|
| 1 | +--- |
| 2 | +title: "UIUCTF 2024 (feat. CygnusX)" |
| 3 | +layout: post |
| 4 | +date: 2024-7-1 23:25 |
| 5 | +tag: |
| 6 | +- CTF |
| 7 | +- b01lers |
| 8 | +star: false |
| 9 | +category: blog |
| 10 | +author: B01lers Team |
| 11 | +description: Writeup from UIUCTF 2024 featuring the one and only CygnusX!! |
| 12 | +--- |
| 13 | +## Astea UIUCTF2024 |
| 14 | +470 points - 52 solves |
| 15 | + |
| 16 | +**Author**: Cameron |
| 17 | + |
| 18 | +### Challenge Description: |
| 19 | + |
| 20 | + |
| 21 | +`I heard you can get sent to jail for refusing a cup of tea in England.` |
| 22 | + |
| 23 | +The challenge source is provided below: |
| 24 | +```python |
| 25 | +import ast |
| 26 | + |
| 27 | +def safe_import(): |
| 28 | + print("Why do you need imports to make tea?") |
| 29 | + |
| 30 | +def safe_call(): |
| 31 | + print("Why do you need function calls to make tea?") |
| 32 | + |
| 33 | +class CoolDownTea(ast.NodeTransformer): |
| 34 | + def visit_Call(self, node: ast.Call) -> ast.AST: |
| 35 | + return ast.Call(func=ast.Name(id='safe_call', ctx=ast.Load()), args=[], keywords=[]) |
| 36 | + |
| 37 | + def visit_Import(self, node: ast.AST) -> ast.AST: |
| 38 | + return ast.Expr(value=ast.Call(func=ast.Name(id='safe_import', ctx=ast.Load()), args=[], keywords=[])) |
| 39 | + |
| 40 | + def visit_ImportFrom(self, node: ast.ImportFrom) -> ast.AST: |
| 41 | + return ast.Expr(value=ast.Call(func=ast.Name(id='safe_import', ctx=ast.Load()), args=[], keywords=[])) |
| 42 | + |
| 43 | + def visit_Assign(self, node: ast.Assign) -> ast.AST: |
| 44 | + return ast.Assign(targets=node.targets, value=ast.Constant(value=0)) |
| 45 | + |
| 46 | + def visit_BinOp(self, node: ast.BinOp) -> ast.AST: |
| 47 | + return ast.BinOp(left=ast.Constant(0), op=node.op, right=ast.Constant(0)) |
| 48 | + |
| 49 | +code = input('Nothing is quite like a cup of tea in the morning: ').splitlines()[0] |
| 50 | +cup = ast.parse(code) |
| 51 | +cup = CoolDownTea().visit(cup) |
| 52 | +ast.fix_missing_locations(cup) |
| 53 | + |
| 54 | + |
| 55 | +exec(compile(cup, '', 'exec'), {'__builtins__': {}}, {'safe_import': safe_import, 'safe_call': safe_call}) |
| 56 | +``` |
| 57 | + |
| 58 | +### Approach |
| 59 | + |
| 60 | +After some quick analysis of the code, we realize that the program takes in one line of python code, parses it into an abstract syntax tree, and checks if we have any import nodes, function call nodes, assignment nodes, or binary operation nodes. If we have function call nodes, the call is replaced with a no argument call to the `safe_call` function. If we have imports the same is done to the `safe_import` function. |
| 61 | + |
| 62 | +An assignment node is something like `x = 5` and a binary operation would be something like `x << 5`, in the assignment case, the right side is replaced with a zero. And in the binop case both sides are set to zero. |
| 63 | + |
| 64 | +After these checks, our code is run under `exec` with an empty set of builtins and the `safe_import` and `safe_call` functions defined. |
| 65 | + |
| 66 | +My first step in most pyjails is to recreate the deleted builtins module. This is easily done with `safe_import.__builtins__` or `safe_call.__builtins__`. |
| 67 | + |
| 68 | +Now the next issue is figuring out a way to call a function, as whatever function we call, gets replaced with a call to the `safe_import` function with no arguments. |
| 69 | + |
| 70 | +My next idea was to use the `safe_call` function against the challenge. If we can find some way to modify the `safe_call` function to be some kind of builtin, we can now call functions by simply redefining `safe_call`. |
| 71 | + |
| 72 | +Lets try an example of this below: |
| 73 | +```python |
| 74 | +safe_call=safe_call.__builtins__['print'];a() |
| 75 | +``` |
| 76 | + |
| 77 | +The function call `a()` gets replaced with a call to `safe_call` which is now the `print` function. This is a good start, but we still have an issue of not being able to set parameters to the funciton, and also we cannot actually use assignment nodes to set variables. |
| 78 | + |
| 79 | +After some research, I stumbled upon [this](https://docs.python.org/3/library/ast.html#abstract-grammar), and we can see there are actually two other assignment nodes, `AugAssign` and `AnnAssign`. The `AugAssign` node is an augmented assignment, like `x += 5`, and the `AnnAssign` node is an annotated assignment, like `x: int = 5`. |
| 80 | + |
| 81 | +The `AugAssign` node is perfect for our use case, as we can set the annotation to whatever we want. |
| 82 | + |
| 83 | +Our new updated payload that works on remote looks like this: |
| 84 | + |
| 85 | +```python |
| 86 | +safe_call:0=safe_call.__builtins__['print'];a() |
| 87 | +``` |
| 88 | + |
| 89 | +Python doesnt care what your annotation is, so for payload shortness I just put 0. |
| 90 | + |
| 91 | +Ok, now I just have to read `flag.txt` using only functions that take no parameters. |
| 92 | + |
| 93 | +I had made a python challenge in the past that involved reading from a file using the `license()` function in python. This works perfectly here, because `license()` takes no parameters. |
| 94 | + |
| 95 | +Typically this function prints out the python license, but it actually reads the license from a predefined file. If I just change what file `license()` reads from to `flag.txt`, I can read the flag. |
| 96 | + |
| 97 | +The license function has an attribute `_Printer__filenames` which is a list of files that it can read from. I can just change this list to `['flag.txt']` and then call `license()` to read the flag. |
| 98 | + |
| 99 | +The final payload looks like this: |
| 100 | +```python |
| 101 | +safe_call:0=safe_import.__builtins__['license'];safe_call._Printer__filenames:0=['flag.txt'];a() |
| 102 | +``` |
| 103 | + |
| 104 | +uiuctf{maybe_we_shouldnt_sandbox_python_2691d6c1} |
0 commit comments