 Hello everybody and welcome back to the YouTube video. My name is John Hammond. We're still looking at the Kaizen CTF Checking out the Maryland competition the capture the flag game that was going on last weekend on Friday And I want to show off this last challenge for you Pickle Deets There's only exploitation ones It was a challenge that I did not solve during the competition and I'm still very very sour about it because I I know that I could have solved it and I know I should have solved it and it Honestly is a difference between what put us in second place and what could have had us in first place now the competition is over I have finally solved it and Check it out on the scoreboard. That's currently what puts us at the very top But again, it's it's the competition has ended the competition is over. So whatever. I still want to show it off You guys Pickle beats Showing off some of the Python Pickle library So the challenge here is I'm a big fan of beats So my next an application so people could send me their best beats read the file called flag in the directory The server is stored in so it gives us I did end up using the hint at the very end of the of the competition Even though it told me everything I already knew. Yeah, it's the Pickle module It's not very secure originally the challenge was only a hundred points, but it's only took away 10 points So even if we had it use the hint We still would have jumped up to first place like I currently am in now quote-on-quote Although the competition is over. We finished in second place. So whatever I'll download this and we can take a look at it I can show you the source code for what's running on the server We'll create a new directory called Pickle beats Go ahead and save it jump over to our terminal here move back into Pickle beats on zip it here and Now we've got this server dot Python file. Oh, sorry server dot pi and it Uses Pickle base 64 and sys and it creates this object for us The class and says welcome my beat receiver. I'm on a quest to find the best beats in the world Send me your best beats when you're ready So it takes in our input and it base 64 decodes it and that turns that into a object by Unloading or load string of that beat it looks like Pickle the Pickle module in in Python Can like serialize a Python object and create Python data. So he says thanks for your beat. Here's the name It sounds delicious. So it does end up using the object that we give it so we can take advantage of this I'll show off the Python Pickle object if you haven't heard of it before but you've you may have seen me use it in Like some of the Python challenge stuff like that. There's a lot of documentation on it and they do say Do not trust any Pickle that you have seen before it because it can Contain malicious code that can run arbitrary Python code or anything else Again, it even goes through that in the documentation It says it's not really secure against maliciously constructed data Never trust or unpickled data from an untrusted or authenticated source So that's what we can take advantage of and honestly I should have been able to do it during the competition Because I totally know how to exploit it But I didn't get it in the right syntax of the right form if you do a little bit of a googling for Pickle Python stuff There's a big vlog that's even the answers right here It explains that you can use the Python Pickle serialization library and create an object that will just run any code you want In our case we can just say Create an object that will run like, you know a shell run bash or sh Once the Python object is been created or reduce and it'll just return that shell for us And they even use that base 64 in code Option so we can literally just copy this code and change it to just say cat flag or get the flag From the directory because we can have it run arbitrary code just like this. So I'll copy this Literally just copy this code. You don't have to use C Pickle. It's just a C rendition of it But we can use this as our exploit dot pi And it all will already base 64 and code it for us We don't have to write it all out for us and it just creates an object blah, blah, blah Let's just change the argument that it passes in the process command that Creates and gives to sub process. We'll have it be cat and Flag will be the argument that we pass to it. So now when we run this we get this base 64 string Which we can go ahead and connect to the server with So they've got this net cat connection here We'll go over there and Our base 64 string right now should cat the flag for us Which it does and it gets us this right here. So that's it That's the exploit honestly and that then there's your flag You can make this do whatever you want keep in mind because now you have like remote code execution I wonder what's in etc password. Can we read it? Will it work for us? Etc. Take a look get this base 64 code. I don't know if it'll be returned for us or not Experiment might as well and there we go. We get an etc password file. So that's the thing don't ever trust pickles and Python And that's how you would end up exploiting it when you create an object with Pickled data their server code just loads it and Works with it we can take advantage of it not even worrying about this name variable when I was running when I was doing this in the Competition I got so tripped up on like how am I going to be able to get named to evaluate into something? You don't even have to worry about name. You can just use that reduce Special function or like inherent function and module and method within any Python object And once there is any notion of this object Once it's ever created it runs this and you'll be able to work with whatever you want. So That's awesome. It's really cool But I'm bummed and still sour a little bitter that I wasn't able to get it during the game But I get it now and I feel like I learned something really cool with it Thanks for watching guys. Hope you enjoyed this and I'll see you in a later video