# scorescope - DiceCTF 2023

tl;dr

• sys.modules to print all the app modules
• go through the module classes and find the test case functions and re-write them to always return true

Challenge Points: 156
No. of solves: 55
Solved by: sk4d

## Description

I’m really struggling in this class. Care to give me a hand?

## intro

I played DiceCTF 2023 last weekend with my team bi0s. There a were a lot of awesome web challenges. I have worked on some of the web challenges and this is the write-up for the challenge scorescope

## Initial analysis

We are allowed to upload a python file and the application will run several test cases on the file and if the test cases are successful it will be reflected on the page with a green colour. At first i thought this challenge was kind of a pyjail challenge where we have to bypass certain restrcitions to get command execution but later figured out it was not the case when i saw the functions were frozen and the hidden test which was impossible to pass

## Exploitation

ValueError: Raised when an operation or function receives an argument that has the right type but an inappropriate value,

Since the application only tells us if our test case is successful or not we were not able to directly see the results, we can bypass this by using the ValueError Exception call as it prints whatever we pass to it as an Exception

i had no idea what we were supposed to do in this challenge for a while and i spend some time trying some pyjail exploits and trying to get some juicy information and i tried the sys.modules which gave us all the loaded libraries

these modules caught my eyes and i tried importing them in the payload and went through all the functions and properties of these modules

we saw that all these modules has a class like TestAdd, TestHidden, TestMagic ..etc which had the functions which was called to test the test cases (noise).

This was our final payload for the scorescope challenge , uploading this template.py file will turns all the test cases true and the application gives us the flag. You can ignore the __class__ in our payload because it only points to the TestHidden class itself and you can just do which will also make the hidden test case true

## Conclusion

Thanks to the DiceCTF 2023 organizers for the amazing web challenges as always :)