miscfreeeasy

Locked Away

hackthebox

Task: Escape a Python jail with exec() that blacklists import, os, eval, open, quotes, and brackets. Solution: Call the open_chest() function (which reads the flag) by constructing the string "open_chest" using chr() concatenation and accessing it via globals().get() to avoid blocked quotes and brackets.

$ ls tags/ techniques/

python_jail pyjail sandbox_escape blacklist_bypass

chr_string_constructionglobals_get_bypass

$ cat /etc/rate-limit

Rate limit reached (20 reads/hour per IP). Showing preview only — full content returns at the next hour roll-over.

Locked Away - HackTheBox

Description

"A test! Getting onto the team is one thing, but you must prove your skills to be chosen to represent the best of the best. They have given you the classic - a restricted environment, devoid of functionality, and it is up to you to see what you can do. Can you break open the chest? Do you have what it takes to bring humanity from the brink?"

Connection: nc 94.237.61.249 54149

Analysis

The challenge provides a Python jail where user input is executed via exec(), but with a blacklist filter.

Source Code (main.py)

banner = r'''
.____                  __              .___    _____                        
|    |    ____   ____ |  | __ ____   __| _/   /  _  \__  _  _______  ___.__.
|    |   /  _ \_/ ___\|  |/ // __ \ / __ |   /  /_\  \ \/ \/ /\__  \<   |  |
|    |__(  <_> )  \___|    <\  ___// /_/ |  /    |    \     /  / __ \\___  |
|_______ \____/ \___  >__|_ \\___  >____ |  \____|__  /\/\_/  (____  / ____|
        \/          \/     \/    \/     \/          \/             \/\/     
'''


def open_chest():
    with open('flag.txt', 'r') as f:
        print(f.read())


blacklist = [
    'import', 'os', 'sys', 'breakpoint',
    'flag', 'txt', 'read', 'eval', 'exec',
    'dir', 'print', 'subprocess', '[', ']',
    'echo', 'cat', '>', '<', '"', '\'', 'open'
]

print(banner)

while True:
    command = input('The chest lies waiting... ')

    if any(b in command for b in blacklist):
        print('Invalid command!')
        continue

    try:
        exec(command)
    except Exception:
        print('You have been locked away...')
        exit(1337)

Blacklist Analysis

...

$ grep --similar

Similar writeups

[misc][free]Broken Shell— hackthebox
[pwn][free]Execute (pwn_execute)— hackthebox
[misc][free]exponential— umdctf
[misc][free]build-a-builtin-revenge— b01lersc
[misc][free]rustjail— b01lersc