webPromedium
Lab 362 — LogPulse — Insecure Deserialization via Pickle Session Cookie
hackadvisor
Task: Django log-aggregation app using signed_cookies sessions with PickleSerializer; goal is to read /root/flag.txt. Solution: leak SECRET_KEY from a /debug/config endpoint (disclosed in robots.txt), forge a pickle session cookie with django.core.signing.dumps and a custom PickleSerializer, achieve RCE via __reduce__/os.system, copy the flag to /tmp/.logpulse_broadcast which the dashboard reflects.
$ ls tags/ techniques/
pickle_deserialization_rce_via_reducesecret_key_leak_via_debug_endpointrobots_txt_disclosuredjango_signed_cookie_forgeryfile_write_reflection_to_dashboard_broadcastcookie_built_with_django_signing_dumps
🔒
Permission denied (requires tier.pro)
Sign in to access full writeups
Sign in with GitHub to continue. No email required.
$sign in$ grep --similar
Similar writeups
- [web][Pro]Lab 63 — DataPulse — Insecure Deserialization via Preferences Cookie— hackadvisor
- [web][Pro]Lab 127 — PulseMetric — Insecure Deserialization via Pickle in Agent Report API— hackadvisor
- [web][Pro]Lab 379 — CrawlBase — Stored XSS to SSRF to Pickle Deserialization RCE— hackadvisor
- [web][Pro]Lab 13 — WebForge — Insecure Deserialization in Config Import— hackadvisor
- [web][free]SecretPickle— gpnctf