ctf-writeups

Python jail

References:

Table of contents:

cheatsheet

Assign to variables

Call functions

Construct strings

No builtins

No numbers/booleans

Get python/bash shell

jailCTF 2025 impossible

Requirements:

  1. No parens: use obj.__class__.__getitem__ = func and obj[arg] to call function
  2. No spaces or equal signs: use [[]for[a]in[[b]]] instead of a = b
  3. No strings: set obj.__class__.__getattr__ = __import__ and obj.os to import os

Details here.

jailCTF 2025 one

Requirements:

  1. Only one .: use lambda function to reuse value.__getattribute__ call
  2. No builtins: use ().__setattr__.__objclass__.__subclasses__()[os_index].__init__.__globals__['system']('sh') to get shell

Details here.

jailCTF 2025 primal

Requirements:

  1. No eta: no getattr/setattr, use obj[name] to access fields
  2. No builtins: use ().__reduce_ex__(2)[0].__globals__['__builtins__']['__import__']('os') to get os
  3. Words should have prime length: use 'aa'.__len__() for 2, use \xXX in strings

Details here.

CrewCTF 2025 pyfuck

Requirement:

  1. Only alphabetic characters, parentheses and plus sign: use plus sign to construct string, generator syntax and function call
  2. Limited builtins and count of +: search for a short combination to create the intended string

Details here.

CrewCTF 2025 Bytecode Bonanza - Basics

Requirements:

  1. Limit to the following opcodes in Python 3.9:
    1. POP_TOP: pop top element
    2. DUP_TOP: duplicate top element
    3. UNARY_INVERT: invert top element
    4. BINARY_ADD: pop two elements, push the sum of them
    5. POP_JUMP_IF_TRUE: pop top element, jump to target if element is true (non-zero)
    6. EXTENDED_ARG: construct 16 bit argument for the next op
  2. Implement three functions: a-b, 1337 and a*b

Details here.

WHY2025 CTF TitleCase

Use unicode bypass to avoid str.title().

Details here.

FortID CTF 2025 Michael Scottfield

Requirements:

  1. Length <= 500: Easy to achieve
  2. Allow () but no parameters: Use pdb.set_trace() or code.InteractiveConsole().interact()
  3. No strings: Use docstrings and str[index] to create strings
  4. No numbers: Use True as 1
  5. No builtins: Use ().__class__.__base__.__subclasses__()

Details here.

LACTF 2025 farquaad

Requirements:

  1. Only printable characters
  2. No e or E: Use list(x.__dict__)[index] to find strings with e in it and call it via x.__dict__[list(x.__dict__)[index]](args)
  3. No builtins: Use ().__class__.__mro__[1].__subclasses__()

Details here.

scriptCTF 2025 Modulo

Requirements:

  1. No builtins: use ().__class__.__base__.__subclasses__()[os_wrap_index].__init__.__globals__["system"]("sh")
  2. No lowercase letters except c, only allow % binary op: use "%c%c" % (97, 98) to construct strings
  3. No integers: use ()<((),) as 1, use -~x as x+1
  4. No .: use getattr(A, "B") as A.B

Details here.

UIUCTF 2024 Astea

Requirements:

  1. No function call: Use f"{license}" for license._Printer__setup in [function_to_call]] to call function_to_call
  2. No builtins: Use .__builtins__ of the given function to access builtins dict, or .__globals__["__builtins__"] of the given function to access builtins module
  3. No assignment: Use [a:=b] for assignment

Details here.

jailCTF 2024 filterd

Requirement:

  1. Input length <= 14: raise input length limit on the fly
  2. Blacklisted builtins: reuse existing function to re-evaluate

Details here.

jailCTF 2024 no-nonsense

Requirements:

  1. No ([=]): call functions using decorators, @exec\n@input\nclass a: pass
  2. AST name does not appear in input: use unicode bypass
  3. No newlines: use \r instead of \n for multiline code

Details here.

UofTCTF 2024 Jail Zero

Requirements:

  1. No alphabetic: Use Unicode Block “Mathematical Alphanumeric Symbols” to bypass
  2. No numbers: Use (''=='') as 1
  3. No double underscores: Use FULLWIDTH LOW LINE
  4. No builtins: Use ().__class__.__base__.__subclasses__()

Details here.

SECCON 2024 Quals 1linepyjail

Requirements:

  1. Length <= 100: Try hard to reduce input length
  2. Allow () but no parameters: Use sys.modules["pdb"].set_trace()
  3. No builtins: Use ().__class__.__base__.__subclasses__() to find sys

Details here.

ImaginaryCTF 2024 ok-nice

Requirements:

  1. No numbers: Use True as 1
  2. Exception side channel: Use integer division by zero or array out of bounds to guess each character
  3. len(set(input)) <= 17: Reuse characters already appeared

Details here.

ImaginaryCTF 2024 calc

Requirements:

  1. Input is a expression: Use list comprehension to execute multiple statements
  2. Input should match regex: Use 1, to bypass since it is not a full match
  3. Audit hook: Add signal handler, raise signal and change content of the audit hook to bypass

Details here.

NTUA_H4CK 2024 Snekbox

Requirements:

  1. No non-ascii characters
  2. Blacklisted dangerous functions: Use globals()[function_name] to bypass

Details here.

TBTL CTF 2024 Squeezing Tightly On Arm

Requirements:

  1. No ': Use " for strings
  2. Some characters may appear only once: save intermediate values to locals
  3. No builtins: Use ().__class__.__base__.__subclasses__() to bypass

Details here.

TCP1P CTF 2024 typically not a revenge

Requirements:

  1. No numbers: Use arr[[]is[]] for arr[0], arr[not[]is[]] for arr[1], arr[not[]is[]:][not[]is[]] for arr[2]
  2. No parens: Use [class[arg] for class.__class_getitem__ in [function_to_call]] to call function
  3. No assignments or commas: Use [... for a in [b] for c in [d]]
  4. No spaces: Use \f i.e. form feed
  5. No builtins: Use [].__class__.__base__.__subclasses__()
  6. No sys module: Use <class 'os._wrap_close'> to find system

Details here.

TCP1P CTF 2024 functional

Requirements:

  1. Call functions with zero argument, or return value of another function, and all function names should match [ad-z]+

Details here.

TCP1P CTF 2023 PyMagic

Requirements:

  1. No (): Use class.__class_getitem__ and class[] to bypass
  2. No strings: Use docstrings and str[index] to create strings
  3. No numbers: Use True as 1
  4. No spaces: Use \r to bypass while making input() happy
  5. No builtins: Use ().__class__.__base__.__subclasses__()

Details here.

GDG Algiers 2022 Type_it

Requirements:

  1. No non-ascii characters
  2. No blacklisted characters
  3. Prone to string injection

Details here.

ImaginaryCTF Round 23 June 2022 Stackless Jail

Requirements:

  1. Function can only use at most one stack element: use CALL_FUNCTION instead of CALL_METHOD, i.e. use B = A.method; C = B() instead of A.method()

Details here.