Pickle Rick
Difficulty | Points | Solves |
---|---|---|
Hard | X | X |
Description
Rick has turned himself into a pickle, can you find him before it's too late...
File is temporarily hosted at https://drive.google.com/file/d/1ZULGK4p7cJQHNabmDHdtki-g1xNfHu0f
MD5: ba83987433851f2101f846e89b9b99f6 SHA256: 1dd4388022be3946a72dd3fcf2603896396a8574d5dbe214f9ecf1b0a8b2db92
Password: &y9PBYf8gZ^996s9
I would suggest giving participants the link to download the file before the CTF starts, and only releasing the password after the CTF has started.
Solution
SQL injection bypassing a blacklist
Python insecure deserialization with the pickle module for RCE
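An added example, not part of the original writeup and not the challenge's payload: a defensive sketch of the pickle issue named above, which flags pickles that import globals or call callables without loading them, and loads data through an allow-listing Unpickler. The function names, the empty allow-list and both sample blobs are assumptions constructed for illustration; the callable sample only invokes len().

```python
import io
import pickle
import pickletools

# Opcodes that import a global or construct/call objects while unpickling.
RISKY_OPS = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
             "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}

# Assumption: the application only exchanges plain containers and scalars,
# so no global lookup is allowed, e.g. {("collections", "OrderedDict")}.
ALLOWED_GLOBALS = set()


def risky_opcodes(data):
    """Statically list risky opcodes; the pickle is parsed, never executed."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in RISKY_OPS]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class CallsOnLoad:
    """Constructed sample: __reduce__ makes the loader call len("rick")."""

    def __reduce__(self):
        return (len, ("rick",))


# Constructed sample inputs: one data-only pickle, one that calls a function.
PLAIN = pickle.dumps({"user": "morty", "id": 7}, protocol=4)
CALLABLE = pickle.dumps(CallsOnLoad(), protocol=4)

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("callable", CALLABLE)):
        print(label, "risky opcodes:", risky_opcodes(blob))
        try:
            print(label, "->", safe_loads(blob))
        except pickle.UnpicklingError as exc:
            print(label, "rejected:", exc)
```

The stronger fix is to not unpickle untrusted input at all and to use a data-only format such as JSON for anything that crosses a trust boundary.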
sample payload
Binary with the SUID bit in the opt directory: /opt/clean_pickle.sh
Running sudo -l shows the user is able to run sudo on /opt/clean_pickle.sh with SETENV and NOPASSWD.
Exploit script
Pivoting to AWS Cloud
In /root/.aws/credentials there are cleartext IAM credentials for AWS. Enumerate the permissions and list the S3 files.
Get flag :D
Flag
LNC2023{1m_p1ckl3_r1111ck}