Tag: pyjail
TI-1337 Plus CE: Abusing CPython internals
Feb. 7, 2021
I wrote a pyjail for DiceCTF this weekend that I was pretty proud of. 7 teams (out of over 1,000) solved it, all using unintended but very cool solutions. I’ll go over my approach, and briefly describe the others when relevant.
Initial analysis
Texas Instruments just released the latest iteration of their best-selling TI-1337 series: the TI-1337 Plus Color Edition!
nc dicec.tf 31337
A custom version of CPython is compiled with some randomized secrets passed to the C preprocessor after applying a patch.
ångstromCTF 2019
Apr. 24, 2019
This was my second year organizing ångstromCTF. Compared to last year, I wrote a lot more challenges and did a lot more work on the platform. Despite some site stability issues, we still ended up with over 1,300 scoring teams. Here are the challenges I wrote (this is going to be a long post):
- Aquarium, 50 points
- Pie Shop, 100 points
- Returns, 160 points
- Server, 180 points
- Weeb Hunting, 180 points
- TI-1337, 250 points
- Bugger, 200 points
- Control You, 20 points
- DOM Validator, 130 points
- NaaS, 140 points
- GiantURL, 190 points
TJCTF 2018
Aug. 12, 2018
I played TJCTF as part of the team pearl, and we solved every challenge, placing second overall. The Abyss was a Python jail challenge worth 160 points — since I really enjoy this type of challenge, I figured it was worth writing up.
The Abyss
You are able to netcat to a server where you get a Python prompt that execs whatever you enter. However, what you can run is heavily filtered and dangerous functions are filtered from builtins.
The biggest restriction is nothing with __, which prevents most Python jail escapes from working. The solution involves creating a code object, and using that to create a function object that you can run to get the flag.