This challenge asked us to bypass a Python Jail. The script starts removing all built-in stuff from the interpreter and executes our code using ‘exec’.
The goal is to get a shell so we can read the flag file (as we do not know the file name).
Here is the code:
The solution took a big amount of manual searching.
The one interesting thing to comment about is how to bypass the 50 chars limit for the string to be executed (I needed 88 chars for my payload).
In the scope of execution of exec there will be a ‘builtins’ dictionary created. It is empty, but it is there. You can use this to create local symbols that can be used. For example:
In order to change the ‘a’ symbol thou, you have to do it via the ‘builtins’ dictionary.
So like this you can bypass those 50 chars ;)
At the end, my solution looked like this:
Finding that linecache global was really taking time to do manually (the ‘subclasses’ dictionary has too many entries), so I developed this small script to help me (I ran this on the local machine to identify what indexes had the linecache entry):
This has returned me the following:
>>> x [52, 53] >>> z <class 'warnings.WarningMessage'> >>> z <class 'warnings.catch_warnings'>
So now you know what is that index 53 used above.
Thanks to p1ra for the hint on ‘base’ and sigsegv for the nice links :)
The flag was: you_are_the_pyeval_master
Nice readings on the topic that helped me figure this one out.