mind-blasters — TJCTF 2026

Description

Rick's Mind Blows are now protected by a blacklist! You won't be able to hack this one!

Connection: nc tjc.tf 31420 Attachment: server.py

A Python server accepts base64-encoded pickle data and deserializes it using a RestrictedUnpickler with a strict allowlist of only 14 builtins. The deserialized result is converted to a string and returned, but any flag pattern matching tjctf{...} is redacted before output. The goal is to achieve RCE and exfiltrate the flag despite both restrictions.

Analysis

RestrictedUnpickler — Allowlist Model

Unlike the companion challenge "mind blowers" (which uses a blocklist), this challenge uses a strict allowlist. The find_class method only permits loading names from the builtins module that appear in the ALLOWED set:

ALLOWED = {
    'type', 'getattr', 'len', 'range',
    'str', 'int', 'bytes', 'list', 'dict',
    'tuple', 'bool', 'set', 'frozenset', 'bytearray',
}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if module == 'builtins' and name in ALLOWED:
            return getattr(builtins, name)
        raise pickle.UnpicklingError('not allowed')

This means:

• Only the builtins module is accessible — no os, subprocess, importlib, etc.
• Only 14 specific names are allowed — no eval, exec, __import__, open, license, help, etc.
• Any attempt to load a non-allowed class via pickle's GLOBAL/STACK_GLOBAL opcodes raises UnpicklingError

Output Filter

After deserialization, the server applies a regex to strip the flag:

result_str = re.sub(r'tjctf\{[^}]*\}', '[REDACTED]', result_str)

Even if we achieve RCE and read the flag file, the output will be redacted if it contains the continuous tjctf{...} pattern.

The Critical Vulnerability: getattr.__self__

The key insight is that getattr is in the allowed set. In CPython, built-in functions (builtin_function_or_method type) have a __self__ attribute that points to the module they belong to:

...