Feb. 7, 2021
I wrote a pyjail for DiceCTF this weekend that I was pretty proud of. 7 teams (out of over 1,000) solved it, all using unintended but very cool solutions. I’ll go over my approach, and briefly describe the others when relevant.
nc dicec.tf 31337
A custom version of CPython is compiled with some randomized secrets passed to the C preprocessor after applying a patch.
Jun. 26, 2019
I recently found a rather interesting, non-traditional XSS vulnerability in repl.it. I was inspired to try this after reading a writeup for Pastetastic from Google CTF 2019, which showed off some really cool cross-origin stuff with iframes.
In case you’re not familiar with repl.it, it’s basically an online IDE with tons of features, including website hosting. Each program you make runs in its own environment called a “repl” (it’s a lot more than just a read-eval-print loop).
While messing around with how different features worked, I discovered that repls for static sites (HTML, CSS, JS) were previewed in a few nested iframes. Specifically, the site preview consisted of an iframe of https://replbox.repl.it/public/secure/, which contained a blank iframe manipulated by its parent, which was modified to contain an iframe pointing to the URL where the static files are hosted:
Jun. 24, 2019
I played Google CTF as a part of the team pearl this past weekend. We did okay, placing 50th (obviously not a high school CTF). I solved one web challenge that I really liked — gLotto.
22 solves, 288 points
Are you lucky?
The link goes to a “lottery” website, with tables of past winning tickets and an option to check your ticket. At the bottom of the page, there is a link to show the source.
Apr. 24, 2019
This was my second year organizing ångstromCTF. Compared to last year, I wrote a lot more challenges and did a lot more work on the platform. Despite some site stability issues, we still ended up with over 1,300 scoring teams. Here are the challenges I wrote (this is going to be a long post):
- Aquarium, 50 points
- Pie Shop, 100 points
- Returns, 160 points
- Server, 180 points
- Weeb Hunting, 180 points
- TI-1337, 250 points
- Bugger, 200 points
- Control You, 20 points
- DOM Validator, 130 points
- NaaS, 140 points
- GiantURL, 190 points
Aug. 12, 2018
I played TJCTF as part of the team pearl, and we solved every challenge, placing second overall. The Abyss was a Python jail challenge worth 160 points — since I really enjoy this type of challenge, I figured it was worth writing up.
You are able to netcat to a server where you get a Python prompt that execs whatever you enter. However, what you can run is heavily filtered and dangerous functions are filtered from builtins.
The biggest restriction is nothing with __, which prevents most Python jail escapes from working. The solution involves creating a code object, and using that to create a function object that you can run to get the flag.
Mar. 22, 2018
I helped organize ångstromCTF this past week, and it was a huge success with over 1,500 scoring teams. Here are the challenges I wrote:
- Sequel, 50 points
- Weird Message, 100 points
- File Storer, 160 points
- The Best Website, 230 points
- ssh, 150 points (co-wrote with defund, check his writeup repository)
Feb. 5, 2018
I ran TPCTF with a couple friends back in 2017, when I was in middle school. The challenges were pretty bad, but somehow we managed to get 500 teams to play. If you’re interested, you can view the archived website, challenges, and community-created writeups.