Tags: misc miscellaneous 

Navigating to the page given shows a calculator, as described.

We tried a few things at first, like causing an error:
![](https://codimd.s3.shivering-isles.com/demo/uploads/upload_37435ed3eab9da2748a3382349b0f6ff.png)

Or entering in a calculation that results in 0:
![](https://codimd.s3.shivering-isles.com/demo/uploads/upload_a1f71c50a3b977df725b2413e38a686d.png)

But after doing more research into Python's `eval()` function, which was most likely doing the calculation work here, we realised that it could probably be used to run arbitrary code (and, through it, shell commands). So we decided to use the `subprocess` module, which lets you run shell commands from Python.

```
__import__('subprocess').getoutput('ls')
```

gave us this:

```
__pycache__ main.py prestart.sh templates test.txt
```

Printing out `main.py` via

```
__import__('subprocess').getoutput('cat main.py')
```

printed out the entire `main.py` script that powers the site. A notable variable is `maybe_this_maybe_not`, whose value is the flag.

**Flag**: `DUCTF{3v4L_1s_D4ng3r0u5}`

**Further reading**: [Dangerous Python functions, like `eval()` and the `subprocess` module](https://www.kevinlondon.com/2015/07/26/dangerous-python-functions.html)

Original writeup (https://joyce.fyi/posts/ductf-2020/#addition).