hitchhike

A really cute Python escape:

#!/usr/bin/env python3.9
import os

def f(x):
    print(f'value 1: {repr(x)}')
    v = input('value 2: ')
    if len(v) > 8: return
    return eval(f'{x} * {v}', {}, {})

if __name__ == '__main__':
    print("+---------------------------------------------------+")
    print("| The Answer to the Ultimate Question of Life,      |")
    print("|                the Universe, and Everything is 42 |")
    print("+---------------------------------------------------+")

    for x in [6, 6.6, '666', [6666], {b'6':6666}]:
        if f(x) != 42:
            print("Something is fundamentally wrong with your universe.")
            exit(1)
        else:
            print("Correct!")

    print("Congrats! Here is your flag:")
    print(os.getenv("FLAG", "FAKECON{try it on remote}"))

Of course they’re all trivial (e.g. "0 or 42") except the last one, because what can you really put in so that dict() * <anything> doesn’t raise an exception?

I thought: hmmmmmmm.

I tried some combos, thinking maybe there was a type that had an __rmul__ which handled dict()s. Counter()? (Then again, how would I import it?) Sets, the (obscure) complex j, etc. Nope.

Again I thought: hmmmmmmm. It has to be something syntactical or skips the evaluation entirely.

0 if 1 else 42 is too long!

eval(input()) is too long!

__impor..., nah, forget it!

I started at the available functions in __builtins__ and thought: hmmmmmmm.

I know exit is an object, does it provide some kind of trick that— no. Hey, what about the other non-function function, help(), does it… Oh!

Indeed, the help() mini-shell invokes the external programs less or more which can then be used to execute shell commands with !