TokyoWesterns CTF 4th 2018 Writeup — Part 5

Abdelkader Belcaid
Sep 9, 2018 · 5 min read

07/09/2018 15:07 PM UTC+2

TokyoWesterns CTF 4th 2018 Writeup — Part 5

In this part I will talk about how I solved two interesting challenges about Python Sandbox Bypass.

pysandbox — 339pts

pysandbox

As you see, this task is about two parts, each part is a challenge to bypass Python Sandbox.

pysandbox 1–161pts

Challenge: sandbox

Firstlly, let’s read and understand the given python script to know what is needed in this challenge:

We will input something, will be parsed by ast and will pass by eval function:

When the system check Call or Attribute in the expression, it will considered invalid because it’s blacklisted.

And we have comments:

And Attributes:

I compared between checked parts in Attributes and marked as not checked in Comments. Found that arguments in Lambda is not checked in Attributes and marked as checked in Comments, and Generators is not checked ListComp argument in Attributes and marked as checked in comments.

In comments:

In Attributes:

Based on this result let’s try to use Generators with eval function to bypass it!

Let’s connect into our given server and send it as our input:

Here is the final payload to show the flag:

submitting the first pysandbox’s flag

FLAG is: TWCTF{go_to_next_challenge_running_on_port_30002}

Seems that’s flag will help us to connect into second server, so if you did not bypassed the first python sandbox will not be able to bypass the second one just if you guess that the port of second python sandbox is 30002.

pysandbox 2–176pts

Challenge: sandbox

Let’s connect into server first:

second server connection

It required the flag of first python sandbox challenge to get the second python script, so you must solve the first challenge to solve the second challenge.

In order to get the script of second python sandbox you have to give the SHA512 of the first flag as shown above.

Here is the python script of second part:

If you read this script you will find that arguments in Lambda is not checked in Attributes and marked as checked in Comments, and slice is not checked Subscript argument in Attributes and marked as checked in comments.

In Comments:

In Attributes:

Based on this result let’s try to use slice with eval function to bypass it!

Let’s connect into our given server and send it as our input:

pwd
id
ls
cat flag2

Here is the final payload to show the flag:

submitting the second pysandbox’s flag

FLAG is: TWCTF{baby_sandb0x_escape_with_pythons}

It was a fun and educational challenge, i just got such a good points about how to escape python sandbox and get shell by exploitation of that issue.

I would to thanks all TokyoWesterns Team’s members for these good challenges and for the organization, and HackXore 337 Team’s members for sharing informations with me during CTF.

Actually, It was a good performance to me; the 56th place with 994 points with some missed challenges were almost done is not easy. I hope that will participate in the next version and to enjoy such a more fun and good challenges.

TokyoWesterns CTF 4th 2018 Challenges Board
HackXore 337’s Solved Challenges
TokyoWesterns CTF 4th 2018 Ranking Board

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Abdelkader Belcaid

Written by

I'm Bug Bounty Hunter & CTF Player

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade