siunam's Website



Table of Contents

  1. Overview
  2. Background
  3. Find The Flag
  4. Conclusion



I accidentally set my system shell to the Python help() function! Help!!

The flag is at /home/ductf/flag.txt.

The password for the ductf user is ductf.

Author: hashkitten

ssh -p30022

Find The Flag

In this challenge, we can SSH into the challenge instance:

└> ssh -p30022's password: 
Welcome to Python 3.10's help utility!

If this is your first time using Python, you should definitely check out
the tutorial on the internet at

Enter the name of any module, keyword, or topic to get help on writing
Python programs and using Python modules.  To quit this help utility and
return to the interpreter, just type "quit".

To get a list of available modules, keywords, symbols, or topics, type
"modules", "keywords", "symbols", or "topics".  Each module also comes
with a one-line summary of what it does; to list the modules whose name
or summary contain a given string such as "spam", type "modules spam".


As expected, our shell became Python’s help() function.

According to the documentation for Python's built-in help() function, it displays the details of a given module.

Let's say I want to view the os module's details:

help> os
Help on module os:

    os - OS routines for NT or Posix depending on what system we're on.

    The following documentation is automatically generated from the Python
    source files.  It may be incomplete, incorrect or include features that
    are considered implementation detail and may vary between Python
    implementations.  When in doubt, consult the module reference at the
    location listed above.

    This exports:
      - all functions from posix or nt, e.g. unlink, stat, etc.
      - os.path is either posixpath or ntpath
      - is either 'posix' or 'nt'
      - os.curdir is a string representing the current directory (always '.')
      - os.pardir is a string representing the parent directory (always '..')

Wait… What's that interactive prompt? Is that less? help() sends long output through a pager, and here that pager is less.

According to GTFOBins, less can read arbitrary files via its :e command.

Let’s read the flag!

Examine: /home/ductf/flag.txt
/home/ductf/flag.txt (file 2 of 2) (END)


What we’ve learned:

  1. Escaping Python's built-in help() function through its pager
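
The escape above works because help() hands its output to a pager that has its own file commands. As an added example (not part of the original writeup or the challenge), the following Python sketch audits the environment of an account whose shell is help() and builds a hardened one; the function names and the pager list are assumptions made for illustration, and the pager selection only approximates what pydoc does.

```python
import os
import shlex

# Pagers with built-in file-open or shell commands (constructed, not exhaustive).
ESCAPE_CAPABLE = {"less", "more", "most", "vi", "vim", "view"}


def effective_pager(env):
    """Approximate pydoc's choice: MANPAGER, then PAGER, else less if installed."""
    cmd = env.get("MANPAGER") or env.get("PAGER")
    if not cmd:
        # With TERM=dumb/emacs and no pager variable, pydoc prints plainly.
        return "plain" if env.get("TERM") in ("dumb", "emacs") else "less"
    argv = shlex.split(cmd)
    return os.path.basename(argv[0]) if argv else "less"


def audit_help_shell(env):
    """Return a list of findings for an account whose shell is help()."""
    findings = []
    pager = effective_pager(env)
    if pager == "less" and env.get("LESSSECURE") != "1":
        findings.append("less runs without LESSSECURE=1: :e, ! and | are enabled")
    elif pager in ESCAPE_CAPABLE and pager != "less":
        findings.append(f"pager {pager!r} has interactive file/shell commands")
    return findings


def hardened_env(env):
    """Copy env so help() output goes through cat, with less locked down too."""
    out = dict(env)
    out.pop("MANPAGER", None)
    out["PAGER"] = "cat"
    out["LESSSECURE"] = "1"  # defence in depth if something still starts less
    return out


if __name__ == "__main__":
    sample = {"TERM": "xterm-256color"}  # constructed login environment
    print(audit_help_shell(sample))
    print(audit_help_shell(hardened_env(sample)))
```

The hardened environment only helps if it is set by whatever launches help() for the user, so that the user cannot override PAGER before the pager starts.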