App - Script

Tuesday 9 October 2018, 23:42  #1
App - Script - Python Pickle - doubts at start
PwnMyWife
  • 5 posts

Hi,
can you help me to solve the Python Pickle challenge in App Script topic?
If I click on "Start Challenge", I’m not able to connect to tcp://http://challenge02.root-me.org:60005.

I tried to connect to http://http://challenge02.root-me.org:60005 and I get the message '"result": "Not allowed you should first AUTH"', then I don’t know how I can continue: I don’t know if there is a useful tool for this, and I don’t know where I can insert input.

Thank you in advance

Wednesday 10 October 2018, 12:01  #2
App - Script - Python Pickle - doubts at start
Th1b4ud
  • 1636 posts

Try AUTH request instead of GET request

Saturday 13 October 2018, 22:51  #3
App - Script - Python Pickle - doubts at start
PwnMyWife
  • 5 posts

How can I try with AUTH request?

I tried to use Burp and Wireshark. When Burp intercepts the request, Wireshark captures these packets:

What I send:

 ¶ÒAàR’\KEx
@@úÀ¨hÔ&àݦêeç-&-å¾Ü
ê¾ø£ÎGET / HTTP/1.1
Host: challenge02.root-me.org:60005
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

and what I receive:

’\K-¶ÒAàREÇ·Ñ@6ÎíÔ&àÀ¨hêeݦ&-0çOëi
ø£×ê¾Server: BaseHTTP/0.3 Python/2.7.6
Date: Sat, 13 Oct 2018 20:23:12 GMT
Content-type: text/plain

"result": "Not allowed you should first AUTH"

I tried to use a small Python script like:

#!/bin/python3.7

import requests

# Send a request with the custom AUTH method instead of GET
req = requests.request('AUTH', 'http://challenge02.root-me.org:60005')
# Print the result, otherwise nothing is written to stdout when run as a script
print(req.status_code)
print(req.text)

but I don’t receive any output on stdout, so I don’t know how I can try an AUTH request. Sorry for my noobness.

Sunday 14 October 2018, 20:55  #4
App - Script - Python Pickle - doubts at start
PwnMyWife
  • 5 posts

Hi,
I’m on the last part of the challenge. I tried with an AUTH request, and when I insert the Authenticate header (Authenticate: ) with some word after the ’:’, I get an error that refers to authcombi = pickle.loads(base64.b64decode(self.headers.getheader(’Authenticate’)))

So I guess that what I insert after the ’:’ goes inside authcombi. I tried to insert some command like ’ls’ or its Base64 encoding (since I see a b64decode method) but nothing occurs. Furthermore, I read on the Internet that pickle.loads wants a file as its argument.

How can I exploit this pickle method?
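The line quoted in the post above, pickle.loads(base64.b64decode(...)) applied to a request header, is the textbook unsafe-deserialization pattern: pickle will resolve and call any global the byte stream names, so feeding it client-controlled data hands control to the client. The following is an added example (not code from the thread, from Root-Me, or from the challenge server) of how a defender would harden that exact line: subclass pickle.Unpickler and override find_class so that only whitelisted builtin data types can be resolved, which is the mitigation the Python documentation itself describes. The header values, the (user, password) tuple and the datetime.date used as a rejected sample are constructed here for the demonstration; the server-side names load_authcombi and make_header are assumptions, not the challenge's API.

```python
import base64
import builtins
import datetime
import io
import pickle

# Whitelist of plain data types a token may contain. Anything else
# (functions, classes, modules) is refused before pickle can construct it.
SAFE_BUILTINS = frozenset({
    "str", "bytes", "int", "float", "bool",
    "list", "tuple", "dict", "set", "frozenset",
})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves whitelisted builtins in find_class."""

    def find_class(self, module, name):
        # pickle calls this for every GLOBAL/STACK_GLOBAL reference in the
        # stream; refusing here means the object is never looked up or called.
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads with the whitelist applied."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_authcombi(header_value: str):
    """Hardened form of the quoted server line (hypothetical name):
    base64-decode the Authenticate header, then unpickle restrictively."""
    return restricted_loads(base64.b64decode(header_value))


def is_rejected(header_value: str) -> bool:
    """True if the restricted unpickler refuses the header value."""
    try:
        load_authcombi(header_value)
    except pickle.UnpicklingError:
        return True
    return False


def make_header(obj) -> str:
    """Build a header value the way a legitimate client would (constructed)."""
    return base64.b64encode(pickle.dumps(obj)).decode("ascii")


# Constructed sample inputs: a plain (user, password) tuple is accepted,
# while a pickle that references any class outside the whitelist, here the
# harmless datetime.date, is refused before it is instantiated.
SAFE_HEADER = make_header(("alice", "secret"))
REJECTED_HEADER = make_header(datetime.date(2018, 10, 13))

if __name__ == "__main__":
    print(load_authcombi(SAFE_HEADER))
    print(is_rejected(SAFE_HEADER), is_rejected(REJECTED_HEADER))
```

Two design notes. First, the whitelist is deliberately data-only: even a harmless class like datetime.date is refused, because the check is "is this name known safe", never "does this name look dangerous". Second, a restricted unpickler is a containment measure for code that must keep accepting pickles; when the format is under your control, a credential header should carry JSON (or a signed token) and never a pickle at all, which removes the deserialization surface instead of fencing it.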