On level17 we have a Python script listening on port 10007. To solve this challenge we’ll have to connect to that port and provide some input.
What you’ll need to know…
- Python
Level17
Looking at the code, we can identify one module known to be vulnerable. On top of that, it accepts input from the user, so it’s probably a good place to start testing.
Before we actually start doing something, take a look at the documentation of the pickle module. It serializes and de-serializes Python objects.
Let’s run an example.
If we execute this Python script, it will produce a file named pickled.
Now, let’s feed this file to the main Python script.
This pickle module was new for me, so I did some research and ended up finding a BlackHat presentation by Marco Slaviero. I’ll use his technique to solve challenge level17.
Like the previous exercise, I’ll take advantage of this vulnerability to compile a SUID program. Let’s take a peek at my pickled file.
Simple. Now it’s just a matter of feeding this file to the program running on port 10007. For this, use nc 127.0.0.1 10007 < pickled. Exit and list the files under /home/flag17, where you’ll see the following files.
Run the SUID program and collect the flag.
One more, two left.
Challenges completed: 18/20
Mitigation
The easiest way to solve this problem is not to use pickle at all. But I believe that in some cases this would be a half measure, because the main problem is the source of the data. So, as suggested in the previous articles, always sanitize input and don’t trust any source.
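To make both points concrete, the basic pickle round trip described under Level17 and the mitigation above, here is an added example that is not part of the original post or of the Nebula challenge code. It pickles an ordinary dictionary, shows that a plain pickle.loads will call whatever function a pickle's __reduce__ hook names at load time (a harmless os.getcwd here, which is exactly why the pickle documentation says never to unpickle untrusted data), and then restricts unpickling with a subclass of pickle.Unpickler whose find_class only resolves an allowlist of globals. The class names, the allowlist and the sample dictionary are my own constructions.

```python
import builtins
import io
import os
import pickle

# Constructed allowlist: the only globals a pickle is permitted to reference.
# Anything else (posix.getcwd, os.system, subprocess.Popen, ...) is refused
# before it can be called.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on the allowlist."""

    def find_class(self, module, name):
        # find_class is consulted for every GLOBAL/STACK_GLOBAL opcode, i.e.
        # every time the pickle wants a reference to a module-level object.
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Deserialize with the allowlist-enforcing unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def make_benign_pickle() -> bytes:
    """Constructed sample: plain containers only, no global references."""
    return pickle.dumps({"level": 17, "port": 10007, "tags": ["nebula", "pickle"]})


class CallsGetcwd:
    # __reduce__ tells pickle to rebuild this object by calling os.getcwd()
    # with no arguments. Harmless here, but it is the same hook that lets an
    # untrusted pickle invoke any importable function during load.
    def __reduce__(self):
        return (os.getcwd, ())


def make_unsafe_pickle() -> bytes:
    """Constructed sample whose load triggers a function call."""
    return pickle.dumps(CallsGetcwd())


def load_with_plain_pickle(data: bytes):
    """What the challenge script effectively does: trust the bytes blindly."""
    return pickle.loads(data)


def is_rejected(data: bytes) -> bool:
    """True if the restricted unpickler refuses the data."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("benign via restricted loader:", restricted_loads(make_benign_pickle()))
    # Plain pickle.loads does not return a CallsGetcwd object at all; it
    # returns whatever os.getcwd() produced, proving the call happened.
    print("unsafe via plain pickle.loads:", load_with_plain_pickle(make_unsafe_pickle()))
    print("unsafe rejected by restricted loader:", is_rejected(make_unsafe_pickle()))
```

The allowlist approach is the one the CPython documentation itself recommends when pickle cannot be avoided; the stronger fix remains switching the network-facing script to a data-only format such as JSON, since no allowlist helps if the protocol still lets the sender choose which code runs.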