TeamCyprus ECSC Qualifiers CTF — MagicTheNumb3r1ng Challenge Writeup

Andreas Pogiatzis
4 min read · Jul 13, 2018


What’s up everyone? Here I am again, with another write-up for the TeamCyprus ECSC Qualifiers CTF. Don’t worry, I will try to keep it brief!

This challenge was split into two challenges (Challenge 8 and Challenge 9) and in this post I will be covering both of them.

Here is the description of the first part:

Guybrush has set up a Magic the Gathering fanpage for his friends to upload fanart of the game at `http://192.168.125.148`. He has taken good care so that the users can not upload any files that might compromise the server — or so he thinks. The first flag is in Guybrush’s home directory, can you find it?

And this is the description of the second part:

Guybrush’s account has limited permissions on the webserver we just attacked at address `http://192.168.125.148`. There is a second flag in /root, but only the root can read the directory’s contents! Can you find the second flag?

From the description alone I could confidently assume that this has to do with bypassing upload restrictions, getting a shell and doing the dirty work.

After navigating to the home page I saw a pretty simple fan page with an Upload menu item which immediately caught my attention. I assumed that this was the upload procedure that had to be exploited, so I clicked there and started running some tests.

Black Box Testing

Normally, in scenarios like this where you have to bypass upload restrictions, the main goal is to use black box testing to identify what kind of measures the server uses to whitelist files. Usually the most obvious and common ones are the file extension and the Content-Type HTTP header. As a result, I tried uploading a PHP file with a .jpeg extension and with a modified Content-Type header. Both attempts were blocked, so the server is not relying on either of these two.

I wanted to double check that by uploading a valid JPEG image but still changing the extension or the HTTP header. This time the upload was allowed, so I figured that the server must be checking for something unique to a JPEG file.

Thanks to my old friend Google I found an article which describes the JPEG compression file format¹. The main takeaway from this was that JPEG files start with the signature FF D8 FF.

Therefore, I used a hex editor to open the PHP file and added the above hex bytes at the beginning of the file. I tried re-uploading and... BOOM! The upload passed through!
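The signature-only check is the whole weakness here: three bytes prepended to any file satisfy it. As an added example (not the challenge server’s code), the Python below puts that naive check beside a structural JPEG check that walks the marker segments (SOI, DQT, SOF, DHT, SOS, EOI) and verifies every segment length stays inside the buffer, then wraps it in an upload validator that also enforces an extension allow-list and generates the stored name server-side so the client never chooses a path. The minimal JPEG skeleton and the fake upload are constructed inline, and the function and constant names are my own.

```python
"""Magic-byte check vs. structural JPEG validation for an upload handler (added example)."""
import os
import secrets
import struct
from typing import Tuple

JPEG_SIGNATURE = b"\xff\xd8\xff"
ALLOWED_EXTENSIONS = {".jpg", ".jpeg"}


def naive_is_jpeg(data: bytes) -> bool:
    """The kind of check the challenge server used: signature bytes only."""
    return data.startswith(JPEG_SIGNATURE)


def structural_is_jpeg(data: bytes) -> bool:
    """Walk the JPEG marker segments (SOI ... SOF ... SOS ... EOI).

    Every segment must carry a well-formed big-endian length that stays
    inside the buffer, a frame header (SOF) and a scan (SOS) must both be
    present, and the file must end with EOI.  Arbitrary bytes bolted on
    after the three signature bytes do not survive this walk.
    """
    if not data.startswith(b"\xff\xd8"):
        return False
    pos, saw_sof, saw_sos = 2, False, False
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                              # EOI
            return saw_sof and saw_sos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return False
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):  # length includes its own 2 bytes
            return False
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):   # SOFn
            saw_sof = True
        pos += 2 + length
        if marker == 0xDA:                              # SOS: skip entropy-coded data
            saw_sos = True
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break                               # a real marker follows
                pos += 1
    return False                                        # ran off the end without EOI


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Hardened acceptance test: extension allow-list, structural parse,
    and a server-generated name so the client never picks the stored path."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    if not structural_is_jpeg(data):
        return False, "not a well-formed JPEG"
    return True, secrets.token_hex(16) + ".jpg"


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed minimal 1x1 greyscale JPEG skeleton: structurally valid, not a real photo.
TINY_JPEG = (
    b"\xff\xd8"                                                  # SOI
    + _segment(0xDB, b"\x00" + b"\x01" * 64)                     # DQT: table 0, 64 entries
    + _segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")    # SOF0: 8-bit, 1x1, 1 component
    + _segment(0xC4, b"\x00" + b"\x00" * 16)                     # DHT: empty stub table
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")                # SOS: 1 component
    + b"\x00\x00\x00\x00"                                        # entropy-coded data (stub)
    + b"\xff\xd9"                                                # EOI
)
# Constructed: the writeup's trick, a non-image file with the signature bolted on the front.
FAKE_JPEG = JPEG_SIGNATURE + b"<?php echo 'not an image'; ?>"

if __name__ == "__main__":
    print("naive check on fake upload:     ", naive_is_jpeg(FAKE_JPEG))
    print("structural check on fake upload:", structural_is_jpeg(FAKE_JPEG))
    print("validate real skeleton:         ", validate_upload("art.jpg", TINY_JPEG))
```

Validation is only one layer: even a structurally valid JPEG can carry PHP tags inside a COM or APP segment, so the upload directory should additionally sit outside the web root or have script execution disabled, and the stored file should always get the server-chosen extension shown here rather than the client’s.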

Exploitation

Perfect! Now I had to find a PHP shell to throw up there so that I could find the first flag (of course, if you are not lazy you could write your own, but personally I will pass for now :) ).

This one seemed pretty simple yet effective for our purpose, so I copied it and uploaded it to the server.

Sweet! The description clearly states that the flag is in the home directory of this guy. I was so glad I didn’t have to search the entire file system to find it. (Thanks author!).

Flag 1 is down! One more to go.

From the second description it is obvious that we gotta do some sort of privilege escalation, but I tried to access the second flag from the shell anyway and got the expected Permission Denied message.

After wandering around the file system for a while I found an interesting text file called NOTE-TO-ADMIN.txt which stated that this guy gave apache some sudo permissions. That was surely a huge hint.

From that note I expected to use the apache process to somehow run a bash command and read the second flag, but first I wanted to see which commands this user can run with sudo, so I ran: `sudo -l`

Oh my oh my! The user we are logged in as can run python as root with no password required whatsoever. Well, that was game over guys! It was a matter of time now.

I just used a one-liner python command to run cat as root and read the output:

`sudo python -c "import os; print os.popen('cat /root/flag2.txt').read()"`
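`sudo -l` is also exactly what a defender would run to catch this misconfiguration before a CTF player does. As an added example (not part of the challenge or the original post), the Python below parses sudoers-style rules, or the `(runas) TAG: cmd` lines that `sudo -l` prints for the current user, and flags any rule that hands out an interpreter, editor or `ALL` as root, rating NOPASSWD grants and web service accounts as HIGH. The sample sudoers content is constructed, and the function names and the interpreter list are my own choices.

```python
"""Audit sudo rules for interpreters a low-privilege account can run as root (added example)."""
import re
from typing import Any, Dict, List, Optional

# Programs that hand the caller an arbitrary command once they run as root.
SHELL_CAPABLE = {"python", "python2", "python3", "perl", "ruby", "bash", "sh",
                 "vi", "vim", "less", "more", "find", "awk"}
# Accounts that should never hold interactive-style sudo rights.
SERVICE_ACCOUNTS = {"www-data", "apache", "httpd", "nginx"}

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"      # user/group and host
    r"(?:\((?P<runas>[^)]*)\)\s*)?"                # optional (runas) list
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"                  # NOPASSWD:, SETENV:, ...
    r"(?P<cmds>.+)$"                               # comma-separated commands
)


def parse_rules(text: str, current_user: Optional[str] = None) -> List[Dict[str, Any]]:
    """Parse sudoers-style lines. With current_user set, lines of the form
    '(runas) TAG: cmd' as printed by `sudo -l` are read as that user's rules."""
    rules: List[Dict[str, Any]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        if current_user and line.startswith("("):
            line = f"{current_user} ALL = {line}"   # normalise sudo -l output
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            rules.append({
                "who": m["who"],
                "runas": (m["runas"] or "root").split(":")[0],
                "nopasswd": "NOPASSWD" in tags,
                "cmd": cmd,
            })
    return rules


def audit_sudoers(text: str, current_user: Optional[str] = None) -> List[Dict[str, str]]:
    """Flag rules that give a shell-capable program (or ALL) to a caller as root,
    rating NOPASSWD grants and service accounts as HIGH, the rest as MEDIUM."""
    findings: List[Dict[str, str]] = []
    for rule in parse_rules(text, current_user):
        cmd = str(rule["cmd"])
        program = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the command
        if cmd != "ALL" and program not in SHELL_CAPABLE:
            continue
        if rule["runas"] not in ("ALL", "root"):
            continue
        high = bool(rule["nopasswd"]) or rule["who"] in SERVICE_ACCOUNTS
        findings.append({
            "who": str(rule["who"]),
            "cmd": cmd,
            "severity": "HIGH" if high else "MEDIUM",
            "reason": ("no password required" if rule["nopasswd"] else "password required")
                      + f", runs {program} as {rule['runas']}",
        })
    return findings


# Constructed sample /etc/sudoers content for the demo.
SAMPLE_SUDOERS = """\
Defaults env_reset
# the web server gets python as root, the misconfiguration from the challenge
www-data ALL=(ALL) NOPASSWD: /usr/bin/python
alice    ALL=(ALL) ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
%admin   ALL=(ALL) ALL
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{finding['severity']}] {finding['who']}: {finding['cmd']} ({finding['reason']})")
```

On a real host feed it `/etc/sudoers` plus every file under `/etc/sudoers.d`, or pipe in `sudo -l` output with `current_user` set to the account being reviewed; anything rated HIGH for a service account is the NOTE-TO-ADMIN situation from this challenge and should be replaced with a rule that names one specific, non-interpreter command.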

And the second flag is down for good.

Conclusions

This was a fairly easy fun challenge but still with some technical key points that can make it very hard if you don’t know the right stuff at the right time.

Although I expected to exploit the apache process for the second part, it turned out to be easier than I thought.

Many thanks to the author of the challenge! Was a good one.

I hope you all enjoyed the write-up. Keep it real guys! 👍

References:

[1] http://www.file-recovery.com/jpg-signature-format.htm


Written by Andreas Pogiatzis

☰ PhD Candidate @ UoG ● Combining Cyber Security with Data Science ● Writing to Understand
