Below you can find my solution for the Postboard task from BlazeCTF 2016.
Proof of Concept:
We got an ELF file. After checking it in a disassembler, it seems to be a Python-to-ELF build made with Freeze, which embeds the marshalled bytecode of every module inside the binary.
At 0x881D40 we can find
The most important module to us is __main__, stored at
After dumping this region it looks like
Freeze stores each module as a bare marshalled code object, without the .pyc header, so we prepend the magic number (the value PyImport_GetMagicNumber returns, followed on Python 2 by a four-byte timestamp) to it and try to convert the result to .py using, for example, Easy Python Decompiler.
You can also dump all modules using this little Python script (credits to 1amtom):
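The dumping step, as an added illustration that is not 1amtom's script or any code from the writeup: it walks a `_PyImport_FrozenModules` array (the Python 2 / pre-3.11 `struct _frozen` layout on x86-64 is assumed), prepends the `.pyc` header for the running interpreter, and checks the result by unmarshalling and executing it. The "binary" it works on is a constructed flat image laid out by `build_demo_image`, not the CTF ELF; with a real dump you would translate segment addresses to file offsets in the same way.

```python
"""Rebuild .pyc files from a frozen-module table (added example, not the writeup's script)."""
import importlib.util
import marshal
import struct
import sys

# One `struct _frozen` entry on x86-64 for CPython 2.x (and 3.x before 3.11):
#   const char *name; const unsigned char *code; int size;   -> 8 + 8 + 4 (+4 pad)
FROZEN_ENTRY = struct.Struct("<QQi4x")


def parse_frozen_table(image, base, table_va):
    """Walk _PyImport_FrozenModules in a flat memory image.

    `image` holds the loaded binary and `base` is the virtual address of
    image[0]; on a real ELF you would map segment addresses to file offsets
    the same way.  The array ends with an entry whose name pointer is NULL.
    """
    modules = {}
    off = table_va - base
    while True:
        name_ptr, code_ptr, size = FROZEN_ENTRY.unpack_from(image, off)
        if name_ptr == 0:
            break
        start = name_ptr - base
        name = image[start:image.index(b"\0", start)].decode()
        # A negative size flags a package (its __init__); the blob length is abs(size).
        code_off = code_ptr - base
        modules[name] = image[code_off:code_off + abs(size)]
        off += FROZEN_ENTRY.size
    return modules


def pyc_header(mtime=0, source_size=0):
    """Header a .pyc decompiler expects in front of the marshalled code object.

    MAGIC_NUMBER is what PyImport_GetMagicNumber() returns for this interpreter;
    the rest of the header grew over time, so its length depends on the version.
    """
    magic = importlib.util.MAGIC_NUMBER
    if sys.version_info >= (3, 7):
        return magic + struct.pack("<III", 0, mtime, source_size)  # flags, mtime, size
    if sys.version_info >= (3, 3):
        return magic + struct.pack("<II", mtime, source_size)
    return magic + struct.pack("<I", mtime)  # Python 2 (the CTF target): magic + mtime


def frozen_to_pyc(code_blob):
    """Turn a frozen module's bare marshal data into a loadable .pyc image."""
    return pyc_header() + code_blob


def load_pyc(pyc_bytes):
    """Reverse of frozen_to_pyc: check the magic, strip the header, unmarshal."""
    if pyc_bytes[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("magic number does not match this interpreter")
    return marshal.loads(pyc_bytes[len(pyc_header()):])


def build_demo_image(base=0x400000):
    """Constructed stand-in for the binary's data section (not the CTF ELF):
    module names, marshalled code blobs and the frozen table laid out flat."""
    sources = {
        "__main__": "def greet():\n    return 'hello from frozen __main__'\n",
        "helper": "VALUE = 42\n",
    }
    blobs = {n: marshal.dumps(compile(src, n, "exec")) for n, src in sources.items()}
    image = bytearray()
    name_va, code_va = {}, {}
    for n, blob in blobs.items():
        name_va[n] = base + len(image)
        image += n.encode() + b"\0"
        code_va[n] = base + len(image)
        image += blob
    table_va = base + len(image)
    for n, blob in blobs.items():
        image += FROZEN_ENTRY.pack(name_va[n], code_va[n], len(blob))
    image += FROZEN_ENTRY.pack(0, 0, 0)  # NULL terminator ends the array
    return bytes(image), base, table_va


def recover_main():
    """Dump every frozen module, rebuild __main__ as a .pyc and run it."""
    image, base, table_va = build_demo_image()
    modules = parse_frozen_table(image, base, table_va)
    ns = {}
    exec(load_pyc(frozen_to_pyc(modules["__main__"])), ns)
    return sorted(modules), ns["greet"]()


if __name__ == "__main__":
    print(recover_main())
```

A decompiler only needs the header bytes to be the right length for the interpreter that produced the bytecode; the timestamp and size fields can stay zero. If the magic does not match the decompiler's expectations, the blob came from a different Python version than the one you assumed.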
So now we have the full task source code:
Here we need to exploit cPickle.loads, which deserializes an object from untrusted user input.
More about this class of attack can be read here.
By default Flask signs the session cookie when app.secret_key is set, so a client cannot tamper with it without the key.
Lucky for us, we have the secret value recovered from the ELF file, so we can sign any cookie we like.
Normally we would simply read the ../flagdir/flag file and send it to ourselves using, for example:
But it won't work. Why? Because of chroot('.'): we are inside a chroot jail, so the flag file is outside the filesystem the process can see.
So instead of reading files, we need to read the flag from the global posts variable using
For signing the cookie I created a small Flask app which encodes the payload and creates a valid cookie:
So now we open http://localhost:1337 in the browser, read the session cookie value and then send a new request with it to the task server.