[LRUG] Ruby prison escape challenge

Rob Miller rob at bigfish.co.uk
Wed Jul 11 08:29:08 PDT 2018


The banning-words-with-regex thing was what I got fixated on, so I went 
down the route of creating a payload that behaved like a string, but 
insidiously snuck past the matching logic. Turns out that’s more 
characters than just trying to call the “unlock” method more 
craftily!

On 11 Jul 2018, at 16:19, Stephen Best wrote:

> It has been a pleasure pooling obscure Ruby syntax knowledge.
>
> I can't test it anymore since the site is down and I left the code on my
> work laptop but taking cues from Paul and Murray I may have found a
> solution at 47 chars :O
>
> Can anyone verify if this works?
>
> Re: previous solutions - wasn't `send` banned in regexp?
>
> .
> .
> .
> .
> .
> .
> .
> .
> .
> .
> .
> .
> .
> .
> u=prison.method:unlock;u[*[11]<<"secret"<<self]
>
> On Wed, 11 Jul 2018 at 16:56, Murray Steele <murray.steele at gmail.com> wrote:
>
>> Yup, a fun afternoon.  I initially tried adding a public method to prison
>> that calls unlock to get around it being private and to do that I had to
>> construct an array without commas.  That got me to 59.  Seeing the
>> prison.method version from Stephen let me throw away the extra method
>> definition and call unlock directly, and this took me down to 50, and that
>> “no space for a symbol argument” hint from Paul let me get it to 49.  Par
>> with Matz!
>>
>> I’m willing to pretend that all the payload size versions I saw that were
>> smaller than that were all fake (I’m sure that’s not true).  Looking
>> forward to hearing about some more innovative solutions.  I’m sure there’s
>> a different approach where we can change the prison entirely rather than
>> working out how to call unlock on it.
>>
>> Thanks for the game Marek!
>>
>> On 11 July 2018 at 16:36, Paul Battley <pbattley at gmail.com> wrote:
>>
>>> That was fun. I used a similar tactic, but couldn't get below 50
>>> (hint: you can save one byte because you don't need a space before a
>>> symbol argument).
>>>
>>> Unfortunately, someone has properly hacked it and removed the
>>> scoreboard data. You could coax the app into revealing the database
>>> connection details pretty easily.
>>>
>>> P
>>>
>>> On 11 July 2018 at 13:52, Stephen Best <bestie at gmail.com> wrote:
>>>> That was really fun, thanks for sharing! Unfortunately I'm getting an
>>>> application error when I submit.
>>>>
>>>> Copying the runtime code you provided I can say this solution "works on my
>>>> machine" :D
>>>>
>>>> I managed 51 chars. Will you be sharing the solutions soon?
>>>>
>>>> I've copied Rob's very considerate spoiler mitigation tactic
>>>>
>>>> .
>>>> .
>>>> .
>>>> .
>>>> .
>>>> .
>>>> .
>>>> .
>>>> .
>>>> .
>>>> .
>>>> .
>>>> .
>>>> .
>>>> .
>>>> .
>>>> .
>>>> .
>>>> .
>>>> .
>>>> u=prison.method :unlock;u.curry[11]["secret"][self]
>>>>
>>>> On Wed, 11 Jul 2018 at 14:08, Rob Miller <rob at bigfish.co.uk> wrote:
>>>>>
>>>>> Nice challenge! Best I can do is 87, though I suspect there’s a much
>>>>> cleverer approach that I haven’t thought of…
>>>>>
>>>>> My solution (after a few linebreaks so people can ignore spoilers if they
>>>>> want to):
>>>>>
>>>>> .
>>>>> .
>>>>> .
>>>>> .
>>>>> .
>>>>> .
>>>>> .
>>>>> .
>>>>> .
>>>>> .
>>>>> .
>>>>> .
>>>>> .
>>>>> .
>>>>> .
>>>>> .
>>>>> .
>>>>>
>>>>> payload = Class.new{def to_str;caller[0]=~/m/?"":"prison.send(:unlock,22,'secret',self)"end;}.new
>>>>>
>>>>> On 11 Jul 2018, at 11:23, Marek L wrote:
>>>>>
>>>>> Hello, lrug-ers.
>>>>> Hope you are enjoying summer and Ruby.
>>>>> I have created a small fun challenge that I thought you may enjoy as well.
>>>>>
>>>>> https://ruby-prison-break.herokuapp.com/escapes/new
>>>>>
>>>>> So far, Matz broke it with an incredible 49 characters!
>>>>> Happy hacking and feel free to share.
>>>>> Marek
>>>>> _______________________________________________
>>>>> Chat mailing list
>>>>> Chat at lists.lrug.org
>>>>> Archives: http://lists.lrug.org/pipermail/chat-lrug.org
>>>>> Manage your subscription: http://lists.lrug.org/options.cgi/chat-lrug.org
>>>>> List info: http://lists.lrug.org/listinfo.cgi/chat-lrug.org
More information about the Chat mailing list
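
The mismatch Rob describes at the top of this message (a payload that behaves like a string but gets past the matching logic) comes from converting the payload once for the check and again for the use. The Ruby below is an added example, not code from the thread or from the challenge: `BANNED`, `TwoFaced`, `naive_guard` and `strict_guard` are constructed names, and the denylist content is an assumption based on the question about `send`. The last call shows that even the stricter guard passes reflection such as `method`, so a word denylist in front of `eval` is not a sufficient control.

```ruby
# Added illustration. The denylist and all names here are assumptions,
# not the challenge's own code.
BANNED = /send/ # constructed: the thread only suggests `send` was banned

# Test double whose implicit String conversion differs between calls.
class TwoFaced
  def initialize(*faces)
    @faces = faces
  end

  def to_str
    @faces.size > 1 ? @faces.shift : @faces.first
  end
end

# Flawed guard: converts the payload once to check it and again to use it.
def naive_guard(payload)
  return :rejected if BANNED.match?(payload) # implicit to_str, first call
  String.try_convert(payload)                # second call, as eval would make
end

# Hardened guard: accept only a real String, snapshot it, check the
# snapshot, and hand that same frozen object to the consumer.
def strict_guard(payload)
  return :rejected unless payload.instance_of?(String)
  text = payload.dup.freeze
  return :rejected if BANNED.match?(text)
  text
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs; nothing is evaluated, only the guard result is shown.
  p naive_guard("obj.send(:hidden)")                          # plain string
  p naive_guard(TwoFaced.new("1 + 1", "obj.send(:hidden)"))   # check/use differ
  p strict_guard(TwoFaced.new("1 + 1", "obj.send(:hidden)"))  # non-String
  p strict_guard("obj.send(:hidden)")                         # denylisted word
  p strict_guard("obj.method(:hidden).call")                  # denylist gap
end
```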