RSS
 

5138 – Escape from Python City

10 Dec 2015
CTF: Hacking Lab
Link to challenge: https://www.hacking-lab.com
Date Completed: 10 December 2015

I connect to the server and am presented with the following message:

I type in ls and am presented with the following:

I am in a python sandbox and must escape or read the key.txt file somehow. I try to simply type in sh and get the following message:

I notice the exception and figure I am in a try block. So I try to escape any outer loops using continue and break  but these both fail. I shortly realise I am assigning some value to x  but I can use ;  to run multiple commands.

I try to run: 1;print 'test'  which sets x  to 1 and prints ‘test’. This however fails because I realise I cannot use spaces! Going back to the exception I am getting, I see group is being used so my initial reaction is to use regular expressions so the exception does not happen (as the x  object will have a .group()  attribute).

I try to feed in: re.match(r'(.*)','test')
However, re is not defined! I can’t import it in the regular way as that involves a space, I try to use  __import__('re')  but it is not defined. I also try to run reload(__builtins__) to try and reload the import definition but reload is not defined either.

At this stage I try various things, one being to check to see what variables are defined in the function, I run 1;print(globals()) and get:

This tells me I have an  a  variable as well as an  e  exception variable! I experiment a little and discover my a  variable is actually evaluated before the  group()  exception is raised. So this allows me to do various things (I experiment a lot at this stage). I notice that file is not defined but object is! I’m going to use object to find the offset of the file subclass.

First I run a short test on my local machine:

It tells me the offset is at 40 but this is obviously different for the remote machine. I eventually find that file  is at offset 58 on the remote machine (trial and error).

I can now try to call file with the path of key.txt as the argument and I will attempt to call read()  on the object which should allow me to read the file.

I try the following (setting a  to what I want to be evaluated):

Unfortunately, the remote host instantly terminated the connection. This is because I used the phrase key.txt. I use a bit of trickery here and try the following instead:

This prints out the key.txt file!

Contents:

Bonus:

Since we leaked the name of the python script before, we can actually leak the python source too.
We run:

And get the source:

 

Security Questions:

1,2,3: See above

4. Explain mitigation (remedy)
The issue here is that I was able to call __subclasses__() . The sandbox needs to undefine this (add it to the UNSAFE list) and block all commands that contain __ . With that change the sandbox is much stronger and seemingly unbreakable.

 
No Comments

Posted in Hacking Lab

 

Leave a Reply