2022-07-30: Treebox - Python AST sandbox challenge from Google CTF 2022

A screenshot of the Google CTF website with the challenge Treebox visible. The challenge is worth 50 points and has the following description: I think I finally got Python sandboxing right.

While writing an article on how "Hello World" actually works in Python (written with j00ru and Adam Sawicki, and published in the 100th issue of the Polish Programista magazine; we'll publish the English translation on our blogs around September/October 2022) I played a bit with Python's ast module (as in Abstract Syntax Tree) and decided it would make a cool CTF challenge if I added some restrictions at the AST level and had folks try to bypass them.

This wasn't, of course, the first CTF challenge built around the AST, though I only thought to check after I had already implemented it. Thankfully the other challenges use different restrictions, so there were no collisions. Here are some of them though (leave a comment in case I've missed some):

Eventually the challenge was published at Google CTF 2022 in the Sandbox category under the name Treebox and was solved 268 times, making it the easiest (or most popular? ;>) challenge of the CTF.

Screenshot of the console. The first line contains the command line to connect to the challenge: nc -v treebox.2022.ctfcompetition.com 1337. Then the connection is shown to be established and the challenge asks for the player's code, followed by a delimiter in the form of two dashes and the word END in all caps. The example code entered is: print('Your code goes here') followed by the delimiter. The last line contains an error: Banned statement ast Call.

The challenge is likely still online when you're reading this blog post (if it's not, let me know) and you need only netcat to enjoy it. Just follow the link above, download the source code and have fun!

There are only three AST-level restrictions in Treebox:

  • you can't call a function,
  • you can't use import,
  • and you can't use import from.
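To show what an AST-level filter of this shape looks like in practice, here is an added example (my own constructed code, not the challenge's source; the exact node types and the message format are assumptions modelled on the three restrictions above and the "Banned statement ast Call" error in the screenshot). It parses the submitted source with the ast module, walks every node, rejects the three banned node types, and only then compiles and executes the code in a fresh namespace:

```python
import ast

# Assumed denylist mirroring the post's three restrictions:
# function calls, `import ...`, and `from ... import ...`.
BANNED_NODES = (ast.Call, ast.Import, ast.ImportFrom)


class SandboxError(Exception):
    """Raised when the submitted source contains a banned AST node."""


def find_banned_nodes(source: str) -> list[str]:
    """Parse `source` and return one message per banned node, ordered by position.

    The message format copies the challenge's visible error ("Banned statement
    ast Call") and appends the line number for the reader's convenience.
    """
    tree = ast.parse(source)
    hits = [node for node in ast.walk(tree) if isinstance(node, BANNED_NODES)]
    hits.sort(key=lambda node: (node.lineno, node.col_offset))
    return [
        f"Banned statement ast {type(node).__name__} (line {node.lineno})"
        for node in hits
    ]


def run_sandboxed(source: str) -> dict:
    """Reject code containing banned nodes; otherwise execute it.

    Returns the resulting namespace (minus __builtins__) so a caller can
    inspect what the code produced. This is a constructed illustration of
    the filter-then-exec pattern, not the challenge's own runner.
    """
    findings = find_banned_nodes(source)
    if findings:
        # Report the first offending node, as the challenge does.
        raise SandboxError(findings[0])
    namespace: dict = {}
    exec(compile(source, "<sandbox>", "exec"), namespace)
    namespace.pop("__builtins__", None)
    return namespace


if __name__ == "__main__":
    # Constructed sample inputs: the screenshot's example, the two import forms,
    # and a plain assignment that contains none of the banned nodes.
    for snippet in [
        "print('Your code goes here')",
        "import os",
        "from os import system",
        "x = 40 + 2",
    ]:
        print(repr(snippet), "->", find_banned_nodes(snippet) or "allowed")
```

The point worth noticing from a defender's perspective is that this is a denylist over syntax: the checker inspects node types, not what the code does at run time. That is exactly why the post's solutions are interesting enough to be kept in a separate spoiler note.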

What was wonderful about the way players solved it was that every solution was unique in some way. There were of course clusters of solutions converging around this or that feature, but at the end of the day the solutions were pretty different.

Since the solutions contain spoilers, I've posted them in a separate note in case readers would like to try their luck first.

Warning SPOILERS: Treebox solutions (it's at the bottom of this set of notes)

Whether you try the challenge first or not, if you enjoy Python I greatly recommend looking at the solutions. They are extremely clever in some cases, and fun in every case.

Have fun!


2022-05-28: Mega Sekurak Hacking Party - June 2022

Something tells me I need to post to the blog a bit more often. The previous post was about the December Mega Sekurak Hacking Party 2021, and this one is about... the June Mega Sekurak Hacking Party 2022. Regular readers of my blog probably recognize this event organized by Sekurak/Securitum - it's a one-day event with a series of talks from various areas of hacking. This time, as last time, it's an online event.

When/where: 13 June 2022, online
More information: https://hackingparty.pl/
Ticket shop: https://sklep.securitum.pl/mshp-edycja-zdalna-czerwiec-2022
Ticket price: ~370 PLN (there is also a VIP option for ~2300 PLN)
To make it cheaper: mshp-gyn-30 (30% discount)

Have Fun!


EN Security papers and research notes

Some conference slides are linked at the bottom of this page.

EN Selected vulnerabilities

The full list of vulnerabilities discovered by me (including collaborative work) can be found here (please note that the list might be out of date).

The Google Application Security / Research site might also contain some of my findings.

EN Coding (selected posts)
EN Tools and libraries
  • PiXieServ is a simplified PXE (network boot) server for Windows and Linux-based OSes, created for testing very small home-made OSes. See also the post about it.
  • ExcpHook, a system-wide exception monitor for Windows XP 32-bit. Useful if you're fuzzing something that doesn't like having a debugger attached.
  • Ent is an entropy measuring tool for reverse engineering reconnaissance (see also a post explaining how to use it).
  • HiperDrop is a simple command line process memory dumper for Windows, with a few different work modes.
  • asmloader - this little app executes headerless machine code (compiled assembly code). It's meant to be an aid in learning/teaching and playing with assembly, as well as the right tool when you just need to execute some machine code.
  • NetSock is a simple socket/networking lib/wrapper for C++ I wrote back in 2003 and update from time to time - I use it for most of my network-enabled projects.
PL Video tutorials and podcasts

In my free time I run live videocasts about programming, reverse engineering and hacking/security:

Livestream | YouTube channel | Archive of older episodes

Latest episode: Gynvael's Livestream #75: Implementing an FTP server

Additionally: ReverseCraft - an older podcast series about reverse engineering and assembly.

PL Educational (selected posts)

For programmers:

Security / hacking:

  • Hacking - how to learn security/hacking and sleep soundly.

Additionally, a few thoughts on finding your way on the IT job market:

PL Programming (selected posts)

← a few more posts are on the English-language side.

PL Gamedev and GFX (selected posts)

Procedurally generated graphics:

【 design & art by Xa / Gynvael Coldwind 】 【 logo font (birdman regular) by utopiafonts / Dale Harris 】