This writeup covers a 300-point web mission we solved during PlaidCTF 2011. We had access to a simple guestbook with a form and tried, unsuccessfully, to trigger a bug in it. At first we thought the vulnerability might be a flaw in CSRF handling, because of the advisory published last February. The app was reacting strangely to the CSRF cookie, (re)setting it multiple times, but then the organizers removed the CSRF check altogether.
We were stuck at this point until a hint was given: the Django settings file contained a reference to a memcached server. We hadn't tried to port-scan the server because this mission was labelled "web", but with this new information we tried to connect to the given memcached port, and it was open. A presentation on exploiting open memcached servers had been given at Black Hat USA 2010, and a tool, "go-derper", was released with it.
We installed the tool and dumped all of the cached data on the server. The data had been serialized with pickle by Django. From there, we only had to inject a modified pickle string to execute arbitrary commands: the server unpickled whatever we wrote into the cache. We executed netcat to get a connect-back shell and found the key.
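The chain above works because Django's cache framework stores values as pickles, and anyone who can write to an unauthenticated memcached can replace a pickle with one that names a callable for the loader to run. As an added example, not part of the original writeup, the code below shows how a defender can inspect a cache blob for code-capable opcodes without executing it and load it through an unpickler that refuses every import; the guestbook entry, the date object and the function names are constructed for illustration.

```python
import datetime
import io
import pickle
import pickletools

# Opcodes that make load() import a module attribute or call one. A cache entry
# holding plain data (dict/list/str/int/bool/None) never needs any of them, so
# their presence in a blob pulled from memcached is a strong signal. The real
# fix is still to keep memcached off the network: it has no authentication.
CODE_CAPABLE_OPS = frozenset({
    "GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD",
})


def audit_pickle(blob: bytes) -> list:
    """Disassemble without executing and return the code-capable opcodes found."""
    return sorted({op.name for op, _arg, _pos in pickletools.genops(blob)
                   if op.name in CODE_CAPABLE_OPS})


class RestrictedUnpickler(pickle.Unpickler):
    """Defence in depth: even if the audit is skipped, no import can be resolved."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refused to import {module}.{name} from cache data")


def load_cache_value(blob: bytes):
    """Return (True, value) for plain data, or (False, reason) for a rejected blob."""
    suspicious = audit_pickle(blob)
    if suspicious:
        return False, "code-capable opcodes: " + ", ".join(suspicious)
    try:
        return True, RestrictedUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample entries, standing in for what Django would write to memcached.
GUESTBOOK_ENTRY = {"author": "alice", "message": "hello from PlaidCTF", "approved": True}
PLAIN_BLOB = pickle.dumps(GUESTBOOK_ENTRY)
# Even a harmless date object needs GLOBAL/STACK_GLOBAL plus REDUCE to rebuild
# itself: REDUCE calls whatever callable the blob named. That is the mechanism
# the writeup abused with a different callable, so the loader must never run it.
OBJECT_BLOB = pickle.dumps(datetime.date(2011, 4, 24))

if __name__ == "__main__":
    print(audit_pickle(PLAIN_BLOB))  # []
    print(load_cache_value(PLAIN_BLOB))
    print(audit_pickle(OBJECT_BLOB))
    print(load_cache_value(OBJECT_BLOB))
```

Django later switched session data to a JSON serializer by default, but cache values are still pickled, so any writer to the cache store remains a code-execution path worth closing at the network level.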
I would like to thank the PPP for organizing this great CTF. Hope to see you guys next year for PlaidCTF 2012 :)