# Team

- There were two pre-formed teams, all students from a university
 offering security courses (RUB, etc.)
- The three people remaining formed our ad-hoc team, `rm -fr`
- There was an older guy curious to learn and an experienced one with
 a wizard beard
- I was somewhere between, this event made me realize I've got lots of
 practice ahead of me...

# Scenario

- Get user/pass paper slip
- Obtain VPN config
- Connect via VPN, enter user/pass
- Log into internal website with same user/pass
- See list of VMs and their addresses
- Try to obtain flag in `/root/Desktop/token.txt`

# Setup

- Much of this went wrong: we initially weren't able to see any VMs in
 the website listing
- We got a different user/pass, but when we scanned the VMs, all ports
 came up as filtered
- We downloaded a matching VPN config and had issues logging in (typos
 in user/pass)
- Eventually we all made it, 45 minutes in
- We all used some form of live environment and weren't accustomed to
 it at all
- Next time I'll go for QEMU and KVM and customize it a bit instead of
 a fiddly USB stick...

# Strategy

- You'll want to have some kind of collaborative communication channel
 where you can keep notes
- The initial plan was to have a Git repo, but we went for a
 password-protected Etherpad session instead
- Everyone did a breadth-search on the VMs first, then later we did a
 depth-search together on a specific one where we found something
 promising
- If all you get is an IP address, use `nmap` to figure out services
- From then on find some way to execute commands
- Check your privilege
- Escalate to root
- Obtain the flag
- We discovered every VM had port 80 open, some had extra ports open
 (like for rpcbind, ssh, mysql, etc.)

# VM 1

- Perl script displaying a simple database, with download/upload
 scripts
- There was a commented out form suggesting an upload script with
 preview functionality
- Except it didn't preview anything...
- The wizard messed around a bit and eventually guessed that the perl
 script accepted a `cmd` parameter for executing shell stuff
- He obtained a reverse shell by spawning `nc` and connecting to it
- He tried executing stuff, but found he was just `www-data`
- We both went through the usual suspects then, `cron` scripts, sudo
 config (no dice), then suid files
- There was a funny looking suid file, `run-as-root`
- We spent way too much time on getting it to do anything useful
- Eventually he uploaded it (by overwriting an existing text file
 served by `www-data` with `mv`) and I did some analysis with an
 outdated `r2`
- I found that it was written in C++11 and didn't seem to be
 obfuscated too much
- Eventually I just used `ltrace` on it and found it spawns a process
 by using the first argument with `popen`, then reads each line with
 `gets` and prints it
- So all you had to do was `run-as-root "cat /root/Desktop/token.txt"`
 (without the quotes it just took `cat` and made the reverse shell
 unusable because there was no way to tell whether you had a prompt
 or not, forcing you to quit and try again)
- Next time, just execute `run-as-root id`
- 10 points

# VM 2

- Uni website with some cutesy assets for download and a download
 script asking for verification
- The wizard found a link to `glass.php` buried in a wall of text
- It gives you a network testing thing and executes shell commands
 against whitelisted IP addresses
- He eventually injected some bash to launch another reverse shell
- We got a helpful hint about upgrading it to an interactive one
 (thereby giving you a prompt, completion, etc.):
 `python -c 'import pty; pty.spawn("/bin/sh")'`
- The wizard looked at the sources and found they were all root-owned
 PHP scripts
- I found a flaw in the verification: it uses something like
 `strcmp($foo, $bar) == 0`, and if `$foo` originates from something
 like a `GET` parameter, you can force it to be interpreted as an empty
 array by providing `foo[]=...` instead of `foo=...` (PHP then emits a
 warning, `strcmp` returns `NULL`, and `NULL == 0` is true)
- The wizard guy used Burp to intercept the requests and manually
 modify them this way
- We could download many files, but not the ones readable by root
- We checked for SUID files, but nothing
- Cron just cleaned up PHP sessions
- We eventually got a hint about `sudo -l`; it showed that `nmap` was
 allowed to be run without providing a password...
- The famous nmap shell escape didn't work because nmap was too new
- I read a bit more and found a note warning people against using
 untrusted nmap scripts (which are used to scan for vulnerabilities)
- Turns out they're written in Lua
- I learned a bit of Lua to shell out, then extended that to a minimal
 nmap script and verified it worked with `strace`
- We fumbled around a lot to get it working with a dumb reverse shell,
 but eventually made it work
- 15 points
- The organizers pointed out we could have used the verification
 bypass on `glass.php` to execute arbitrary commands with the
 necessary privileges and were surprised about our nmap shenanigans
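The verification flaw above, reconstructed as an added example rather than VM 2's actual source (the parameter name `token` and the expected value are assumptions), with the vulnerable check beside a hardened one:

```php
<?php
// Added example, not VM 2's actual source (we only saw something like the
// vulnerable check). The parameter name `token` and the expected value are
// assumptions; the request table at the bottom is constructed.

// Vulnerable: strcmp() on a non-string. In PHP 5/7 an array argument only
// raises a warning and strcmp() returns NULL, and NULL == 0 is true, so a
// request sent as ?token[]=x instead of ?token=x passes. PHP 8 throws a
// TypeError here instead, which fails closed but is an unhandled error.
function verify_vulnerable($token, string $expected): bool
{
    return strcmp($token, $expected) == 0;
}

// Hardened: refuse anything that is not a string, then compare with
// hash_equals(), which only takes strings, returns a real bool and runs in
// constant time, so there is no NULL left to compare loosely.
function verify_hardened($token, string $expected): bool
{
    if (!is_string($token)) {
        return false;
    }
    return hash_equals($expected, $token);
}

$expected = 'constructed-example-secret';

// Constructed requests as PHP would parse them into $_GET.
$requests = [
    'token=wrong'        => ['token' => 'wrong'],
    'token[]=x'          => ['token' => ['x']],
    'token=<the secret>' => ['token' => $expected],
];

foreach ($requests as $label => $get) {
    $token = $get['token'] ?? '';
    try {
        $vuln = @verify_vulnerable($token, $expected) ? 'pass' : 'fail';
    } catch (TypeError $e) {
        $vuln = 'TypeError';                 // PHP 8 behaviour
    }
    $hard = verify_hardened($token, $expected) ? 'pass' : 'fail';
    printf("%-20s vulnerable=%-9s hardened=%s\n", $label, $vuln, $hard);
}
```

The same fix applies to `strcmp(...) === 0`, which also rejects the `NULL` result, but `hash_equals` additionally avoids the timing side channel of an early-exit comparison.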

# VM 3

- "Cat content"
- MySQL and SSH port open
- Guestbook threw errors on anything malformed, but inserted it
 nonetheless
- Typo3 installation with lots of paths exposed in the sources
- No luck here, they probably expected a specific exploit
- We left `sqlmap` running, but nothing came from it

# VM 4

- Management panel accepting a password only
- Older guy guessed "admin" correctly
- It doesn't seem to be functional and redirects to the help instead,
 with `help.php?help` as path
- I managed to include different files with
 `help.php?../../../etc/passwd`
- I tried to include web server logs, hoping that the contents are
 interpreted as PHP (they weren't)
- Older guy got a hint to try including PHP files (which showed they
 weren't interpreted at all)
- `index.php` gave an obfuscated mess
- I deobfuscated the hex escapes and a few creative uses of the globals
 array
- Then I found a base64-encoded payload sticking out
- It was PHP code with a comment suggesting a backdoor left by a
 disgruntled employee; it accepts two GET parameters, and if the first
 one decrypts a payload to a valid PHP function, that function is
 executed on the second GET parameter
- I gave up here because I couldn't find any reference to where the
 correct key comes from, and no other inclusion attack yielded anything
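The path handling behind `help.php?../../../etc/passwd`, as an added example rather than VM 4's own code (the directory layout and topic names are assumptions), with the traversal-prone version beside a confined one:

```php
<?php
// Added example, not VM 4's actual help.php. It reconstructs a help viewer
// that serves the topic named in the query string (help.php?help) and shows
// how to confine it to the help directory. The directory layout and topic
// name are assumptions; the files created below are constructed for the demo.

// Vulnerable: the raw query string is joined onto a path, so a request like
// help.php?../../../etc/passwd reads a file outside the help directory. The
// file is returned as plain text, which is why PHP sources came back
// uninterpreted on VM 4 (and still leaked the backdoor inside them).
function help_vulnerable(string $helpDir, string $topic)
{
    return @file_get_contents($helpDir . '/' . $topic);
}

// Hardened: accept only a plain topic name, then check that the resolved
// path is still inside $helpDir. realpath() also follows symlinks, so a
// link pointing outside the directory is caught as well.
function help_hardened(string $helpDir, string $topic)
{
    if (!preg_match('/^[a-z0-9_-]{1,32}$/', $topic)) {
        return false;                   // rejects '', '/', '..' and NUL bytes
    }
    $base = realpath($helpDir);
    $path = realpath($helpDir . '/' . $topic);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return file_get_contents($path);
}

// Constructed demo: a help directory with one topic and a secret next to it.
$root = sys_get_temp_dir() . '/help_demo_' . getmypid();
mkdir("$root/help", 0700, true);
file_put_contents("$root/help/help", "Welcome to the management panel help.\n");
file_put_contents("$root/secret.txt", "not for the help page\n");

foreach (['help', '../secret.txt'] as $topic) {
    printf("%-16s vulnerable=%-8s hardened=%s\n", $topic,
        help_vulnerable("$root/help", $topic) === false ? 'refused' : 'served',
        help_hardened("$root/help", $topic) === false ? 'refused' : 'served');
}

unlink("$root/help/help");
unlink("$root/secret.txt");
rmdir("$root/help");
rmdir($root);
```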

# VM 5

- Displays a default Apache page
- `rpcbind` service open, two high ports, one of which is an SSH
 management thing
- I tried out Metasploit here, but didn't find anything useful with
 its NFS things

# VM 6

- Displays a default Apache page
- Wizard guy noticed that if you open `index.php`, you get a
 spider-themed login page
- Locks you out after too many failed attempts
- I searched for its name, but didn't find anything useful
- This was supposed to be a botnet exploit...

# Aftermath

- We were third place
- The winning team was awarded Amazon gift cards, I got me some
 merchandise
- I exchanged contact info with wizard guy, he didn't seem interested
 in teaming up for 35C3CTF ("Are you crazy? There's so many cool
 people there! Try something like c3quest instead and learn useful
 skills from strangers or teach them those skills.")
- This was very much unlike OverTheWire and more like HackTheBox

# Lessons learned

- Set up a proper working environment
- Learn Burp for web stuff
- Learn to spawn reverse shells
- Go for simple and easy (`ltrace`, `strace`) rather than hard and
 elaborate (`r2`)
- Search the internet for exploits and learn to use them
- LFI isn't just useful for `/etc/passwd`, but also `/etc/shadow`
 (checking whether you're root) and `index.php`
- Cooperate better with your teammates
- Practice on HackTheBox (boxes, not challenges)