DreamHack - [Pyramid challenge writeup]

The first direction I thought of: can I use the -c interpreter flag to somehow execute the string as Python code? But order matters, so after reading the .py file, the rest is treated as arguments.

Based on the code, we must input the name of an existing file, which is combined with the .py extension (cmd[1]). What if we can reach other .py files in the filesystem?

A default Linux path for a Python module is

/usr/lib/python3.x/module_name.py

Since the blacklist does not block the . and / characters, we can traverse to other directories.

We can read the flag location and Python version in the Dockerfile.

FROM python:3.11-slim
...
RUN echo "DH{this_is_not_real_flag}" > flag

From the Dockerfile, we know that the Python version is 3.11 and the flag file is in the /app directory.

We can test the module name with the payload below.

http://host8.dreamhack.games:14392/?../usr/lib/python3.11/os

The “No such file …” string does not appear, which means we successfully executed the module file.

The direction now is to find a module that reads its arguments and executes them as Python code. After searching for a while, I found the Python standard library module timeit.py, which measures the execution time of small code snippets.

We can use this library to craft a payload.

http://host8.dreamhack.games:14392/?../usr/lib/python3.11/timeit&import+os&os.system('cat+/app/flag')

Then we can successfully get the flag. 🚩 FLAG: DH{there_is_/lib/python3.11/timeit.py}
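From the defender's side, the traversal works because the filename is screened by a character blacklist that leaves . and / usable. The sketch below is an added example, not the challenge's code: weak_resolve, safe_resolve, the blacklist contents and the temporary directory layout are assumptions made for illustration. It contrasts that blacklist with a strict name allowlist plus a containment check on the resolved path.

```python
import os
import re
import tempfile

# Hypothetical stand-in for the weak check: a character blacklist that, as the
# writeup notes, does not block "." or "/". The blocked set itself is assumed.
BLACKLIST = set(";|`$<>\\\"")

def weak_resolve(name, base_dir):
    if any(ch in BLACKLIST for ch in name):
        return None
    path = os.path.join(base_dir, name + ".py")
    return path if os.path.isfile(path) else None

# Hardened form: allowlist the name grammar, then verify the resolved path
# still lives under the intended script directory.
SAFE_NAME = re.compile(r"[A-Za-z0-9_]+")

def safe_resolve(name, base_dir):
    if not SAFE_NAME.fullmatch(name):
        return None
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name + ".py"))
    # realpath follows symlinks, so a link inside base that points out fails here
    if os.path.commonpath([base, path]) != base:
        return None
    return path if os.path.isfile(path) else None

def demo():
    # Constructed layout: <root>/app holds the intended scripts and
    # <root>/usr/lib/python3.11 stands in for the standard library directory.
    root = tempfile.mkdtemp()
    app = os.path.join(root, "app")
    lib = os.path.join(root, "usr", "lib", "python3.11")
    os.makedirs(app)
    os.makedirs(lib)
    for p in (os.path.join(app, "hello.py"), os.path.join(lib, "timeit.py")):
        open(p, "w").close()
    os.symlink(os.path.join(lib, "timeit.py"), os.path.join(app, "link.py"))
    traversal = "../usr/lib/python3.11/timeit"  # same shape as the writeup's path
    return {
        "weak_accepts_traversal": weak_resolve(traversal, app) is not None,
        "safe_accepts_traversal": safe_resolve(traversal, app) is not None,
        "safe_accepts_symlink": safe_resolve("link", app) is not None,
        "safe_accepts_legit": safe_resolve("hello", app) is not None,
    }
```

Resolving the name is only half of the fix: a handler that forwards the remaining query parameters as script arguments should also restrict which arguments the allowed scripts accept.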

https://minhi1.github.io/minhi1-blogs/posts/dreamhack/level-4/pyramid/
Author: Minhi1
Published at: 2025-12-25
License: CC BY-NC-SA 4.0