This weekend we participated in the Whitehatvn Grandprix CTF and this is one of the 2 real challenges we managed to solve.
Big thanks to @anon3236228 for executing the exploit while the challenge was officially down,
getting us the flag quicker (and for helping with the brainstorming).
Description:
manhndd is running a file upload service at
web01.grandprix.whitehatvn.com,
it is restored every 2 minutes. Every 1 minute after the service starts, he SSHes into the server to check /var/secret. Can you get it?
Writeup:
After visiting the provided website we are presented with an upload page running SimpleHttpServerWithUpload.py; it didn’t ask for any particular file type and didn’t check the extension.
I saw other players trying to upload various shells without success, so I decided to inspect the upload functionality more closely.
I used Burp Repeater, which is a nice tool for quickly modifying your requests and seeing the responses.
After uploading a test file we are presented with the following message:
So we know our files are saved in the /opt directory. I tried to go one directory up by modifying the filename parameter to “/…/test”,
which resulted in “Couldn’t save file , are you sure you have right permissions?”. The server actually tried to write outside /opt, which means the upload is vulnerable to directory traversal! But we can’t write just anywhere; the first thing I tried was writing to /tmp:
Great, but not very useful: we can’t even read the file we uploaded. I unsuccessfully tried to write a cron file, and even had crazy
ideas about exploiting the service by writing to something in /proc/self/, but it all resulted in nothing. Then I reread the description:
**manhndd** is running a file upload service at... Every 1 minute after the service starts, **he SSHes into the server**...
Of course! It should be possible to write to this user’s home directory and overwrite his .bashrc file, which is executed every time he logs in.
Test file first:
Awesome, the write was successful, but how do we get the flag out? After a few attempts with netcat we realized outbound connections were blocked,
so we decided to write to /opt, which we seemed to have access to:
And it worked! The flag could be found at web01.grandprix.whitehatvn.com/shellPyhscript
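To make the root cause of the traversal (the unsanitised filename parameter described above) and the .bashrc overwrite it enabled concrete, here is an added example that is not part of this writeup or of SimpleHttpServerWithUpload.py. It contrasts a naive "join the client filename onto the upload directory" with a hardened version that keeps only the last path component, refuses dotfiles, and verifies the resolved target still lies under the upload root. The upload root `/opt` follows the writeup; the home path `/home/manhndd` is an assumption, and the function names are hypothetical.

```python
import os
import posixpath

# Upload root as described in the writeup (assumed layout).
UPLOAD_DIR = "/opt"


def vulnerable_target(upload_dir, filename):
    """Mirror of the unsafe pattern: the client-supplied filename is joined
    onto the upload directory with no sanitisation. os.path.join discards
    upload_dir entirely when filename is absolute, and '..' segments walk
    out of it, so the client controls the full destination path."""
    return os.path.normpath(os.path.join(upload_dir, filename))


def escapes(upload_dir, filename):
    """True if the naive join would land outside upload_dir."""
    root = os.path.normpath(upload_dir)
    return os.path.commonpath([root, vulnerable_target(upload_dir, filename)]) != root


def safe_target(upload_dir, filename):
    """Hardened version: reduce the name to its last component, reject
    empty, special, dot-prefixed or NUL-containing names, then resolve the
    result and check it is still inside the upload root."""
    name = posixpath.basename(filename.replace("\\", "/"))
    if name in ("", ".", "..") or name.startswith(".") or "\0" in name:
        raise ValueError("rejected filename: %r" % filename)
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, name))
    # Belt and braces: even after basename(), confirm containment.
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes upload dir: %r" % filename)
    return target


def is_rejected(upload_dir, filename):
    """Convenience wrapper so callers can ask 'would this be refused?'."""
    try:
        safe_target(upload_dir, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample filenames in the spirit of the writeup: a normal
    # upload, a '..' hop, an absolute /tmp path, and the rc-file overwrite.
    samples = ["test", "../test", "/tmp/test", "/home/manhndd/.bashrc"]
    for fn in samples:
        print("%-24s naive -> %-24s escapes=%-5s hardened -> %s" % (
            fn, vulnerable_target(UPLOAD_DIR, fn), escapes(UPLOAD_DIR, fn),
            "REJECTED" if is_rejected(UPLOAD_DIR, fn) else safe_target(UPLOAD_DIR, fn)))
```

Refusing dot-prefixed names is a policy choice rather than a strict requirement of the containment check; it is included because the damaging payload in this challenge was a shell rc file, and an upload service has no reason to accept such names. The realpath step also covers symlinks planted inside the upload directory, which a plain string prefix check would miss.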