Dec 16: Try to escape …
… from the snake cage
Challenge
Santa programmed a secure jail to give his elves access from remote. Sadly the jail is not as secure as expected.
nc challenges.hackvent.hacking-lab.com 1034
Solution
$ nc challenges.hackvent.hacking-lab.com 1034
_____
.-'` '.
__/ __ \\
/ \ / \ | ___
| /`\| /`\| | .-' /^\/^\\
| \(/| \(/| |/ |) |)|
.-\__/ \__/ | \_/\_/__..._
_...---'-. / _ '.
/, , \ '| `\ \\
| )) )) /`| \ `. /) /) |
| ` ` .' | `-._ /
\ .' | ,_ `--....-'
`. __.' , | / /`'''`
`'-.____.-' / /, | / /
`. `-.-` .' \ / / |
`-.__.'| \ | | |-.
_.._| | / | | `'.
.-''`` | | | / | `-.
.'` / / / | | '.
/` / / | / |\ \\
/ | | | | /\ |
|| | / | / '. |
|\ \ | / | '. /
\ `. '. / | \ '---'/
\ '. `-./ \ '. /
'. `'. `-._ '.__ '-._____.'--'''''--.
'-. `'--._ `.__ `';----` \\
`-. `-. `."'``` ;
`'-..,_ `-. `'-. /
'. '. '. .'
Challenge by pyth0n33. Have fun!
The flag is stored super secure in the function SANTA!
>>> a =
Looks like a Python jail. We poke around a bit:
>>> a = SANTA()
name 'santa' is not defined
>>> a = 2
>>> a = print(a)
2
>>> a = 1
Denied
>>> a = eval('2+2')
>>> print(a)
4
>>> a = 'b'
Denied
>>> a = 'a'
>>> a =
... seems like certain characters are forbidden.
possibly useful link
We try inputting all printables to see which are allowed and which aren’t:
allowed:
['0', '1', '2', '3', '7', '9', 'a', 'c', 'd', 'e', 'i', 'l', 'n', 'o', 'p', 'r',
's', 't', 'v', 'A', 'C', 'D', 'E', 'I', 'L', 'N', 'O', 'P', 'R', 'S', 'T', 'V',
'_','"', "'", '(', ')', '+', '.', '[', ']', '\n', '\r']
disallowed:
['4', '5', '6', '8', 'b', 'f', 'g', 'h', 'j', 'k', 'm', 'q', 'u', 'w', 'x', 'y',
'z', 'B', 'F', 'G', 'H', 'J', 'K', 'M', 'Q', 'U', 'W', 'X', 'Y', 'Z', '!', '#',
'$', '%', '&', '*', ',', '-', '/', ':', ';', '<', '=', '>', '?', '@', '\\', '^',
'`', '{', '|', '}', '~', ' ', '\t', '\x0b', '\x0c']
functions we can use:
eval()
all()
repr()
print()
disallowed:
['abs', 'any', 'apply', 'basestring', 'bin', 'bool', 'buffer', 'bytearray', 'bytes', 'callable', 'chr',
'classmethod', 'cmp', 'compile', 'complex', 'copyright', 'divmod', 'enumerate', 'execfile', 'exit',
'file', 'filter', 'float', 'format', 'frozenset', 'getattr', 'globals', 'hasattr', 'hash', 'help',
'hex', 'input', 'issubclass', 'long', 'map', 'max', 'memoryview', 'min', 'next', 'object', 'open',
'pow', 'property', 'quit', 'range', 'raw_input', 'reduce', 'round', 'staticmethod', 'sum', 'super',
'tuple', 'type', 'unichr', 'unicode', 'xrange', 'zip']
undefined:
['coerce', 'credits', 'delattr', 'dict', 'dir', 'id', 'int', 'intern', 'isinstance', 'iter', 'len',
'license', 'list', 'locals', 'oct', 'ord', 'reload', 'reversed', 'set', 'setattr', 'slice', 'sorted',
'str', 'vars']
other:
['all', 'eval', 'print', 'repr']
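An offline cross-check of the lists above, added here as an example (not part of the original write-up or the challenge code): it tests whether the allowed alphabet alone explains every probe result. It assumes "disallowed" means the jail answered Denied; the function names are ours.

```python
# Added example: cross-check the write-up's probe results against its alphabet.
# All data below is copied from the lists on this page; function names are ours.
ALLOWED_CHARS = set("012379acdeilnoprstvACDEILNOPRSTV_\"'()+.[]\n\r")

DENIED = """abs any apply basestring bin bool buffer bytearray bytes callable chr
classmethod cmp compile complex copyright divmod enumerate execfile exit file
filter float format frozenset getattr globals hasattr hash help hex input
issubclass long map max memoryview min next object open pow property quit range
raw_input reduce round staticmethod sum super tuple type unichr unicode xrange
zip""".split()

UNDEFINED = """coerce credits delattr dict dir id int intern isinstance iter len
license list locals oct ord reload reversed set setattr slice sorted str
vars""".split()

USABLE = ["all", "eval", "print", "repr"]


def blocked_chars(name):
    """Characters of `name` that are outside the allowed alphabet, in order."""
    return [ch for ch in name if ch not in ALLOWED_CHARS]


def audit():
    """Compare each reported outcome with what the character filter predicts."""
    accepted = UNDEFINED + USABLE
    return {
        # Denied names and the characters that explain the denial.
        "explained": {n: blocked_chars(n) for n in DENIED if blocked_chars(n)},
        # Denied although every character is allowed: another rule is in play.
        "denied_but_spellable": [n for n in DENIED if not blocked_chars(n)],
        # Passed the filter although a character is forbidden: data is inconsistent.
        "accepted_but_unspellable": [n for n in accepted if blocked_chars(n)],
        # Names that reach the interpreter at all (defined there or not).
        "reaches_interpreter": sorted(accepted),
    }


if __name__ == "__main__":
    result = audit()
    for name, chars in sorted(result["explained"].items()):
        print(f"{name:13} blocked by {''.join(sorted(set(chars)))}")
    print("denied but spellable:    ", result["denied_but_spellable"])
    print("accepted but unspellable:", result["accepted_but_unspellable"])
    print("reaches interpreter:     ", result["reaches_interpreter"])
```

On the page's data the only name in denied_but_spellable is open, so the Denied reply for it does not come from the character filter alone.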
Flag