
Nebula Level17: A Newbie’s Approach

On level17 we have a Python script listening on port 10007. In order to solve this challenge we’ll have to connect to this port and provide some input.


What you’ll need to know…

  • Python



Looking at the code, we can identify one module that is known to be vulnerable. On top of that, it receives input from the user, so it’s probably a good place to start testing.

Before we actually start doing anything, take a look at the documentation of the pickle module. It allows you to serialize and de-serialize Python structures.
Let’s run an example.


If we execute this Python script, it’ll produce a file, pickled.


Contents of pickled

Now, let’s feed this file to the main Python script.


This pickle module was new to me, so I did some research and ended up finding a BlackHat presentation by Marco Slaviero. I’ll use his technique to solve challenge level17.

Like the previous exercise, I’ll take advantage of this vulnerability to compile a SUID program. Let’s take a peek at my pickled file.


Simple. Now it’s just a matter of feeding this file to the program running on port 10007. For this, use nc 10007 < pickled. Exit and list the files under /home/flag17, where you’ll see the following files.


Run the SUID program and collect the flag 🙂

Result level17

One more, two left.

Challenges completed: 18/20



The easiest way to solve this problem is to not use pickle at all. But I believe that in some cases this will be a half measure, because the main problem is the source of the data. So, as suggested in the previous articles, always sanitize input and don’t trust any source.
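
The two fixes described above, as an added example that is not code from the original post or from the Nebula level. It assumes Python 3; `NoGlobalsUnpickler`, `safe_loads`, `is_rejected`, `parse_message` and the sample inputs are hypothetical names and constructed values.

```python
import io
import json
import pickle


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup, so only plain data loads."""

    def find_class(self, module, name):
        # Every GLOBAL / STACK_GLOBAL opcode is resolved through this hook.
        # Resolving names to callables is what lets a pickle run code.
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data: bytes):
    """Load a pickle that contains only primitives and containers."""
    return NoGlobalsUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the restricted unpickler refuses the stream."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def parse_message(data: bytes, max_len: int = 4096) -> dict:
    """Preferred fix: accept JSON from the socket instead of pickle."""
    if len(data) > max_len:
        raise ValueError("message too large")
    obj = json.loads(data.decode("utf-8"))  # malformed JSON raises ValueError
    if not isinstance(obj, dict):
        raise ValueError("expected a JSON object")
    return obj


# Constructed sample inputs (not taken from the level).
PLAIN = pickle.dumps({"user": "level17", "items": [1, 2, 3]})
WITH_GLOBAL = pickle.dumps(len)  # harmless, but stored as a reference to builtins.len

if __name__ == "__main__":
    print(safe_loads(PLAIN))
    print("global reference rejected:", is_rejected(WITH_GLOBAL))
    print(parse_message(b'{"cmd": "ping"}'))
```

A restricted unpickler only narrows what a stream may reference; parsing a data-only format such as JSON removes the problem class entirely.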



