MetaCTF 2025 CTF

 ·  ☕ 2 min read  ·  👨‍💻 g4nd1v

Description

We’re auditing some websites to check if they’re GDPR compliant, and I’m pretty sure this site isn’t…

Writeup

When we visit the website and open the browser devtools, we will see the flag in the Cookies tab.

Flag

MetaCTF{n0nc0ns3nsu4l_c00ki3_cr4ckd0wn}

better_eval()

Description

I just want to let people run python code, but they keep trying to read flag.txt. So, I made a better eval that has filters to stop this!
Download the code here and connect to the remote instance with nc kubenode.mctf.io 30019
In the event that remote instance goes down, you can also use nc host5.metaproblems.com 5110. These two are identical, this is just the backup.

Writeup

Looking at the source code, we see that the challenge passes our input to eval, but with certain filters applied first.

#!/usr/local/bin/python
def better_eval(untrusted_code):
    blocked_terms = ["flag", "+", "import", "os", "eval", "exec"]
    for term in blocked_terms:
        if term in untrusted_code:
            print(f"The term {term} is filtered!")
            return
    try:
        # Execute the user input in the restricted environment without globals or locals
        print(eval(untrusted_code))
    except Exception as e:
        print(f"Error: {e}")

while True:
    untrusted_code = input("Enter your python code> ")
    better_eval(untrusted_code)

Here are payloads we can test to bypass the Python sandbox: https://book.hacktricks.wiki/en/generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html
For example, to read the /etc/passwd file, we can use open("/etc/passwd").read()
But if we try to read flag.txt, we get an error, because flag is a blocked term.
Like flag, the terms exec, +, import and others are also blocked. So what can we do? Oh boy, there are multiple solutions.

  1. Using a format string - open("{0}{1}{2}{3}.txt".format('f','l','a','g')).read()
  2. Converting from ASCII codes - open(''.join([chr(102),chr(108),chr(97),chr(103),'.','t','x','t'])).read()
  3. Encoding/decoding, and so on…
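An added example (not part of the original writeup or the challenge code) that puts the challenge's substring blocklist beside an AST allow-list for arithmetic-only input, showing why the first fails and the second holds. The names passes_allowlist and safe_eval are hypothetical, and the sample inputs are the payloads listed above plus constructed arithmetic.

```python
import ast

# Blocklist copied from the challenge's better_eval().
BLOCKED_TERMS = ["flag", "+", "import", "os", "eval", "exec"]

def passes_blocklist(code: str) -> bool:
    """The challenge's check: substring match on the raw source text."""
    return not any(term in code for term in BLOCKED_TERMS)

# Hypothetical allow-list: only numeric literals and basic arithmetic nodes.
ALLOWED_NODES = (ast.Expression, ast.BinOp, ast.UnaryOp, ast.Constant,
                 ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod,
                 ast.UAdd, ast.USub)

def passes_allowlist(code: str) -> bool:
    """Parse first, then accept only trees built from allowed node types."""
    try:
        tree = ast.parse(code, mode="eval")
    except (SyntaxError, ValueError):
        return False
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            return False  # calls, names, attributes, subscripts: all rejected
        if isinstance(node, ast.Constant) and type(node.value) not in (int, float):
            return False  # string and bytes literals rejected too
    return True

def safe_eval(code: str):
    """Evaluate arithmetic only; anything else raises ValueError."""
    if not passes_allowlist(code):
        raise ValueError("expression not allowed")
    return eval(compile(ast.parse(code, mode="eval"), "<expr>", "eval"),
                {"__builtins__": {}}, {})

# Inputs: the payloads from this writeup plus constructed arithmetic.
SAMPLES = [
    'open("flag.txt").read()',
    'open("{0}{1}{2}{3}.txt".format(\'f\',\'l\',\'a\',\'g\')).read()',
    "open(''.join([chr(102),chr(108),chr(97),chr(103),'.','t','x','t'])).read()",
    "1 + 2",
    "2 * (3 - 1)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"blocklist={passes_blocklist(s)!s:5} allowlist={passes_allowlist(s)!s:5} {s}")
```

The blocklist rejects the harmless 1 + 2 while letting both rewritten file reads through; the allow-list does the opposite because it inspects the parsed structure instead of the spelling.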

Flag

MetaCTF{f1l73rs_d0_n0t_s3cur3_u}

Till Delete Do Us Part

Description

I was messing with trying to dual boot, and while trying to fix partitions, I accidentally deleted the one on my wedding flash drive I carelessly had plugged in! Please help me recover it!
Download the artifact here.

Writeup

The download contains a usb.img file. We can use testdisk to view its contents: testdisk usb.img

  1. Select usb.img > Proceed
  2. Select Intel > Analyse > Quick Search > Press P to read the files > Press a to select all files > Press C to copy the selected files
  3. Use C to paste to the destination location. When we check our local file structure, we will see all the recovered content.
    There are nested directories in CTF. We can use the find utility to print their names as one string: find . -type d -printf '%P\n' | tr -d '/' | tr -d '\n'
    We will get {n0t_ev3n_d3l3t10n_c4n_s3part3_u5}

Flag

MetaCTF{n0t_ev3n_d3l3t10n_c4n_s3part3_u5}
