Tokyo Westerns/MMA CTF 2nd 2016: Private / Local / Comment

Quizzes about ruby.

Private

Q

class Private
  private
  public_methods.each do |method|
    eval "def #{method.to_s};end"
  end

  def flag
    return "TWCTF{CENSORED}"
  end
end

p = Private.new
Private = nil

A

Enter the scope of p.

def p.f;$><<flag;end;p.f

method(:send).unbind.bind(p)[:flag] can call the flag method, but it is too long ($35$ bytes).

Local

Q

def get_flag(x)
  flag = "TWCTF{CENSORED}"
  x
end

A

Do tracing.

TracePoint.trace(:return){|a|puts a.binding.eval"flag"}

It may be able to get the flag with set_trace_func.

Comment

Q

require_relative 'comment_flag'

and

$ cat comment_flag.rb
# FLAG is TWCTF{CENSORED}

A

The strings of comment_flag.rb is loaded to the memory, and have not been garbage-collected yet.

ObjectSpace.each_object(String){|s|puts s if /TW+CTF/ =~ s}