
Ssing this and string append I found a string that would bypass the ‘Private’ restriction but it was too long:
Surfing around the attributes of Private I found __getattribute__ which is simply a method wrapper around the getattr builtin function. Getattr gets a named attribute from an object; getattr(x, ‘y’) is equivalent to x.y according to the documentation. With getattr we are able to do the same as I was trying to do before but with fewer characters!
Pointing at this server:
Apply to join the Synack Red Team. Become one of the few and fully experience our platform – it’s designed by hackers for hackers. If you’re up for the challenge, apply today , and use code “SRTBLOGS” in your application.
the dump outlet furniture store buy cc non vbv