webPromedium

Lab 168 — MetricFlow — Insecure Deserialization via Dashboard Import

hackadvisor

Task: Flask analytics platform imports dashboard configs in .mfx format (base64-encoded pickle) via POST /dashboards/import without validation. Solution: craft malicious pickle with __reduce__ returning eval() that executes subprocess.check_output() and wraps output in a dict matching expected schema; flag appears in dashboard name via flash message.

$ ls tags/ techniques/

flask rce python base64 pickle deserialization honeypot_flag dashboard_import mfx_format analytics_platform

base64_payload_encodinginsecure_pickle_deserializationrce_via_reduce_methodpython_eval_executiondecoy_flag_avoidancedict_format_matching

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]MetricFlow— hackadvisor
[web][Pro]MetricFlow — DOM XSS via Prototype Pollution Gadget— hackadvisor
[web][Pro]MetricFlow— hackadvisor
[web][Pro]Lab 13 — WebForge — Insecure Deserialization in Config Import— hackadvisor
[web][Pro]Lab 127 — PulseMetric — Insecure Deserialization via Pickle in Agent Report API— hackadvisor