Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Plone is a Python-based CMS that has been around since 2002. Zope is used to closely control what a theme author is allowed to execute within Python expressions, which are run in the RestrictedPython library. Using this, globally available functions can be overwritten or restricted easily.
Because imports in Python are weird, the os module can easily be reached through the random module, which imports it as _os! This was done with the following code: random._os.system("<code>"). However, using underscores (_) is not allowed.
It turned out that this restriction (no underscores) was not enforced on some of the functionality. By passing the previous payload through one of these unchecked functions, it was possible to run arbitrary OS commands.
Sandbox escapes are difficult and require an amazing amount of insight into how the application works. This is a wonderful example of a restricted sandbox escape.
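The underscore rule described above only protects the sandbox if every path that can name an attribute applies it. As an added illustration (not Plone's or RestrictedPython's own code; all function names are hypothetical), the sketch below keeps the rule in one policy function shared by a static check of the expression and a run-time lookup helper. It demonstrates this one rule and is not a complete sandbox.

```python
import ast
import random


def name_allowed(name: str) -> bool:
    """Single policy point: names starting with an underscore are off limits."""
    return not name.startswith("_")


def find_violations(expr: str) -> list:
    """Statically list identifiers and attributes in expr that break the policy."""
    tree = ast.parse(expr, mode="eval")
    bad = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and not name_allowed(node.attr):
            bad.append(node.attr)
        elif isinstance(node, ast.Name) and not name_allowed(node.id):
            bad.append(node.id)
    return bad


def guarded_getattr(obj, name, *default):
    """Lookup helper for sandboxed code. The attribute name arrives as data at
    run time, so the static check never sees it; the same policy is applied here."""
    if not isinstance(name, str) or not name_allowed(name):
        raise AttributeError(f"access to {name!r} is not allowed")
    return getattr(obj, name, *default)


if __name__ == "__main__":
    # Constructed sample expressions; the first is the payload quoted on this page.
    samples = [
        'random._os.system("<code>")',
        "random.choice(items)",
    ]
    for expr in samples:
        bad = find_violations(expr)
        print("REJECT" if bad else "ALLOW ", expr, bad)

    # The run-time helper refuses the same name the static check refuses.
    try:
        guarded_getattr(random, "_os")
    except AttributeError as exc:
        print("REJECT", exc)
```

When reviewing a sandbox like this, list every helper exposed to untrusted expressions that takes an attribute or item name as a value, and confirm each one calls the shared policy function.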