B'omarr Style, WEB 200 points
In this challenge we have to exploit a path traversal vulnerability in the JWT "kid" header in order to forge and sign our own JWT, and then gain RCE through pickle deserialization of the token payload.
- The application lets us create a user and log in.
- If the login is successful the application gives us a JWT; let's analyze the header of the token.
- As we can see, the alg field tells us that the algorithm used to sign the cookie is HS256 (which stands for HMAC-SHA256). The kid (key identifier) parameter, whose purpose should be to identify a specific key within a set of keys, seems to point to a file named
- Analysis of the payload part of the token
This is tricky: usually the payload part of a token contains JSON, but in this case it seems to contain unreadable characters and is certainly not valid JSON. Still, we can recognize some words inside it, for example the username used to log in and the role.
Let's see which bytes we have in this payload part:
It seems reasonable to look for something Python-related, since the response coming from the server contains the header
Server: Werkzeug/1.0.1 Python/3.6.9, which tells us which back-end is used.
If we search for "python serialized data example", we find resources showing that a serialized Python object follows the same pattern as our JWT payload, so we can assume that this is the case.
The general idea is to tamper with the kid field in order to force the web application to verify the signature using a file with well-known contents; this way we control the key the web application uses. If we can craft the cookie, we can gain RCE by replacing the payload part with our own malicious Python object.
To do that I built a Python script. In this script you can see that I picked the /proc/sys/kernel/randomize_va_space file, which should be present on every modern Linux system and whose contents (by default) are:
$ cat /proc/sys/kernel/randomize_va_space | xxd
00000000: 320a    2.
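As an added example (not the challenge's code nor the author's script), here is a minimal HS256 verifier that shows the kid-as-file-path bug beside its hardened form, where kid is only a name looked up in a fixed keyring and the payload is parsed as JSON rather than unpickled. KEY_DIR, KEYRING and the secret are assumed values.

```python
import base64
import hashlib
import hmac
import json
import os

KEY_DIR = "/srv/app/keys"                               # assumed key directory (hypothetical)
KEYRING = {"app-key-1": b"constructed-server-secret"}   # hardened: kid is a name, not a path

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def resolve_key_vulnerable(kid: str) -> bytes:
    # BUG: os.path.join discards KEY_DIR when kid is absolute and "../" is never
    # rejected, so kid can name any readable file with predictable contents,
    # e.g. /proc/sys/kernel/randomize_va_space (whose contents are "2\n").
    with open(os.path.join(KEY_DIR, kid), "rb") as fh:
        return fh.read()

def resolve_key_hardened(kid: str) -> bytes:
    # kid is only a lookup name in a fixed keyring; the filesystem is never touched
    key = KEYRING.get(kid)
    if key is None:
        raise ValueError("unknown kid")
    return key

def verify_hs256(token: str, resolve_key):
    # Returns the payload dict if the token verifies under resolve_key, else None.
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        if header.get("alg") != "HS256":            # pin the algorithm, no "none"
            return None
        key = resolve_key(str(header.get("kid", "")))
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(body))      # JSON payload, never pickle
    except (ValueError, OSError):
        return None
```

A token whose kid points at a world-readable file with known contents verifies under resolve_key_vulnerable but is rejected by resolve_key_hardened, which is the check the challenge application was missing.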
I exploited the RCE using a blind time-based technique to extract the flag.txt contents, but reading other writeups I noticed that I could have used a Python reverse shell payload to get a shell on the server.