It's been long time that I haven't played CTF for a long time but this time I could spare few minutes to play this CTF. I was able to solve one easy challenge about python escape which I find very interesting category.
The challenge name was `Baby's First Pyjail` which was an easy pyjail challenge which I made very difficult because of overcomplicating things.
We were given a host and when connected we were presented a python shell, I tried around and poked a little to get idea about the challenge where I discovered that there was a blacklist which checked certain characters in our user input.
I tried dumping the blacklist by using globals and saw blacklist which is a global variable consisted of the following blacklist.
['import', 'exec', 'eval', 'os', 'open', 'read', 'system', 'module', 'write', '.']
I had some intution on how this could be solved since I had pleasure reading the blog on pyjail escapes which I recommend everyone to read. You can find the blog here.
I could not find what exact payload I used to solve this challenge (thanks to my management skills) but the idea was to bypass the dot (.) restriction by using getattr and string concatenation to bypass keyword restrictions.
Reading other Writeup I realized I made it more difficult than it was, we could have just reset the blacklist by reinitializing the blacklist variable to an empty list and then we could have imported os and then used os.system to get the flag.