Tags: flask coredump pwn 

Rating: 5.0

- `/dump/` lets you take a full coredump of the running Flask app
- analyze the coredump to recover `app.secret_key`, then use it to forge an admin cookie
- upload a malicious tar file that contains a symlink to the root `/` directory; this gives you system-wide read access to files
- browse to `/proc/[pid]/cmdline`: there's an ssh-agent running, and `/home/alice/.ssh/` contains an ssh key
- gain a foothold for RCE by overwriting `__free_hook` with `system`; this ends up executing every line of whatever you send in the HTTP request
- `sudo -l` shows that `gcore` can be run via `sudo` without a password, so take a full coredump of `ssh-agent`
- analyze the ssh-agent coredump and recover the RSA prime parameters
- use the recovered RSA private key to ssh in as root
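The third step works because the upload handler extracts archive members without inspecting them, so a symlink entry whose target is `/` turns a later file browser into a read of the whole filesystem. The check below is an added example of how a defender would reject such archives before extraction; it is not code from the original writeup or the challenge, and the sample archive it builds (a harmless `notes.txt` plus a `share -> /` symlink) is constructed inline for the test.

```python
import io
import os
import tarfile


def find_unsafe_members(tar):
    """Return (member_name, reason) for every entry that must not be extracted.

    Rejects symlinks and hardlinks (a link to `/` or any path outside the
    upload dir is the bug from the writeup), absolute or traversing paths,
    and device nodes.
    """
    unsafe = []
    for m in tar.getmembers():
        if m.issym() or m.islnk():
            unsafe.append((m.name, "link entry pointing at %r" % m.linkname))
        elif os.path.isabs(m.name) or ".." in m.name.split("/"):
            unsafe.append((m.name, "absolute or traversing path"))
        elif m.isdev():
            unsafe.append((m.name, "device node"))
    return unsafe


def check_upload(tar_bytes):
    """Inspect an uploaded archive (as bytes) and return the unsafe entries."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        return find_unsafe_members(tar)


def safe_extract(tar_bytes, dest):
    """Extract only if every member passed the check; otherwise refuse."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        bad = find_unsafe_members(tar)
        if bad:
            raise ValueError("refusing to extract: %s" % bad)
        tar.extractall(dest)


def build_sample_tar(with_symlink=True):
    """Constructed sample archive: a plain file, plus (optionally) a symlink
    named `share` whose target is the filesystem root `/`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        info = tarfile.TarInfo("notes.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        if with_symlink:
            link = tarfile.TarInfo("share")
            link.type = tarfile.SYMTYPE
            link.linkname = "/"
            tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    print(check_upload(build_sample_tar()))          # [('share', "link entry pointing at '/'")]
    print(check_upload(build_sample_tar(False)))     # []
```

On Python 3.12 and later (and the point releases the fix was backported to), `tar.extractall(dest, filter="data")` rejects the same classes of entries; the explicit pre-check above is kept so the refusal is logged with a reason and works on older interpreters.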

full article [https://circleous.blogspot.com/2021/04/why.html](https://circleous.blogspot.com/2021/04/why.html)

Original writeup (https://circleous.blogspot.com/2021/04/why.html).