tl;dr: a ready-to-go script is available at my Gist.
Recently a vulnerability was discovered in Python's PyYAML library, which allowed for arbitrary code execution through YAML data deserialization. The original issue report and NVD's vulnerability description have enough details about the case, so below I'll just outline how to actually make it work.
The commits and tests linked in the GitHub issue show that the construct_python_object_apply function present in FullConstructor (used by FullLoader) is able to set a "state" property on the object being created.
Short background: recently I had to access an Oracle database and make a dump of it. The database was on a remote server that was accessible only via a VPN I had access to from my laptop. I didn't have Oracle tools (like expdp or impdp) installed locally, though. Installation of those things on my local Ubuntu could be troublesome, and I couldn't find a suitable Docker image to use out of the box.
This is a write-up of a HackTheBox machine named Jarvis.
Enumeration
One of the ports exposed on the server was an HTTP port that served a hotel website. After a quick glance at the URLs I noticed that the subpage http://supersecurehotel.htb/room.php?cod=2 is vulnerable to SQL injection: passing the cod parameter as 2*2 returned the page for room no. 4. The sqlmap tool automates looking for the right payload, and with the default options in wizard mode it returned all of the database content along with the hashed, but simple, password of the database user.
This is a write-up of a HackTheBox machine named Craft. Disclaimer: the machine became available on 13.06.2019 and retired around January 5th 2020.
Enumeration
The first thing was to discover open ports on the server:
root@kali:~# nmap 10.10.10.110 -p 0-49999
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-13 15:10 EDT
Nmap scan report for craft.htb (10.10.10.110)
Host is up (0.056s latency).
Not shown: 49997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
6022/tcp open  x11
Nmap done: 1 IP address (1 host up) scanned in 63.