Skip to content

Nebula Level17: A Newbie’s Approach

On level17 we have a python script listening on port 10007. In order to solve this challenge we’ll have to connect to this port and provide some input.

What you’ll need to know…

  • Python

Level17

Looking at the code, we can identify one module, known to be vulnerable. On top of that, it accepts input from the user, so it’s probably a good place to start testing.

Before we actually start doing something, take a look at the documentation of pickle module. It allows to serialize and de-serialize Python structures.
Let’s run an example.

Example

If we execute this python script, it’ll produce a file, pickled.

Files
pickled
Contents of pickled

Now, let’s feed the main python script this file.

Test

This pickle module was new for me, so I did some research and end up finding a BlackHat presentation by Marco Slaviero. I’ll use his technique to solve challenge level17.

Like the previous exercise, I’ll take advantage of this vulnerability to compile a SUID program. Let’s take a peek my pickled file.

pickled_malicious

Simple. Now it’s just a matter of feeding this file to the program running on port 10007. For this, use nc 127.0.0.1 10007 < pickled. Exit and list the files under /home/flag17, where you’ll see the following files.

Files_flag17

Run the SUID program and collect the flag 🙂

Result level17

One more, two left.

Challenges completed: 18/20

Mitigation

The easiest way to solve this problem is not using pickle at all. But I believe that in some cases this will be a half measure, because the main problem is the source of the data. So, as suggested in the previous articles, always sanitize input, don’t trust any source.

Walkthrough

https://www.youtube.com/watch?v=tC7e9jySIk4=02m56s

Further Reading

Published inNebulaUncategorized