kmh's blog

Tag: pyjail


TI-1337 Plus CE: Abusing CPython internals

Feb. 7, 2021

I wrote a pyjail for DiceCTF this weekend that I was pretty proud of. 7 teams (out of over 1,000) solved it, all using unintended but very cool solutions. I’ll go over my approach, and briefly describe the others when relevant.

Initial analysis

Texas Instruments just released the latest iteration of their best-selling TI-1337 series: the TI-1337 Plus Color Edition!

nc dicec.tf 31337

ti1337plusce.tar.gz

After a patch is applied, a custom version of CPython is compiled with some randomized secrets passed to the C preprocessor.



ångstromCTF 2019

Apr. 24, 2019

This was my second year organizing ångstromCTF. Compared to last year, I wrote a lot more challenges and did a lot more work on the platform. Despite some site stability issues, we still ended up with over 1,300 scoring teams. Here are the challenges I wrote (this is going to be a long post):



TJCTF 2018

Aug. 12, 2018

I played TJCTF as part of the team pearl, and we solved every challenge, placing second overall. The Abyss was a Python jail challenge worth 160 points — since I really enjoy this type of challenge, I figured it was worth writing up.

The Abyss

You can netcat to a server that gives you a Python prompt, which execs whatever you enter. However, what you can run is heavily filtered, and dangerous functions are removed from builtins.

The biggest restriction is that nothing containing `__` is allowed, which prevents most Python jail escapes from working. The solution involves creating a code object, and using that to create a function object that you can run to get the flag.
