March 14, 2019

Python Escape from LA Cranberry Pi terminal challenge

Hint Challenge @ The 2018 SANS Holiday Hack Challenge [ Kringlecon ]

CTF Writeup

📍 SugarPlum Mary at 2nd floor go left from the stairs you will find him at your right.

Hi, I’m Sugarplum Mary.

I’m glad you’re here; my terminal is trapped inside a python! Or maybe my python is trapped inside a terminal?

Can you please help me by escaping from the Python interpreter?


Python Escape > Check out Mark Baggett’s talk upstairs


1- Watch Mark Baggett’s talk about python escape :

2- First we to find and test methods available to escape python then import the os module, We have four method to escape python mentioned in the talk :

{import , eval , exec , compile }

if we tested each one you will find {import , exec , compile} are restricted and only {eval} are allowed .


3- Let’s shape our command using eval :

os =eval(‘__imp’+’ort__(“os”)’)

4- Then we need to run ./i_escaped function inside the module using os.system :

if you test os.system you will find it’s restricted :


5- We have to use {eval} again to escape python restrictions :




Yay, you did it! You escaped from the Python!

As a token of my gratitude, I would like to share a rumor I had heard about Santa’s new web-based packet analyzer - Packalyzer.

Another elf told me that Packalyzer was rushed and deployed with development code sitting in the web root.

Apparently, he found this out by looking at HTML comments left behind and was able to grab the server-side source code.

There was suspicious-looking development code using environment variables to store SSL keys and open up directories.

This elf then told me that manipulating values in the URL gave back weird and descriptive errors.

I’m hoping these errors can’t be used to compromise SSL on the website and steal logins.

On a tooootally unrelated note, have you seen the HTTP2 talk at at KringleCon by the Chrises? I never knew HTTP2 was so different!


HTTP/2.0 Intro and Decryption

Did you see Chris’ & Chris’ talk on HTTP/2.0?