
HackTheBox Locked Away Challenge

Explore the basics of cybersecurity in the Locked Away Challenge on Hack The Box. This very-easy-level challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

https://app.hackthebox.com/challenges/717

Description

A test! Getting onto the team is one thing, but you must prove your skills to be chosen to represent the best of the best. They have given you the classic - a restricted environment, devoid of functionality, and it is up to you to see what you can do. Can you break open the chest? Do you have what it takes to bring humanity from the brink?

Source

banner = r'''
.____                  __              .___    _____                        
|    |    ____   ____ |  | __ ____   __| _/   /  _  \__  _  _______  ___.__.
|    |   /  _ \_/ ___\|  |/ // __ \ / __ |   /  /_\  \ \/ \/ /\__  \<   |  |
|    |__(  <_> )  \___|    <\  ___// /_/ |  /    |    \     /  / __ \\___  |
|_______ \____/ \___  >__|_ \\___  >____ |  \____|__  /\/\_/  (____  / ____|
        \/          \/     \/    \/     \/          \/             \/\/     
'''

def open_chest():
    with open('flag.txt', 'r') as f:
        print(f.read())

blacklist = [
    'import', 'os', 'sys', 'breakpoint',
    'flag', 'txt', 'read', 'eval', 'exec',
    'dir', 'print', 'subprocess', '[', ']',
    'echo', 'cat', '>', '<', '"', '\'', 'open'
]

print(banner)

while True:
    command = input('The chest lies waiting... ')

    if any(b in command for b in blacklist):
        print('Invalid command!')
        continue

    try:
        exec(command)
    except Exception:
        print('You have been locked away...')
        exit(1337)

Exploitation

blacklist.clear()
open_chest()
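The two-line bypass works because the challenge's exec() runs each command in the same global namespace that holds the blacklist list, so a command that passes the substring filter can empty that list before the next check. The following is an added example, not code from the challenge or the original post: it replays the jail loop on a list of inputs, shows a hypothetical hardening (an isolated exec namespace) that defeats this particular bypass, and contrasts both with an allowlist dispatcher that never executes user text at all. FLAG, run_jail, HANDLERS and dispatch are this example's own names.

```python
FLAG = 'HTB{constructed_placeholder}'   # constructed stand-in for flag.txt

# The challenge's substring blacklist, copied from the source above.
BLACKLIST = [
    'import', 'os', 'sys', 'breakpoint',
    'flag', 'txt', 'read', 'eval', 'exec',
    'dir', 'print', 'subprocess', '[', ']',
    'echo', 'cat', '>', '<', '"', "'", 'open',
]

def run_jail(commands, isolate=False):
    """Replay the challenge loop over a list of inputs; return what it would print.

    isolate=False mirrors the challenge: exec() runs in a namespace that also
    holds the `blacklist` list, so a command can reach and mutate that list.
    isolate=True (hypothetical hardening) gives exec() a namespace that exposes
    only open_chest, so the list is not even nameable from inside a command.
    """
    blacklist = list(BLACKLIST)            # the jail's own mutable copy
    output = []

    def open_chest():
        output.append(FLAG)                # stands in for printing flag.txt

    shared = {'blacklist': blacklist, 'open_chest': open_chest}
    for command in commands:
        if any(b in command for b in blacklist):   # plain substring check
            output.append('Invalid command!')
            continue
        try:
            exec(command, {'open_chest': open_chest} if isolate else shared)
        except Exception:
            output.append('You have been locked away...')
            break                          # the challenge calls exit(1337) here
    return output

# Allowlist design: user text selects a handler by exact name and is never executed.
HANDLERS = {
    'look': lambda: 'A locked chest sits in the corner.',
    'chest': lambda: 'The chest will not open.',
}

def dispatch(command):
    handler = HANDLERS.get(command.strip())
    return handler() if handler else 'Unknown command'
```

The isolated namespace only closes this one hole; running untrusted text through exec() stays unsafe regardless of filtering, which is why the dispatcher is the design to prefer.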

Summary

The Locked Away Challenge on Hack The Box introduces the fundamentals of Python jail exploitation and blacklist bypass techniques. By analyzing a restricted environment where certain keywords and functions are blocked, you dynamically manipulate the program to clear the blacklist. Because exec() runs each command in the same global namespace that holds the blacklist list, a command that passes the substring filter can empty the list, after which the previously blocked open_chest() call is accepted. This allows execution of restricted functions, ultimately retrieving the flag. The challenge is ideal for beginners exploring Python security, input validation bypasses, and the limitations of blacklists in secure coding practices.

This post is licensed under CC BY 4.0 by the author.