SugarPlum Mary – Python Escape from LA Cranberry Pi terminal

As we speak to SugarPlum Mary, we find out she has somehow locked her terminal within a Python interpreter: “Can you please help me by escaping from the Python interpreter?”

Sounds simple enough: we need to escape Python and run ./i_escaped.

So let’s “exit()” and get our badge!… Well, it seems that if we exit, the terminal crashes and nothing happens.

I also tried sys.exit(), quit(), and other Python interpreter commands to leave; sadly, they all did the same thing, which was crashing.

New plan of action: the goal is to escape Python and run ./i_escaped, so why don’t we “cheat” and run i_escaped from within the Python interpreter ;)… I’m sure SugarPlum Mary won’t notice!

However, now we have a new issue: some commands are filtered. For example, I can’t use “import” and other such stuff.

Let’s look at the hint given by SugarPlum Mary: “Check out Mark Baggett’s talk upstairs”. You can also find it on YouTube (linked under References).

In the video, Mark Baggett explains many methods of escaping Python from within the shell. The part that works for me is “eval”, which is at 8:37 within the video. However, I would HIGHLY recommend watching the whole video; in fact, I urge you to view all the KringleCon talks on their YouTube! (It’s great stuff.)

Following the video, it still seems it’s getting filtered, but it’s only filtering words, i.e. “os” “system” and so on.

But what if we change them? For example, os becomes os1.

os1 = eval('__im' + 'port__("os")')

Now if we use os1 and not os, with some magic (well, not really), we get our commands working outside of the filtering!

Now I can use the newest os1 to run commands and bypass the filter, using “os1.listdir” here to find where i_escaped is located.

And now we just need to run ./i_escaped to complete this challenge.

os1.system("/home/elf/./i_escaped")

So that’s it, another one completed!

The funny thing is, once you run i_escaped, you get told you have completed this challenge. However, you’re still in the Python interpreter. Ah, SugarPlum Mary, no hating please, you know I love you… However, my job here is done. Maybe you could try turning it off and on again, SugarPlum Mary!
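From the defender's side, the two lines above get through because the filter matches text rather than structure. The following is an added example, not code from the challenge or from the talk: it runs a substring blocklist next to a check that parses each line and only permits calls on an allowlist. The blocklist contents, the allowlist and the function names are assumptions, since the real filter is not shown here.

```python
import ast

# Constructed blocklist, assumed for illustration; the challenge's real list is not on the page.
BLOCKED_SUBSTRINGS = ("import", "exec", "compile", "os.system")
# Hypothetical allowlist of callables for a restricted prompt.
ALLOWED_CALLS = {"print", "len", "range", "sum", "min", "max"}


def blocklist_allows(line):
    """Substring blocklist: accepts any line containing none of the blocked strings."""
    return not any(bad in line for bad in BLOCKED_SUBSTRINGS)


def policy_violations(line):
    """Parse the line and report every construct that falls outside the allowlist."""
    try:
        tree = ast.parse(line)
    except SyntaxError as exc:
        return ["syntax error: " + exc.msg]
    problems = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            problems.append("import statement")
        elif isinstance(node, ast.Call):
            target = node.func
            if not (isinstance(target, ast.Name) and target.id in ALLOWED_CALLS):
                problems.append("call to non-allowlisted target: " + ast.unparse(target))
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            problems.append("dunder attribute: " + node.attr)
        elif isinstance(node, ast.Name) and node.id.startswith("__"):
            problems.append("dunder name: " + node.id)
    return problems


# The two lines from the write-up plus two constructed control inputs.
SAMPLES = [
    "import os",
    "os1 = eval('__im' + 'port__(\"os\")')",
    'os1.system("/home/elf/./i_escaped")',
    "print(len('abc'))",
]

if __name__ == "__main__":
    for line in SAMPLES:
        verdict = "allow" if blocklist_allows(line) else "block"
        print(f"{line!r}\n  blocklist: {verdict}\n  AST policy: {policy_violations(line) or 'allow'}")
```

Even the parsed check is only a filter inside the same process; the dependable control is running the interpreter as an unprivileged, isolated user so that an escape reaches nothing of value.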

References:
https://www.youtube.com/watch?v=ZVx2Sxl3B9c
