helpを呼び出したら、ページャーとして猫が来ました。
ncで繋ぐと以下のような表示がされた
_ _ _ _ _ _ _ _ _ _
| |__ (_) |_ ___| |__ | |__ (_) | _____| || | | |__
| '_ \| | __/ __| '_ \| '_ \| | |/ / _ \ || |_| '_ \
| | | | | || (__| | | | | | | | < __/__ _| |_) |
|_| |_|_|\__\___|_| |_|_| |_|_|_|\_\___| |_| |_.__/
----------------------------------------------------------------------------------------------------
# Source Code
import os
os.environ["PAGER"] = "cat" # No hitchhike(SECCON 2021)
if __name__ == "__main__":
flag1 = "********************FLAG_PART_1********************"
help() # I need somebody ...
if __name__ != "__main__":
flag2 = "********************FLAG_PART_2********************"
help() # Not just anybody ...
----------------------------------------------------------------------------------------------------
Welcome to Python 3.10's help utility!
If this is your first time using Python, you should definitely check out
the tutorial on the internet at https://docs.python.org/3.10/tutorial/.
Enter the name of any module, keyword, or topic to get help on writing
Python programs and using Python modules. To quit this help utility and
return to the interpreter, just type "quit".
To get a list of available modules, keywords, symbols, or topics, type
"modules", "keywords", "symbols", or "topics". Each module also comes
with a one-line summary of what it does; to list the modules whose name
or summary contain a given string such as "spam", type "modules spam".
help>自身をhelpに叩き込むことが出来ればフラグを得ることが出来そうに見えた。
なので__main__を入れたらフラグの前半が得られた。
help> __main__
Help on module __main__:
NAME
__main__
DATA
__annotations__ = {}
flag1 = 'ctf4b{53cc0n_15_1n_m'
FILE
/home/ctf/hitchhike4b/app_35f13ca33b0cc8c9e7d723b78627d39aceeac1fc.pyまた例に書いてある中でmodulesがかっこよかったので入れた
help> modules
Please wait a moment while I gather a list of all available modules...
__future__ _testmultiphase getpass sched
_abc _thread gettext secrets
_aix_support _threading_local glob select
_ast _tkinter graphlib selectors
_asyncio _tracemalloc grp setuptools
_bisect _uuid gzip shelve
_blake2 _warnings hashlib shlex
_bootsubprocess _weakref heapq shutil
_bz2 _weakrefset hmac signal
_codecs _xxsubinterpreters html site
_codecs_cn _xxtestfuzz http smtpd
_codecs_hk _zoneinfo idlelib smtplib
_codecs_iso2022 abc imaplib sndhdr
_codecs_jp aifc imghdr socket
_codecs_kr antigravity imp socketserver
_codecs_tw app_35f13ca33b0cc8c9e7d723b78627d39aceeac1fc importlib spwd
_collections argparse inspect sqlite3
_collections_abc array io sre_compile
_compat_pickle ast ipaddress sre_constants
_compression asynchat itertools sre_parse
_contextvars asyncio json ssl
_crypt asyncore keyword stat
_csv atexit lib2to3 statistics
_ctypes audioop linecache string
_ctypes_test base64 locale stringprep
_curses bdb logging struct
_curses_panel binascii lzma subprocess
_datetime binhex mailbox sunau
_dbm bisect mailcap symtable
_decimal builtins marshal sys
_distutils_hack bz2 math sysconfig
_elementtree cProfile mimetypes syslog
_functools calendar mmap tabnanny
_gdbm cgi modulefinder tarfile
_hashlib cgitb multiprocessing telnetlib
_heapq chunk netrc tempfile
_imp cmath nis termios
_io cmd nntplib textwrap
_json code ntpath this
_locale codecs nturl2path threading
_lsprof codeop numbers time
_lzma collections opcode timeit
_markupbase colorsys operator tkinter
_md5 compileall optparse token
_multibytecodec concurrent os tokenize
_multiprocessing configparser ossaudiodev trace
_opcode contextlib pathlib traceback
_operator contextvars pdb tracemalloc
_osx_support copy pickle tty
_pickle copyreg pickletools turtle
_posixshmem crypt pip turtledemo
_posixsubprocess csv pipes types
_py_abc ctypes pkg_resources typing
_pydecimal curses pkgutil unicodedata
_pyio dataclasses platform unittest
_queue datetime plistlib urllib
_random dbm poplib uu
_sha1 decimal posix uuid
_sha256 difflib posixpath venv
_sha3 dis pprint warnings
_sha512 distutils profile wave
_signal doctest pstats weakref
_sitebuiltins email pty webbrowser
_socket encodings pwd wheel
_sqlite3 ensurepip py_compile wsgiref
_sre enum pyclbr xdrlib
_ssl errno pydoc xml
_stat faulthandler pydoc_data xmlrpc
_statistics fcntl pyexpat xxlimited
_string filecmp queue xxlimited_35
_strptime fileinput quopri xxsubtype
_struct fnmatch random zipapp
_symtable fractions re zipfile
_sysconfigdata__linux_x86_64-linux-gnu ftplib readline zipimport
_testbuffer functools reprlib zlib
_testcapi gc resource zoneinfo
_testimportmultiple genericpath rlcompleter
_testinternalcapi getopt runpy
Enter any module name to get more help. Or, type "modules spam" to search
for modules whose name or summary contain the string "spam".そしてこの中のapp_35f13ca33b0cc8c9e7d723b78627d39aceeac1fcがかっこいいと思ったので、それを入れたら再び同じソフトが起動してしまった。
なのでquitしたらなんかもうひとつフラグが出た。
help> app_35f13ca33b0cc8c9e7d723b78627d39aceeac1fc
_ _ _ _ _ _ _ _ _ _
| |__ (_) |_ ___| |__ | |__ (_) | _____| || | | |__
| '_ \| | __/ __| '_ \| '_ \| | |/ / _ \ || |_| '_ \
| | | | | || (__| | | | | | | | < __/__ _| |_) |
|_| |_|_|\__\___|_| |_|_| |_|_|_|\_\___| |_| |_.__/
----------------------------------------------------------------------------------------------------
# Source Code
import os
os.environ["PAGER"] = "cat" # No hitchhike(SECCON 2021)
if __name__ == "__main__":
flag1 = "********************FLAG_PART_1********************"
help() # I need somebody ...
if __name__ != "__main__":
flag2 = "********************FLAG_PART_2********************"
help() # Not just anybody ...
----------------------------------------------------------------------------------------------------
Welcome to Python 3.10's help utility!
If this is your first time using Python, you should definitely check out
the tutorial on the internet at https://docs.python.org/3.10/tutorial/.
Enter the name of any module, keyword, or topic to get help on writing
Python programs and using Python modules. To quit this help utility and
return to the interpreter, just type "quit".
To get a list of available modules, keywords, symbols, or topics, type
"modules", "keywords", "symbols", or "topics". Each module also comes
with a one-line summary of what it does; to list the modules whose name
or summary contain a given string such as "spam", type "modules spam".
help> quit
You are now leaving help and returning to the Python interpreter.
If you want to ask for help on a particular object directly from the
interpreter, you can type "help(object)". Executing "help('string')"
has the same effect as typing a particular string at the help> prompt.
Help on module app_35f13ca33b0cc8c9e7d723b78627d39aceeac1fc:
NAME
app_35f13ca33b0cc8c9e7d723b78627d39aceeac1fc
DATA
flag2 = 'y_34r5_4nd_1n_my_3y35}'
FILE
/home/ctf/hitchhike4b/app_35f13ca33b0cc8c9e7d723b78627d39aceeac1fc.py
help>ctf4b{53cc0n_15_1n_my_34r5_4nd_1n_my_3y35}
なんかガチャガチャしてたら解けました。