DHS CTF

Short Writeup of a CTF I did for a job interview

So a couple weeks ago when the government finally decided to start back up, I received an email from DHS letting me know they were resuming their intern search. This was awesome because I’ve heard really cool things about their Red Team in the past and I was looking forward to applying to them for an internship.

What I got sent back was different compared to most interviews, but because of the time I’ve spent working on my OSCP over the past year it left me excited.

Initial Email

The “network” was a single VM that ran 4 different Docker containers that each contained their own flag.txt. I really was amazed that I hadn’t thought of doing that before with boxes that talk to eachother through Docker containers before – I decided I’d save that nugget of knowledge for later.

I booted up my Kali VM and decided to give it a basic Nmap ping scan to see if it responds to ping so I could proceed.
Ping Scan

After doing some process of elimnation for myself, my gateway, and a few other things I was able to identify that my target was 192.168.249.160. I fired up Nmap once again and gave it a simple scan to see what services and ports I was dealing with. Nmap Scan

Voila! Based off this scan and the CTF’s I’d done in the past, I knew the first two shells were going to be easy as hell. To be perfectly honest, I was a little cautious still at this point because I didn’t think that anyone would offer up a shell for VSFTPD 2.3.4 or ProFTPD 1.3.5 that easily.

Flag 1

Like I said, this one jumped out to me right away. This backdoor is a popular one to use in CTFs and to teach novice infosec professionals how to use Metasploit. I quickly loaded up Metasploit and launched unix/ftp/vsftpd_234_backdoor. Vsftpd

With that I had my first flag down! Three to go!

Flag 2

This is another one that jumped out to me as a relatively “point-click-hack” Metasploit module that I actually teach to freshman at the university. I quickly loaded up the unix/ftpd/proftpd_modcopy_exec exploit and launched.

Proftpd

Second flag down!

Flag 3

Now I knew from the initial email that there was going to be some pivoting involved, so I made sure that I was looking at the arp cache everytime I popped a shell using arp -a. Arp

172.30.0.4…interesting! Not a box…or subnet I’ve seen before. I quickly realized that this box was communicating on his own private network to another box. I resolved the IP address and saw that it belonged to a c4-web-local. Sounds like what we want! I curled the webpage see if a web page was hosted on it and received back this hint: Curl

Now the next part I have to admit was made using pure luck. I reasoned that the hint was mentioning shock for a reason and my mind went to ShellShock. An infamous vulnerability in Bash itself. I made sure and deployed autoroutes, a Metasploit post module that allows you to be able to use a compromised host as a forwarder for your subsequent attacks. AutoRoutes

Hoping my luck wouldn’t fail me yet, I searched for a shellshock vulnerability on Metasploit and fired the first one, multi/http/apache_mod_cgi_bash_env_exec at it.

It took a little reworking with the TARGETURI flag to make sure that I was pointing to correct spot, but I was able to figure that info easily from the curl request above. ShellShock And….! Flag3

Flag 4

So there was a few days in between the last flag and this one, I had a lot of stuff going on during the week and wasn’t able to break away and look at it until the day it was due actually. At this point I knew that my last target was going to be a SQL Injection when I browsed to the main server on the only remaining service.

The initial login page caused a great deal of headache for me initially, classic case of overthinking. I went and grabbed a common list of SQI paramters and the first one that I ended up trying worked. (Maybe I’m in the wrong career field who knows :P)

ApplicantPortal

After bypassing the login page I was brought to an internal stastics that seemd to ‘monitor’ the applicants that were applying to this job. After a quick glance it was easy to tell that all the data was static and most of the webpage wasn’t really active – except for one part.

ApplicantQueue

When data is submitted into the Add Applicant field, it’s populated on the Applicant Queue side. AFter trying some basic command injection for a bit I decided to fire up BurpSuite and take a look at what was going on behind the scenes.

Burp1

Upon inspecting the request that is made I can see that the cookie Applicant is sending quite a bit of traffic. After HTML decoding it, it becomes a little more clear at what I’m looking at.

Burp2

I had to do quite a bit of googling on the subject of PHP Object Serialization at this point, reaching out to a few colleagues for some tips on getting started learning about them. I booted up a few practice scenarios with code so I could practice looking for vulnerable classes that I could call and had a lot of fun learning about this exploit that I had never heard of before.

Unfortunately, upon learning how they really worked it became very apparent that I was unable to be do anything without having some source code to look at. I spent a little bit of time doing some directory bruteforcing, trying to see if possibly there was some publicly exposed source code that would lead me to it – no bueno.

It was at this point I noticed that in some exploits for PHP Objects, there was a paramter that was misconfigured and allowed a user to submit any PHP function they wanted to be interpreted. I began to run with this (about 6 hours left to submit at this point) and quickly found something.

PhpObject1

Here, I was able to swap the isApplicantEmpty function out for the System() function in PHP. I was then able to supply the commands that I wanted passed to System() via the Applicant-Name field.

PhpObject2

Code execution!

After this, I exported the request to a curl command so I could run it quickly as bash script so I could find the flag on the system and cat it. (No formatting cause speed :) )

#!/bin/bash

curl 'http://192.168.249.160:8100/YINXEtKn/lib/ApplicantQueue.php?action=add' -H 'Host: 192.168.249.160:8100' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: http://192.168.249.160:8100/YINXEtKn/' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Cookie: PHPSESSID=26ecc3d6a7d7e4e7826f6e4a06944866; Applicants=O%3A14%3A%22ApplicantQueue%22%3A2%3A%7Bs%3A10%3A%22applicants%22%3Ba%3A4%3A%7Bi%3A0%3Bs%3A1%3A%22a%22%3Bi%3A1%3Bs%3A1%3A%22a%22%3Bi%3A2%3Bs%3A1%3A%22a%22%3Bi%3A3%3Bs%3A1%3A%22a%22%3B%7Ds%3A22%3A%22%00ApplicantQueue%00filter%22%3Bs%3A6%3A%22system%22%3B%7D' -H 'Connection: keep-alive' --data "applicant-name=$1"

Flag4

Fourth Flag Done! Even though I didn’t have to end up doing a PHP Serialization Exploit, I really enjoyed learning about them and will know what to look for hopefully in the future.


comments powered by Disqus