Lab 13 — WebForge — Insecure Deserialization in Config Import

hackadvisor

Task: Flask DevOps platform with config import/export using Python pickle serialization. Solution: Craft malicious pickle payload with __reduce__ method to achieve RCE and read /tmp/flag.txt.

flask rce python base64 pickle deserialization honeypot config_import

insecure_pickle_deserializationrce_via_reduce_methodbase64_payload_injectionpython_eval_execution

$ ls tags/ techniques/

flask rce python base64 pickle deserialization honeypot config_import

insecure_pickle_deserializationrce_via_reduce_methodbase64_payload_injectionpython_eval_execution

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 168 — MetricFlow — Insecure Deserialization via Dashboard Import— hackadvisor
[web][Pro]Lab 116 — InsightForge — IDOR via Undocumented Internal API— hackadvisor
[web][Pro]Lab 127 — PulseMetric — Insecure Deserialization via Pickle in Agent Report API— hackadvisor
[web][Pro]TeamForge — IDOR to Owner Account Takeover via Weak Passwords— hackadvisor
[web][Pro]Lab 205 — DockForge — SSRF in Webhook Test Endpoint— hackadvisor