volga2014/index.html (+63)
@@ -190,3 +190,66 @@ <h2>Exploits 100</h2>
190
190
</code></pre>
191
191
192
192
<p>The password we extracted by this method was <code>S@nd_will2z0</code>, and providing this as the password returns the flag <code>Time_works_for_you</code>. Perhaps a timing attack was the intended solution?</p>
193
+
194
+
<h2>Exploits 300</h2>
195
+
196
+
<p>We're challenged to escape a jail, and a few first submissions return Python-style errors. </p>
197
+
198
+
<p>Apart from missing builtins, there appear to be no restrictions on input characters, so we don't need any encoding tricks. </p>
199
+
200
+
<p>In a local interpreter I tried to find a reference to <code>os</code> so I could open a shell. We can start by listing the subclasses of <code>object</code>:</p>
<p>To reach <code>object</code> in the challenge, it was necessary to follow the class hierarchy from any object, like a number or tuple. We can instantiate a file object and read it:</p>
<p>Then, we tried reading <code>flag</code>, <code>key</code>, <code>flag.txt</code> and so on, none of which were found. Then, we noticed that we had an absolute path to <code>exploit300.py</code> (<code>/home/john/exploit300.py</code>) in the traceback when EOF is sent. So, we read that absolute path and retrieved the script, included farther below. As suspected, though the builtins are empty, there are no restrictions on input. Now we need to get a shell. <ahref="http://eindbazen.net/2013/04/pctf-2013-pyjail-misc-400/">Eindbazen's pCTF pyjail solution</a> used the same trick to get a list of classes, and then indexed into it to traverse to the <code>os</code> module: </p>
<p>However, this was running in a different Python environment, so it wasn't clear what the class at index 48 was supposed to be. I checked a few numbers around it and found that 52, <code>warningmessage</code>, worked.</p>
<p>Now we had a shell, and in the root directory, which is why <code>flag.txt</code> was not found. The flag was located at <code>/home/john/flag.txt</code>. We should have checked that path earlier.</p>
224
+
225
+
<p>Having solved the problem, we explored the system a bit and found some world-readable VPN configuration files and client keys(!) in <code>/ov/oooooo</code>. We also discovered that flag.txt and exploit300.py were writable by the <code>john</code> user. Though tempting, we didn't modify either. In short, this wasn't much of a sandbox.</p>
226
+
227
+
<p>When trying to find the pyjail solution we referenced, we came across a writeup for picoCTF's Python Eval 5, and discovered that this problem was identical down to the indentation style, apart from a comment, the prompt text, and the allowed length:</p>
228
+
229
+
<pre><code>#!/usr/bin/python -u | from sys import modules
230
+
# task5.py | modules.clear()
231
+
# A real challenge for those python masters out | del modules
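Review bot: the link in the paragraph citing Eindbazen's pCTF pyjail solution is written `<ahref="http://eindbazen.net/2013/04/pctf-2013-pyjail-misc-400/">` with no space between the tag name and the attribute, so browsers parse `ahref` as an unknown element and the reference renders as plain, unlinked text; change it to `<a href="http://eindbazen.net/2013/04/pctf-2013-pyjail-misc-400/">`. Separately, the sentences ending in a colon ("listing the subclasses of `object`:", "instantiate a file object and read it:", "traverse to the `os` module:") promise listings, but the diff view jumps from line 198 to line 224 with those lines collapsed, so the listings cannot be checked here; please confirm each colon is followed by its `<pre><code>` block and that the listings match those in writeups.md.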
volga2014/writeups.md (+60)
@@ -183,3 +183,63 @@ Then, we test the strings `'baaaaaaaaaaa'`, `'caaaaaaaaaaa'`, and so on until we
183
183
print a
184
184
185
185
The password we extracted by this method was `S@nd_will2z0`, and providing this as the password returns the flag `Time_works_for_you`. Perhaps a timing attack was the intended solution?
186
+
187
+
Exploits 300
188
+
------------
189
+
190
+
We're challenged to escape a jail, and a few first submissions return Python-style errors.
191
+
192
+
Apart from missing builtins, there appear to be no restrictions on input characters, so we don't need any encoding tricks.
193
+
194
+
In a local interpreter I tried to find a reference to `os` so I could open a shell. We can start by listing the subclasses of `object`:
To reach `object` in the challenge, it was necessary to follow the class hierarchy from any object, like a number or tuple. We can instantiate a file object and read it:
Then, we tried reading `flag`, `key`, `flag.txt` and so on, none of which were found. Then, we noticed that we had an absolute path to `exploit300.py` (`/home/john/exploit300.py`) in the traceback when EOF is sent. So, we read that absolute path and retrieved the script, included farther below. As suspected, though the builtins are empty, there are no restrictions on input. Now we need to get a shell. [Eindbazen's pCTF pyjail solution](http://eindbazen.net/2013/04/pctf-2013-pyjail-misc-400/) used the same trick to get a list of classes, and then indexed into it to traverse to the `os` module:
However, this was running in a different Python environment, so it wasn't clear what the class at index 48 was supposed to be. I checked a few numbers around it and found that 52, `warningmessage`, worked.
Now we had a shell, and in the root directory, which is why `flag.txt` was not found. The flag was located at `/home/john/flag.txt`. We should have checked that path earlier.
214
+
215
+
Having solved the problem, we explored the system a bit and found some world-readable VPN configuration files and client keys(!) in `/ov/oooooo`. We also discovered that flag.txt and exploit300.py were writable by the `john` user. Though tempting, we didn't modify either. In short, this wasn't much of a sandbox.
216
+
217
+
When trying to find the pyjail solution we referenced, we came across a writeup for picoCTF's Python Eval 5, and discovered that this problem was identical down to the indentation style, apart from a comment, the prompt text, and the allowed length:
218
+
219
+
#!/usr/bin/python -u | from sys import modules
220
+
# task5.py | modules.clear()
221
+
# A real challenge for those python masters out | del modules
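Review bot: the side-by-side comparison of task5.py and exploit300.py (the lines starting `#!/usr/bin/python -u | from sys import modules`) must sit inside a code block; if they are not indented four spaces or fenced (indentation is not visible in this view), Markdown will render `# task5.py | modules.clear()` and `# A real challenge for those python masters out | del modules` as level-1 headings instead of comments, and the `|` columns will not align. The same listing in index.html is wrapped in `<pre><code>`, so wrap it here as well, and double-check that `print a` at line 183 keeps its indentation inside the preceding code block for the same reason.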