/..

#CONTENT

#TOP

chal.py
1 KiB2024-04-10 03:03
chroot.sh
83 bytes2024-04-10 03:03
Dockerfile
468 bytes2024-04-10 03:03
flag.txt
66 bytes2024-04-10 03:03
hook.sh
203 bytes2024-04-10 03:03
README.mdx
2 KiB2024-12-09 17:25
run.sh
59 bytes2024-04-10 03:03
solve.zig
91 bytes2024-04-10 03:03

#zig-jail-1

This isn't c anymore you can't just #include the flag right?

nc chal.amt.rs 1515

unvariant <-     author jail <-   category 485 <-     points 4 <-     solves medium <- difficulty

zig-jail-1 was inspired by the classic challenge where you use #include "flag.txt" in order to leak the flag.

There are three possible ways to read external files in comptime:

#@embedFile

@embedFile reads an external file and returns the contents as a byte array.

ZIG
   1 
 

   2 
 


const flag = @embedFile("flag.txt");
@compileLog(flag);

#@import

@import can read external files, but with a restriction that it can only target files that end with a .zig file extension. Since the flag is located in flag.txt, @import is not able to actually read the flag.

#@cImport and @cInclude

These two macros can be used to achieve the same effect as #include "flag.txt" in normal C.

ZIG
   1 
 

   2 
 

   3 
 


@cImport({
    @cInlude("flag.txt");
});

However all of these methods are explicitly blacklisted by the jail, because that would be too easy wouldn't it :D.

#solution

Apart from @cInclude there is also @cDefine and @cUndef which provide #define and #undef from zig.

ZIG
   1 
 

   2 
 

   3 
 


@cImport({
    @cDefine("DEBUG", "1");
});

Turns out that they simply take the strings and paste it directly into a temporary buffer, and allows funny things like:

ZIG
   1 
 

   2 
 

   3 
 


@cImport({
    @cDefine("HM", "1\n#include <flag.txt>");
});

which would generate the equivalent c of:

C
   1 
 

   2 
 


#define HM 1
#include <flag.txt>

and is enough to leak the flag on remote through the error message.