webPromedium

Lab 127 — PulseMetric — Insecure Deserialization via Pickle in Agent Report API

hackadvisor

Task: Server monitoring platform with Agent Report API that deserializes base64-encoded pickle data from report_data field. Decoy flags in HTML comments. Solution: Craft malicious pickle payload using __reduce__ method to execute arbitrary commands, base64-encode it, and send via POST /api/agent-report to achieve RCE and read /root/flag.txt.

$ ls tags/ techniques/

flask rce python base64 pickle deserialization api honeypot_flag monitoring agent_report

base64_payload_encodingpickle_deserialization_rcedecoy_flag_avoidancereduce_method_exploitationapi_key_authentication

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 315 — PulseMetrics — SSRF Chain to SSTI via Internal Services— hackadvisor
[web][Pro]Lab 13 — WebForge — Insecure Deserialization in Config Import— hackadvisor
[web][Pro]Lab 36 — PulseBoard — Prototype Pollution to RCE via EJS— hackadvisor
[web][Pro]PulseOps — Insecure Deserialization in Config Import— hackadvisor
[web][Pro]Lab 326 — PulseBoard — NoSQL Injection in Authentication— hackadvisor