https://john-jkar.github.io/myblog/tags/chr-bypass/Recent content in Chr-Bypass on 4mN3s14 | CTF Player & StudentHugoen-usWed, 28 Jan 2026 00:00:00 +0000https://john-jkar.github.io/myblog/posts/pwnyctf-pyjail2/Wed, 28 Jan 2026 00:00:00 +0000https://john-jkar.github.io/myblog/posts/pwnyctf-pyjail2/<h1 id="sigpwny-ctf-pyjail-2-writeup--bypassing-python-restrictions">sigpwny CTF: Pyjail 2 Writeup — Bypassing Python Restrictions</h1> <h2 id="challenge-overview">Challenge Overview</h2> <p><strong>URL</strong>: <a href="https://ctf.sigpwny.com/challenges#Meetings/Pyjail%202-633">https://ctf.sigpwny.com/challenges#Meetings/Pyjail%202-633</a></p> <p>A Python jail challenge restricting the <code>exec</code> function with multiple filters:</p> <ul> <li>No quotes (<code>'</code>, <code>&quot;</code>)</li> <li>No <code>x</code> character (blocks <code>exec</code>, <code>eval</code>, hex strings)</li> <li>Limited character set for code execution</li> </ul> <hr> <h2 id="exploitation-strategy">Exploitation Strategy</h2> <h3 id="bypassing-restrictions">Bypassing Restrictions</h3> <table> <thead> <tr> <th>Restriction</th> <th>Bypass Technique</th> </tr> </thead> <tbody> <tr> <td><strong>No quotes</strong></td> <td>Build strings using <code>chr()</code></td> </tr> <tr> <td><strong>No <code>x</code> character</strong></td> <td>Use <code>chr(88).lower()</code> → <code>'X'.lower()</code> → <code>'x'</code></td> </tr> <tr> <td><strong>Blocked functions</strong></td> <td>Use <code>__import__()</code> instead of <code>import</code></td> </tr> </tbody> </table> <h3 id="payload-construction">Payload Construction</h3> <p>Build <code>/flag.txt</code> path without quotes or literal <code>x</code>:</p>