Laboratory: TJCTF 2016 - Use the Force [web 80]

delimitry, June 1, 2016

A Flask web application with a Unicode lower/upper case issue.

The page links to the web app's source code. The web app is written in Python 3 using the Flask microframework.
The check function that gives the flag is obfuscated.

My teammate Yalegko deobfuscated it. The core part is:

import itertools
import operator

# text is the user-supplied input
all(
    itertools.starmap(
        operator.contains,
        zip(
            itertools.repeat(list([0, 32])),
            itertools.starmap(
                operator.sub,
                zip(
                    map(ord, text.lower()),
                    map(ord, text.upper())
                )
            )
        )
    )
)

So to get the flag we need to find text where the difference between the character codes of the lowercase and uppercase forms (computed for each character of the text) is not 0 or 32. For example, in Python "abc".upper() gives "ABC", and "ABC".lower() gives "abc". The case of non-letter characters does not change: "123_+".upper() gives "123_+".

At first sight it seems impossible, but after some searching I found a discussion: https://bugs.python.org/issue1528802.

Some Unicode characters give unexpected results after uppercase and lowercase conversion.
See also:
http://stackoverflow.com/questions/7491680/unicode-characters-having-asymmetric-upper-lower-case-why
http://www.moserware.com/2008/02/does-your-code-pass-turkey-test.html
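
The assumption behind the check (that lower and upper forms always differ by 0 or 32) can be tested over a range of code points. This is an added example, not code from the challenge or the original write-up; `classify` and `survey` are hypothetical helper names, and the exact counts depend on the Unicode database of the Python build.

```python
import itertools
import operator
import sys


def check(text):
    """Predicate from the write-up: every lower/upper code point offset is 0 or 32."""
    offsets = itertools.starmap(
        operator.sub, zip(map(ord, text.lower()), map(ord, text.upper()))
    )
    return all(itertools.starmap(operator.contains,
                                 zip(itertools.repeat([0, 32]), offsets)))


def classify(ch):
    """Say why one character breaks the 0-or-32 assumption, or return None."""
    lower, upper = ch.lower(), ch.upper()
    if len(lower) != len(upper):
        return "length"   # e.g. "ß".upper() == "SS"; zip() truncates silently
    if not check(ch):
        return "offset"   # same length, but the offset is neither 0 nor 32
    return None


def survey(limit=sys.maxunicode + 1):
    """Count assumption-breaking code points below `limit`, grouped by reason."""
    counts = {"length": 0, "offset": 0}
    for cp in range(limit):
        reason = classify(chr(cp))
        if reason:
            counts[reason] += 1
    return counts


if __name__ == "__main__":
    for sample in ("abc123_+", "ı", "œ", "ß"):   # constructed sample inputs
        print(repr(sample), check(sample), [classify(c) for c in sample])
    print("ASCII only:  ", survey(128))
    print("below U+0250:", survey(0x250))
```

The ASCII range produces no hits, so any validation that relies on this invariant needs to reject or normalize non-ASCII input before comparing case forms.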

So I entered "ı" or "œ" and got the flag:

tjctf{99f47fbbc74e814a9a00a6458d4e5c12}