Tags: python warmup jail
Rating:
# escaped - Beginner (50 pts)
## Description
> nya
>
> nc escaped.wolvctf.io 1337
### Provided files
`jail.py` - the Pyhon script running on the server \[[download](https://ctfnote.shinmai.wtf:31337/files/downloadFile?id=scxfFwUWyt42tUf)\]
`Dockerfile` - the Dockerfile for the container hosting the script \[[download](https://ctfnote.shinmai.wtf:31337/files/downloadFile?id=mV6tR8MaFrMs3Am)\]
## Ideas and observations
1. the script is a very simple Pyhon jail that takes user input, checks if for some syntax requirements, passes it to `eval()` inside an `ast.compile()` call that compiles an AST that prints the return value of the `eval()` and then runs the compiled result
2. the syntax checks are:
1. the input must start with a double quote
2. the input must end with a double quote
3. no character in between can be a literal double quote
3. Must break out of quotes and read `flag.txt`
## Solution
1. since any escape sequences in the input won't be evaluated until the call to `eval()` we can break out of our opening double quotes with `\x22`
2. sending an input like `" \x22+open('flag.txt').read()+\x22 "` will concatenate the contents of `flag.txt` with two whitespace characters and print the result, giving us the flag
`wctf{m30w_uwu_:3}`
