{"id":213,"date":"2019-01-17T04:45:59","date_gmt":"2019-01-17T04:45:59","guid":{"rendered":"https:\/\/mrjsec.co.uk\/blog\/?p=213"},"modified":"2019-01-17T04:46:06","modified_gmt":"2019-01-17T04:46:06","slug":"sugarplum-mary-python-escape-from-la-cranberry-pi-terminal","status":"publish","type":"post","link":"https:\/\/mrjsec.co.uk\/blog\/sugarplum-mary-python-escape-from-la-cranberry-pi-terminal\/","title":{"rendered":"
SugarPlum Mary – Python Escape from LA Cranberry Pi terminal<\/center>"},"content":{"rendered":"\n

As we speak to SugarPlum Mary, we find out she has somehow locked her terminal within a Python interpreter “Can you please help me by escaping from the Python interpreter?”<\/p>\n\n\n\n

Sounds simple enough, we need to escape python and run .\/i_escaped.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

So let’s “exit()” and get our badge!\u2026\u2026\u2026.. Well, It seems if we exit the terminal crashes and nothing happens. <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

I also tried sys.exit(), quit(), and other Python interpreter commands to leave, sadly they all did the same thing, that was crashing.<\/p>\n\n\n\n

New plan of action, so the goal is to escape python and run .\/i_escaped. So why don’t we “cheat” and run i_escaped from within the Python interpreter ;)\u2026 I’m sure SugarPlum Mary won’t notice! <\/p>\n\n\n\n

However, now we have new issues, and that is some commands are filtered, for example, I can’t use “import” and other such stuff.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Let’s look at the hint given by SugarPlum Mary “Check out Mark Baggett’s talk upstairs” Or you can find it on YouTube Here.<\/p>\n\n\n\n

In the video Mark Baggett, explains about many methods of escaping python from within the shell, the part that works for me is “evel” which is at 8:37<\/a> within the video, However, I would HIGHLY recommend watching the whole video, in fact, I urge you to view all the KringleCon talks on there YouTube! (It’s great stuff).<\/p>\n\n\n\n

Following the video, it still seems it’s getting filtered, but it’s only filtering words, i.e. “os” “system” and so on.
<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

But what if we change them exmaple os becomes os1.<\/p>\n\n\n\n

os1 = eval('__im' + 'port__(\"os\")')<\/code><\/pre>\n\n\n\n
Now if we use os1 and not os and some magic(well not really)! We get our commands working outside of the filtering!<\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
Now I can use the newest os1 to run commands and bypass the filter, using “os1.listdir” here to find where the i_escaped located.<\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
And now we just need to run .\/i_escaped to complete this challenge.
\n<\/p>\n\n\n\n
os1.system(\"\/home\/elf\/.\/i_escaped\")<\/code><\/pre>\n\n\n\n
So that’s it, another one completed!<\/p>\n\n\n\n
The funny thing is, once you run i_escaped, you get told you have completed this challenge. However, you’re still in the Python interpreter, ah SugarPlum Mary no hating please, you know I love you\u2026 However, my job here done. Maybe you could try turning it off and on again SugarPlum Mary!<\/p>\n\n\n\n
References:
 https:\/\/www.youtube.com\/watch?v=ZVx2Sxl3B9c
<\/p>\n","protected":false},"excerpt":{"rendered":"
As we speak to SugarPlum Mary, we find out she has somehow locked her terminal within a Python interpreter “Can you please help me by escaping from the Python interpreter?” Sounds simple enough, we need…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[10],"tags":[13,14,12],"class_list":["post-213","post","type-post","status-publish","format-standard","hentry","category-kringlecon-2018","tag-13","tag-ctf","tag-kringlecon"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/paD3U6-3r","_links":{"self":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/213","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=213"}],"version-history":[{"count":1,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/213\/revisions"}],"predecessor-version":[{"id":221,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/213\/revisions\/221"}],"wp:attachment":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=213"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=213"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=213"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}