1 of 18

Psi Beta Rho Practice #1

Winter Quarter 2023 - Week 2

2 of 18

PBR’s got spirit!!!

3 of 18

📣General Announcements 📣

  • PBR Practices
    • Tuesday 6-8 pm
    • Sign Up: https://forms.gle/CkFDHYMNSG3jrZcg6
  • Cyber Winter GM
    • Tomorrow (1/18)
  • Cyber Academy Track: Web Hacking
    • Intro to Web Hacking (1/25)
  • Cyber Special Topics Track
    • AI Security (1/26)
  • Cyber Social
    • Location TBD (1/27)

4 of 18

👏Welcome back!👏

  • Schedule
    • https://bit.ly/PBRW2023
  • Guest Speaker
    • Harrison Green, DiceGang reverser (https://twitter.com/hgarrereyn)
  • UC Scrimmage
    • Huge collab with UCSD, UCD, UCI, UCR, UCM, … and much more!!!
  • Writeups
    • Only one required for the quarter. Preferably from a CTF we have attended but any is fine. Due date is last practice of the quarter.

5 of 18

⛳️CTFs⛳️

  • bi0sCTF 2023 (this weekend)
  • (optional) DiceCTF 2023
  • LA CTF 2023 (Week 5)
    • https://lactf.uclaacm.com/
    • We need volunteers!!!
  • pbctf 2023 (Week 6)
  • TBD CTF
    • Finding CTFs is hard. :(

6 of 18

🔨Projects🔨

  • Need some help coordinating projects so if you are interested in taking a bigger role in leading some of these projects, let me know.
  • PBR Website
  • Attack-Defense Lab
  • Discord Bot

7 of 18

💪New Practice Style💪

  • PBR rah!
  • Short talks from a PBR Team Captain
  • Get to focus in topic-focused practice groups every week
  • Allows people to explore topics more in depth

  • web: Benson & Jason
  • rev/pwn: Alec & Andrew
  • crypto: Gary & Joshua

8 of 18

Practice Focus:

Pyjails

Presented by Jason

9 of 18

What is a pyjail?

  • Python jail
  • You have a program that filters your input then tries to eval it

10 of 18

Real World Uses for Pyjails

11 of 18

Why You Should Learn Pyjails Anyway

  • Fun
  • Teaches you Python internals that no one cares about
  • Makes you a better(?) Python programmer

12 of 18

Pyjail Basics

  • __import__ allows you to import modules even though eval doesn't normally let you, for example __import__("math").sqrt(4)
  • You can use open to read a file, for example open("flag.txt", "r").read()
  • Calling breakpoint() then using the "interact" command is an easy way to get an unrestricted Python REPL
  • You can also run __import__("os").system("sh") to get a shell

13 of 18

"Standard" Pyjail: No Builtins

14 of 18

Regaining Builtins

().__class__.__base__.__subclasses__()[-1].__init__.__globals__["__builtins__"]["breakpoint"]()

().__class__ -> tuple

tuple.__base__ -> object

object.__subclasses__() -> a list of every type

[-1] -> explained on next slide

cls.__init__ -> constructor

func.__globals__ -> globals for that function

__builtins__ is a global

hooray you got builtins again!

15 of 18

Why object.__subclasses__()[-1]

The __globals__ property will only exist on functions written in Python

This seems like a silly thing to mention until you consider that most of the builtins are written in C

Subclasses are listed in import order, so the ones at the start are all written in C
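
The claim on this slide, checked in code. This is an added example, not part of the original slides; `jail_eval`, `builtins_from` and `survey` are hypothetical names, and `jail_eval` is a constructed stand-in for the "no builtins" jail. It shows that emptying `__builtins__` does not make `eval` a security boundary, and that only classes whose `__init__` is written in Python carry `__globals__`.

```python
import types

def jail_eval(expr):
    """Stand-in for the 'no builtins' jail: eval with __builtins__ emptied."""
    return eval(expr, {"__builtins__": {}})

def builtins_from(cls):
    """Builtins dict reachable through cls.__init__.__globals__, or None."""
    init = getattr(cls, "__init__", None)
    if not isinstance(init, types.FunctionType):
        return None  # C slot wrapper: no __globals__ attribute at all
    found = init.__globals__.get("__builtins__")
    # In __main__ this global is the builtins module; in imported modules it is a dict.
    return vars(found) if isinstance(found, types.ModuleType) else found

def survey():
    """Return (all classes visible from inside the jail, those that leak builtins)."""
    classes = jail_eval("().__class__.__base__.__subclasses__()")
    leaking = [c for c in classes if "breakpoint" in (builtins_from(c) or {})]
    return classes, leaking

if __name__ == "__main__":
    classes, leaking = survey()
    print(f"{len(classes)} classes reachable, {len(leaking)} expose builtins via __init__")
    for label, cls in (("first", classes[0]), ("last", classes[-1])):
        state = "Python __init__" if builtins_from(cls) else "C __init__, no __globals__"
        print(f"{label}: {cls.__module__}.{cls.__qualname__} -> {state}")
```

Which class sits at `[-1]` depends on what the process imported or defined last, so the index is not stable across programs. When that class lives in `__main__`, its `__builtins__` global is the module rather than a dict, which is why `builtins_from` handles both forms.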

16 of 18

Most Important Thing

  • Pyjails are all about doing research
  • There won't be one trick that'll solve every pyjail
  • Official documentation
  • PEPs (these are for language features)
  • Reading cpython source code

17 of 18

Fun Challenge

Treebox from GoogleCTF 2022: https://gist.github.com/Aplet123/59d23849f7cbbcffcb0d795129b2b00b

Writeup: https://ur4ndom.dev/posts/2022-07-04-gctf-treebox/

Or, try doing the standard pyjail but without using single or double quotes

18 of 18

Thanks for coming! :)