On level17 we have a Python script listening on port 10007. In order to solve this challenge we’ll have to connect to this port and provide some input.
What you’ll need to know…
Looking at the code, we can identify one module that is known to be vulnerable. On top of that, it accepts input from the user, so it’s probably a good place to start testing.
Before we actually start doing something, take a look at the documentation of the pickle module. It serializes and de-serializes Python objects, and de-serializing means reconstructing whatever objects the input stream describes.
Let’s run an example.
If we execute this Python script, it’ll produce a file named pickled.
Now, let’s feed the main python script this file.
This pickle module was new for me, so I did some research and ended up finding a BlackHat presentation by Marco Slaviero. I’ll use his technique to solve challenge level17.
Like the previous exercise, I’ll take advantage of this vulnerability to compile a SUID program. Let’s take a peek at my pickled file.
Simple. Now it’s just a matter of feeding this file to the program running on port 10007. For this, use nc 127.0.0.1 10007 < pickled. Exit and list the files under /home/flag17, where you’ll see the following files.
Run the SUID program and collect the flag.
One more, two left.
Challenges completed: 18/20
The easiest way to solve this problem is to not use pickle at all. But I believe that in some cases this is only a half measure, because the main problem is the source of the data. So, as suggested in the previous articles, always sanitize input and don’t trust any source.
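As an added defensive example (not code from the original post or from the Nebula challenge), here is the hardened counterpart of a listener like level17’s: an Unpickler whose find_class refuses any global outside an allow-list, so a stream that tries to resolve a callable is rejected before the REDUCE opcode can invoke it. SAFE_GLOBALS and the sample streams are constructed for this illustration.

```python
import io
import pickle
import shutil

# Constructed allow-list of globals an untrusted pickle may reference.
# Anything outside this set is refused, so no callable can be resolved.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed globals.

    pickle resolves GLOBAL/STACK_GLOBAL opcodes through find_class(); a
    hostile stream uses that lookup to obtain a callable and then runs it
    with REDUCE. Refusing the lookup stops the call from ever happening.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global '{module}.{name}' is forbidden for untrusted pickles"
        )


def restricted_loads(data: bytes):
    """Deserialize untrusted bytes with the allow-list enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load(data: bytes):
    """Return (ok, value) on success or (False, reason) on rejection."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed samples: plain data (accepted), an allow-listed global
# (accepted) and a stream that references a callable from shutil, which
# is refused at lookup time and therefore never invoked.
BENIGN = pickle.dumps({"user": "flag17", "scores": [1, 2, 3]})
ALLOWED_REF = pickle.dumps(set)
SUSPECT = pickle.dumps(shutil.rmtree)

if __name__ == "__main__":
    print(safe_load(BENIGN))
    print(safe_load(SUSPECT))
```

pickle.loads(SUSPECT) would happily hand back the shutil.rmtree function object, which is exactly the step the allow-list denies.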