Last updated
Was this helpful?
Last updated
Was this helpful?
These are some tricks to bypass python sandbox protections and execute arbitrary commands.
The first thing you need to know is if you can directly execute code with some already imported library, or if you could import any of these libraries:
Remember that the open and read functions can be useful to read files inside the python sandbox and to write some code that you could execute to bypass the sandbox.
Python2 input() function allows to execute python code before the program crashes.
Python try to load libraries from the current directory first (the following command will print where is python loading modules from): python3 -c 'import sys; print(sys.path)'
If you have access to pip or to pip.main() you can install an arbitrary package and obtain a reverse shell calling:
You can download the package to create the reverse shell here. Please, note that before using it you should decompress it, change the setup.py, and put your IP for the reverse shell:
This is really interesting if some characters are forbidden because you can use the hex/octal/B64 representation to bypass the restriction:
In a previous example you can see how to execute any python code using the compile function. This is really interesting because you can execute whole scripts with loops and everything in a one liner (and we could do the same using exec).
Anyway, sometimes it could be useful to create a compiled object in a local machine and execute it in the CTF (for example because we don't have the compile function in the CTF).
For example, let's compile and execute manually a function that reads ./poc.py:
If you cannot access eval or exec you could create a proper function, but calling it directly is usually going to fail with: constructor not accessible in restricted mode. So you need a function not in the restricted environment call this function.
If you can access to the__builtins__ object you can import libraries (notice that you could also use here other string representation showed in last section):
When you don't have __builtins__ you are not going to be able to import anything nor even read or write files as all the global functions (like open, import, print...) aren't loaded.
However, by default python import a lot of modules in memory. This modules may seem benign, but some of them are also importing dangerous functionalities inside of them that can be accessed to gain even arbitrary code execution.
In the following examples you can observe how to abuse some of this "benign" modules loaded to access dangerous functionalities inside of them.
Python2
Checking the globals and locals is a good way to know what you can access.
Here I want to explain how to easily discover more dangerous functionalities loaded and propose more reliable exploits.
One of the most sensitive parts of this technique is to be able to access the base subclasses. In the previous examples this was done using ''.__class__.__base__.__subclasses__() but there are other possible ways:
For example, knowing that with the library sys it's possible to import arbitrary libraries, you can search for all the modules loaded that have imported sys inside of them:
There are a lot, and we just need one to execute commands:
We can do the same thing with other libraries that we know can be used to execute commands:
Moreover, we could even search which modules are loading malicious libraries:
Moreover, if you think other libraries may be able to invoke functions to execute commands, we can also filter by functions names inside the possible libraries:
In some CTFs you could be provided the name of a custom function where the flag resides and you need to see the internals of the function to extract it.
This is the function to inspect:
__globals__ and func_globals(Same) Obtains the global environment. In the example you can see some imported modules, some global variables and their content declared:
__code__ and func_code: You can access this to obtain some internal data of the function
Disassembly a function
Notice that if you cannot import dis in the python sandbox you can obtain the bytecode of the function (get_flag.func_code.co_code) and disassemble it locally. You won't see the content of the variables being loaded (LOAD_CONST) but you can guess them from (get_flag.func_code.co_consts) because LOAD_CONSTalso tells the offset of the variable being loaded.
****
You can find a list of pre-installed packages here: Note that from a pickle you can make the python env import arbitrary libraries installed in the system. For example the following pickle, when loaded, is going to import the pip library to use it:
For more information about how does pickle works check this:
Using tools like one can decompile given compiled python code