Baby Website Rick: Exploring Python Pickle Module and Web Cookies
Introduction:
Welcome to another chapter of our cybersecurity journey. Today's adventure unravels the eccentricity of 'Baby Website Rick,' a fascinating challenge that requires us to prevent Rick from turning back into a human using anti-pickle serum, or risk facing family therapy sessions - a prospect none of us relish!
Machine Name: baby website Rick
Difficulty: Easy
Category: Web
DESCRIPTION
Look Morty, look! I turned myself into a website Morty, I'm Website Rick babyyy!! But don't play around with some of them anti pickle serum I have stored somewhere safe, if I turn back to a human I'll have to go to family therapy and we don't want that Morty.
Kickstarting the Machine:
Upon spawning the machine, we acquired the IP and fired up our browser.

The website greeted us with a warning: "Don't play around with this serum morty!!" followed by an object reference, "<__main__.anti_pickle_serum object at 0x7f4e4a91d850>."
Delving into Python's Pickle Module:
The pickle module is a Python staple, used to serialize (convert Python objects into a stream of bytes) and deserialize (reconstruct the objects from the byte stream). However, Python's official documentation warns that pickle is not secure: unpickling data from an untrusted or unknown source can execute arbitrary code.
Inspecting Cookies:
In this context, we aimed to inspect the website for cookies. Why? Because cookies often hold valuable data, and since they frequently carry serialized state, they could prove to be the key to this challenge. Sure enough, we discovered a cookie named 'plan B'.

Decoding the Mystery:
The 'plan B' cookie contained a base64-encoded string, which we had to decode. Here, we could either use base64 in the terminal or Python's base64 and pickle modules. Once decoded, we obtained a serialized (pickled) dictionary object.

Creating the PoC with the Python Module:
Unpickling the decoded bytes with the Python module, however, raised an error: "AttributeError: Can't get attribute 'anti_pickle_serum' on <module '__main__' (built-in)>". This message indicates that the Python interpreter could not find a class named 'anti_pickle_serum' to reconstruct the object with.

Getting Past Errors:

To address this issue, we defined a class 'anti_pickle_serum' and then re-ran the previously failed code. This time, no errors surfaced, and we were greeted with a message confirming that the cookie is indeed a pickled dictionary object.

Next, we utilized the __reduce__() method in the Python script. This method tells pickle how an instance of the class should be rebuilt: it returns a callable and its arguments, and the unpickler invokes that callable when it loads the data. In our case, we made it return the output of the 'whoami' command.


Understanding the Role of Protocols:

Here, we encountered an internal server error when replaying the request in Burp Repeater. To address this, we modified the script to call 'pickle.dumps()' with the parameter 'protocol=0'. Protocols dictate how objects are serialized; 'protocol=0' is the original, ASCII-only protocol, so the serialized objects are human-readable and are understood by older Python versions.

Using this protocol gave us output that looked like our original cookie value. We repeated the process in Burp and got a status of '200 OK', indicating we were on the right track.

Alterations and Command Execution:
To further our investigation, we replaced the 'whoami' command with the 'ls' command. However, we had to use 'subprocess.check_output' instead of 'os.system' to retrieve the output of 'ls'. The reason: 'os.system' runs the command but only returns its exit status, so the command's output never makes it into the server's response.

Why Python 2 instead of Python 3?

Interestingly, running our script in Python 3 resulted in an internal server error, implying the server might be running Python 2. Thus, we reverted to Python 2, which generated a successful response.

Getting the Flag:

Next, we changed our command from 'ls' to 'cat' to read the contents of the flag file.

Upon repeating the process in Burp with the new cookie value, we were rewarded with the coveted flag!

Conclusion:
Our adventure with Baby Website Rick demonstrates the risk posed by Python's pickle module when it is fed cookies the client controls and the server deserializes without validation. It also underlines the importance of understanding how data serialization and deserialization work in Python. As always, stay vigilant and keep exploring!
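To show the defensive side of the same mechanism, here is an added example (not code from the challenge or the write-up) that reproduces the cookie format described above and contrasts plain pickle.loads with a restricted unpickler. The anti_pickle_serum class body, the cookie contents and the CallOnLoad object are assumptions constructed for the demo; the harmless os.getcwd stands in for the write-up's subprocess call.

```python
import base64
import io
import os
import pickle

class anti_pickle_serum:
    # Stand-in for the challenge's class; its real body is not shown in the write-up.
    def __reduce__(self):
        return (anti_pickle_serum, ())

class CallOnLoad:
    # Constructed object: __reduce__ makes the unpickler import and call a function.
    # The write-up's payload named subprocess; the harmless os.getcwd stands in here.
    def __reduce__(self):
        return (os.getcwd, ())

def make_cookie(obj):
    # Mirror the 'plan B' cookie format: protocol 0 (ASCII pickle) wrapped in base64.
    return base64.b64encode(pickle.dumps(obj, protocol=0)).decode()

class RestrictedUnpickler(pickle.Unpickler):
    # Resolve only an explicit allowlist of globals; any other module.name reference
    # (subprocess.check_output, os.system, ...) is refused before it is imported or called.
    ALLOWED = {(anti_pickle_serum.__module__, "anti_pickle_serum"): anti_pickle_serum}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return self.ALLOWED[(module, name)]
        raise pickle.UnpicklingError("refusing to load global %s.%s" % (module, name))

def safe_load_cookie(cookie):
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(cookie))).load()

def safe_load_rejects(cookie):
    # True when the restricted loader refuses the cookie instead of executing it.
    try:
        safe_load_cookie(cookie)
    except pickle.UnpicklingError:
        return True
    return False

def demo():
    legit = make_cookie({"serum": anti_pickle_serum()})  # what the app itself would issue
    hostile = make_cookie(CallOnLoad())                  # what a tampered cookie looks like
    return {
        "legit_loads": isinstance(safe_load_cookie(legit)["serum"], anti_pickle_serum),
        # plain pickle.loads, as the vulnerable server does it, runs the callable
        "unsafe_runs_callable": pickle.loads(base64.b64decode(hostile)) == os.getcwd(),
        "safe_rejects_hostile": safe_load_rejects(hostile),
    }
```

An allowlist limits the damage, but the stronger fix is to keep pickle away from client input altogether: store session state server-side or in a JSON cookie, and sign cookies (for example with HMAC) so tampered values are rejected before any parsing.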