Have you been burned by the serial maze?Welcome! This is a safe space to air out all your serial maze comments, challenges, and anything else.🙃

Something about pickles? 🥒🥒🥒

From my very rough notes (thanks Vlad! ;p): "You need to pickle the co-ordinates, then sign them using itsdangerous" (looking at previous labs in the series may help work out how the co-ordinates are normally passed). I had no need for rockyou after picking up the not-so-subtle hint in the following screenshot... ;p

Thanks a lot for this amazing hint autom8on, I think I am almost there but I am still missing something. I skipped the rockyou and followed your hint about the not-so-subtle hint. The correct approach is to create a .py file where i define the coords, pickle it, Signer the secret and obtain the token in b64, am I ok or I am totally lost haha?

Sabrina mentioned in another post. "I would recommend having a look at the Browser Developer Tools: Console and JavaScript Execution lab, as there is some overlap in the tasks. We don't have an offensive lab on Python pickles, but you may find Python: Insecure Deserialization useful, including the further reading linked at the end. Good luck!"In the Insecure Deserialization it mentions "The developers of a GPS fitness tracking application unfortunately implemented the feature to upload jogging routes vulnerable to insecure deserialization attacks, since they decided to use the insecure pickle format. Your task is to remediate this vulnerability using the more secure JSON format."So maybe this can be of help.

Serial Maze Support Group | Immersive Community

23 Replies

autom8on
Silver I
2 months ago
:-)
- SamDickison
  Community Manager
  2 months ago
  🎉 Niiiiice 😎
- sabil10
  Bronze II
  2 months ago
  I'm stuck on serial maze, found one endpoint, it says "What a pickle... You need the secret to continue." not sure how to proceed from here
  - Nneka_AN
    Silver I
    2 months ago
    Hi sabil10
    I see you have also been burned by the maze. Welcome to the support group 😅
    Hopefully, autom8on, domel44, or jamesstammers might be able to provide some assistance.
    Alternatively, if you read through the thread on this page, you might be able to pick up some clues to help. 🤩
- Nneka_AN
  Silver I
  2 months ago
  🤩 Wow!! Well done autom8on Steve! 👏
  This gives hope to others in the support group 🙃
  When will you be holding the serial maze masterclass? 👀
SamDickison
Community Manager
2 months ago
Something about pickles? 🥒🥒🥒
- Nneka_AN
  Silver I
  2 months ago
  I'm side-eyeing every single pickle to see if they contain secrets 😣
GusC
Bronze III
15 days ago
Is there another lab we can reference or redo that will assist with the coordinates component?
- DG
  Bronze III
  15 days ago
  Sabrina mentioned in another post. "I would recommend having a look at the Browser Developer Tools: Console and JavaScript Execution lab, as there is some overlap in the tasks. We don't have an offensive lab on Python pickles, but you may find Python: Insecure Deserialization useful, including the further reading linked at the end. Good luck!"
  
  In the Insecure Deserialization it mentions "The developers of a GPS fitness tracking application unfortunately implemented the feature to upload jogging routes vulnerable to insecure deserialization attacks, since they decided to use the insecure pickle format. Your task is to remediate this vulnerability using the more secure JSON format."
  
  So maybe this can be of help.
  - Nneka_AN
    Silver I
    10 days ago
    Thank you, DG!
- SamDickison
  Community Manager
  15 days ago
  SabrinaKayaci might be able to advise you on that.
Nneka_AN
Silver I
2 months ago
🙃
Despite finding the 🥒 (Thanks to autom8on for the prompt in the right direction), I'm stumped on how to get to the endpoint 😩
Any more clues from the kind immersers that have already conquered this maze? 👀
- domel44
  Bronze II
  2 months ago
  itsdangerous
  token > secret_key > 🥒 > answer
  - jamesstammers
    Bronze III
    2 months ago
    Do you need to find the secret_key before sending the pickle payload? or use a pickled payload to find it?