Project Sekai
🔒 GDG Algiers CTF 2022 / ❌-web-perfect-model
Avatar
Perfect Model - 500 points
Category: Web
Description:
> I've heard that we have some of the finest AI players here. Let's test that out. Can you make a perfect model?
Author: Aymen
Files:
Tags: AI
Sutx pinned a message to this channel. 10/07/2022 11:01 AM
Avatar
@jayden wants to collaborate 🤝
Avatar
ok so i would guess server will validate our model against our existing training data, then see if class if acc/unacc
14:23
i think decision tree should work? because it's always branch based
Avatar
hm ok so the data app they were using is Streamlit 1.12.2 while 1.13 was released 15 days ago, not sure if that's sth https://github.com/streamlit/streamlit/compare/1.12.2...1.13.0 (edited)
Avatar
sahuang Today at 14:27
For Web - Perfect Model
Do we get to know server predict logic? e.g. it will give a record of string then ask for category? Since after server loads my model.pkl, it needs to call predict on some entries, but whats the input features format? Do we need to guess? e.g. its string features or they are turned into enum/ints?
Ouxs Today at 14:32
no you don't get to see such info and there is no guessing needed in order to solve the challenge
Can't say anything more because it will be a hint (if we saw after some time that no one solved it, we will give more details)
sahuang Today at 14:32
ok, i see, but is this chall related to web? because the only thing seems to be upload my model
m0kr4n3 Today at 14:33
otherwise we wouldn't put it in web category
15:06
Here's my ask to admin
15:06
idk feels like misc or some shit
15:06
with the AI stuff
Avatar
the AI stuff shouldnt be hard, but i dont know their input
15:07
the input is supposed to be scalar but it's string now
15:07
and they said its web, so must have sth to do with the webpage
Avatar
@strellic wants to collaborate 🤝
Avatar
so i got a pkl model which works on all training data but gives error 400
15:24
nvm refreshed and run
15:24
ValueError
15:24
LOL
Avatar
@22sh wants to collaborate 🤝
Avatar
ok it may be because of string input
15:28
probably need some hints on the web part, because for AI part, need to know the feature used on server side and that's unknown to us
15:30
One workaround is to use https://scikit-learn.org/stable/developers/develop.html#estimator-tags and override X_types to string
15:35
The author loves pickle so much lol, jail - Kevin Higgs: The Revenge is also a pickle thing from Angstrom
15:37
guess ill wait for hint if available, it doesnt seem solvable with pure AI ==
Avatar
talked to admin again, not intended to solve this way, its a web so still it's about web exploit
Avatar
hmm time to start reading src ig
17:01
kinda annoying no clear path to flag
Avatar
they dont have src?
17:05
i didnt even check
17:05
dang
17:05
i thought server side logic is hidden
17:05
as they said no need to guess input logic in server
Avatar
nah i mean src of streamlit to see if theres any way to get more info about whats running
Avatar
ah, i see
17:43
i will wait for their hint
Avatar
@Violin wants to collaborate 🤝
19:52
hint 2
19:52
If it's on the web, it means that part of it includes a web vulnerability.
Avatar
Avatar
jayden
nah i mean src of streamlit to see if theres any way to get more info about whats running
this might be right path
19:52
i think its about streamlit 1.2.12 vuln?
19:52
maybe they patched in 1.13
Avatar
Avatar
sahuang
hm ok so the data app they were using is Streamlit 1.12.2 while 1.13 was released 15 days ago, not sure if that's sth https://github.com/streamlit/streamlit/compare/1.12.2...1.13.0 (edited)
im reading this
Avatar
@crazyman ai wants to collaborate 🤝
Avatar
could any web guy give a pickle file that unpickles to get some payload execution
23:45
hm im not sure, the hint prob means there's sth to do with pickle vuln?
Avatar
@Zafirr wants to collaborate 🤝
Avatar
@Zafirr AI guy?
Avatar
not really but ive made simple models before
Avatar
i made a model already but its not the right track
22:26
hint 2 mentioned its related with web
22:26
and input is actually string
Avatar
its probably pickle vuln no?
Avatar
yeah same suspect
22:27
but admin said it's also related to AI, "you will know when you solve it"
22:27
i was thinking server calls pickle.load, then somehow trigger something predicting 100%
22:30
I wanted to get a .pkl file where after load can trigger some printing
22:30
do you know how to generate one?
22:30
e.g. os.system("ls -l") is triggered (edited)
Avatar
reverse shell?
Avatar
yeah, did some research, all payload are base64 and if i convert to bytes to write into pkl, doesnt work
22:31
lemme retry
22:33
```python
import pickle
import base64
import os


class RCE:
    def __reduce__(self):
        cmd = ('ls -l')
        return os.system, (cmd,)


if __name__ == '__main__':
    open("out.pkl", "wb").write(pickle.dumps(RCE()))
```
(edited)
22:35
also public.csv is given for a reason, but i think it's next step
22:35
we can hardcode inputs to match output with 100% accuracy
22:36
but issue is we dont know input format, and author said thats not required to solve, so this must be web part
Avatar
Avatar
sahuang
import pickle import base64 import os class RCE: def __reduce__(self): cmd = ('ls -l') return os.system, (cmd,) if __name__ == '__main__': open("out.pkl", "wb").write(pickle.dumps(RCE())) (edited)
no surprise
22:36
and they said sklearn BaseEstimator only
Avatar
pkl seems to have some problem of security?
Avatar
it does
Avatar
like the kmh challenge of Dice@Hope
Avatar
but idk how to trigger
23:29
always value error
23:29
ill check that
Avatar
  • blackbox pickle jail challenge *
Avatar
might wait for writeup, no idea, will still try MLM
Avatar
@Guesslemonger wants to collaborate 🤝
Avatar
Guesslemonger 10/09/2022 10:17 AM
i remember using utf pickle payload in 1st ctf here
10:20
valueerror hmm
10:20
sklearn shit rce
Avatar
yeah value error
Avatar
Guesslemonger 10/09/2022 10:21 AM
i can modify a sklearn baseestimator pickle no?
Avatar
idk how to modify a pickle
10:22
but yeah probably can
Avatar
will check writeup, too burnt for this lmao