0x0 App - Script

mardi 9 octobre 2018, 23:42  #1
App - Script - Python Pickle - doubts at start
  • 3 posts

can you help me to solve the Python Pickle challenge in App Script topic ?
If I click on "Start Challenge", I’m not able to connect to tcp ://http://challenge02.root-me.org:60005.

I tried to connect to http://http://challenge02.root-me.org:60005 and I get the message ""result" : "Not allowed you should first AUTH"", then I don’t know how can I continue, I don’t know if there is a useful tool for this, I don’t know where I can insert input.

Thank you in advance

mercredi 10 octobre 2018, 12:01  #2
App - Script - Python Pickle - doubts at start
  • 196 posts

Try AUTH request instead of GET request

samedi 13 octobre 2018, 22:51  #3
App - Script - Python Pickle - doubts at start
  • 3 posts

How can I try with AUTH request ?

I tried to use Burp and Wireshark. When Burp intercepts the request, Wireshark captures these packets :

what i send :

- ¶ÒAàR’\KEx
ê¾ø£ÎGET / HTTP/1.1
Host : challenge02.root-me.org:60005
User-Agent : Mozilla/5.0 (X11 ; Linux x86_64 ; rv:60.0) Gecko/20100101 Firefox/60.0
Accept : text/html,application/xhtml+xml,application/xml ;q=0.9,*/* ;q=0.8
Accept-Language : en-US,en ;q=0.5
Accept-Encoding : gzip, deflate
Connection : close
Upgrade-Insecure-Requests : 1

and what I receive :

ø£×ê¾Server : BaseHTTP/0.3 Python/2.7.6
Date : Sat, 13 Oct 2018 20:23:12 GMT
Content-type : text/plain

"result" : "Not allowed you should first AUTH"

I tried to use a small Python script like :

# !/bin/python3.7

import requests

req = requests.request(’AUTH’, ’http://challenge02.root-me.org:60005’)

but I don’t receive any output on stdout, I don’t know how I can try with AUTH request. Sorry for my noobness.

dimanche 14 octobre 2018, 20:55  #4
App - Script - Python Pickle - doubts at start
  • 3 posts

I’m on the last part of the challenge. I tried with AUTH request and when I insert the Authenticate header (Authenticate : ), if I insert after the ’ :’ some word, I get an error that refers to authcombi = pickle.loads(base64.b64decode(self.headers.getheader(’Authenticate’)))

So I guess that what I insert after the ’ :’ goes inside authcombi. I tried to insert some command like ’ls’ or related Base64 (since I see a b64decode method) but nothing occurs. Furthermore I read on Internet that pickle.loads wants as argument a file.

How can I exploit this pickle method ?