Hey, how's it going everybody? My name is John Hammond and again I want to show you another challenge from the Google CTF that was going on this past weekend. This time I want to show you Spotted Quoll, I think that's the name of the challenge, Spotted Quoll. Yeah. Again, another pretty simple challenge, only 50 points, a lot of people solved it. Again, here's the challenge prompt: "This blog on zombie research looks like it might be interesting. Can you break into the admin section?" I've already solved this, but that's okay. Let's see what we can do.

It looks like just a simple, apparently, blog. Doesn't have any content, literally nothing here other than apparently an admin page, and you can see it over at the top right of the navigation. There's an admin section. It doesn't bring me anywhere, but I see that my URL changes to "error user not found." You might not be able to see that, but I see it, and that might tip you off to something. So obviously, it being a web challenge, my kind of knee-jerk reaction and gut thing to do is take a look at the cookies. So we'll fire up our cookie manager again. You can download it from Firefox add-ons if you don't already have it. So we'll get that tool going. I'm gonna verify that I'm okay, I'm looking at Spotted Quoll, CTF competition, so I'll look for that as my cookies, and I see one cookie, obsoletepickle, and it looks like a string here that kind of looks like a base64 thing. So let's poke at that and let's see what it actually is.

If I fire up IDLE, hopefully you guys can see this. It might be better to do this in Sublime Text. Can you see it here? I'll just try and amp up the size. Here I go again doing things I didn't prepare for, my bad everybody, I'm sorry. Wow, configuring IDLE is apparently a no-go. I've literally frozen IDLE right now, at least mouse-clicking-wise, I can no longer touch the menu. So it's a bad idea all around. Let's get Sublime Text up.

Let's do it in here. I'll just probably create a get-flag script while we're doing this, then, spotted quoll, complete. Just give it a nickname so we don't have to call it that much. Now if we print this out, whoa, it looks like a bunch of weird things: python, pickles, subtle, hints, user. Oh, okay, huh. That's very clearly a Python pickle, especially considering the cookie was called obsoletepickle. Do you guys know what that is? If you don't, I totally recommend doing some reading. It's a way you can kind of serialize or kind of compact data. That's really funny. But yeah, Python pickle, object serialization. So we can work with it, though. We can actually check out what that thing really is. I'll import pickle and then say p equals this, print pickle dot... is it loads? Is that right? Okay, yeah, so this is actually just a Python dictionary, right, and python, pickles, subtle, hints. Haha, and the user is None. Okay, if the user is None and the error that we were seeing earlier was that "error user not found," can we set our user to be the admin? Let's try that. This is just a dictionary, so let's say ours, I guess we can call it whatever we want. Let's say our user is the admin, right? So the cookie was base64 encoded from a pickled string. So what we want to do is, can we pickle that data? pickle dot loads ours... Now loads is referring to, like, load string, I guess. I'll just call this, oh, print. Oh, I feel like that's wrong. Okay, yeah, it must be like dumps or something. Yeah, okay, cool, so dumps will take the data as the actual data and then we'll convert it to a pickle once we call pickle dump string. So now we have it as a pickle, and let's go ahead and base64 encode this: b64encode that. Oh, fine. And does that work for us? Yeah, okay, sweet, it does. And don't forget the equals sign at the end. It looks like it did add that padding there. If we go into the cookie manager, can we change this to this? Save it, close. Now if I go to admin, hey, hey, hey, cool.

We get our flag. Sweet, let's automate that. What we want to do is say cookie, and let's get requests. Already, requests, s equals requests dot session. You guys know the deal, you know how to do all this, but I'll just run through it for posterity's sake. Cookies dot update... well, then the cookie was called obsoletepickle, right? Get the admin page, verify, verify, verify, verify equals False. I do that to avoid the SSL thing, if you didn't see it happen in the other video. Print r dot text. Do we get it? Yeah, we do. And then match equals re dot search, the pattern is CTF, call this content. Okay, cool, there's our flag. Oh, let's remove that, uh, that insecure warning. This is like boilerplate code that I stole off the internet. It looks like it'll just hide requests' weird warning, so that's fine. Okay, so cool, we just get our flag as the output to our get-flag script and we're done. Simple challenge. Again, just changing cookie values and seeing what they really are and do, etc., etc. But the Python pickle module is a cool thing to know if you don't already, because you can store data in that and it's, I guess, commonly used in CTFs. You can do a lot of danger with this pickle module in Python. So yeah, that's it. We got our CTF flag, another simple challenge, but I figured I'd show it off to you. I hope you guys enjoyed it and I'll see you again in another Google CTF video. Thanks guys, bye.
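Added example, not from the video and not the challenge's own code: the base64-then-pickle cookie handling John does by hand, run on a constructed cookie so it works offline, beside an HMAC-signed JSON cookie a server could issue instead so that a client-side edit of "user" is detected rather than trusted. The dictionary contents, the key and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import pickle

# Constructed cookie in the shape seen in the video: base64 of a pickled
# dictionary whose "user" is None. Not the real challenge value.
ORIGINAL_COOKIE = base64.b64encode(
    pickle.dumps({"python": "pickles", "subtle": "hint", "user": None})
).decode()


def decode_pickle_cookie(cookie: str) -> dict:
    """base64 -> pickle bytes -> Python object.

    pickle.loads on data a client controls can run arbitrary code on the
    server; it is only safe here because we built the cookie ourselves."""
    return pickle.loads(base64.b64decode(cookie))


def forge_user_cookie(cookie: str, user: str) -> str:
    """The manual steps from the video: unpickle, set user, dumps, b64encode."""
    data = decode_pickle_cookie(cookie)
    data["user"] = user
    return base64.b64encode(pickle.dumps(data)).decode()


# Hardened alternative (assumption, not from the challenge): JSON payload plus
# an HMAC-SHA256 tag, so the server never unpickles and can spot any edit.
SERVER_KEY = b"constructed-demo-key"  # would be a secret kept server-side


def sign_cookie(data: dict, key: bytes = SERVER_KEY) -> str:
    payload = base64.b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the dict if the tag matches, None if the cookie was tampered with."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.b64decode(payload))
```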