Censorship

Understanding the code

The code for the challenge is below. Note that I have added some comments to help.

#!/usr/local/bin/python
flag = 'flag' # set by me locally

for _ in [flag]:
    while True:
        try:
            code = ascii(input("Give code: ")) # Make sure it's ascii, if not, convert to unicode. Also adds '\\'
            if "flag" in code or "e" in code or "t" in code or "\\" in code: # blacklist, '\\' so that we cannot use unicode characters 
                raise ValueError("invalid input")
            exec(eval(code)) # Execute
        except Exception as err:
            print(err) # Print error

Blacklist

This was the first pyjail out of the three pyjail series. I was surprised how blacklisting two characters can make it hard to solve. We can’t use exec, eval, breakpoint,import,__builtins__! I tried for a long time, and I discovered that we can use lambdaand that lambda is a very helpful function. We can also use ascii, which is what makes us not being able to use unicode characters.

Making a payload

Well, we can define functions using lambda, we can have ascii in our input and ascii is a function. So what are we waiting for? Let’s overwrite that ascii function! so lets start with ascii = lambda. How many arguments are given to the ascii function? 1. What if we return the argument itself? Then that means the ascii function does nothing!

Payload

Our payload is now ascii = lambda arg:arg. But that doesn’t give us the flag. But lets us use unicode characters in python. so we can do a simple 𝕡𝕣𝕚𝕟𝕥(𝕗𝕝𝕒𝕘). So first we send payload one, which is ascii = lambda arg:arg, then we send our second payload, 𝕡𝕣𝕚𝕟𝕥(𝕗𝕝𝕒𝕘).

Flag - amateursCTF{i_l0v3_overwr1t1nG_functions..:D}

Conclusion

By reading the flag, I think I had the intended solution. This was an amazing challenge and I really loved it! I could’nt solve the other two pyjails, but they were intresting too!