First of all, I hope there is no misunderstanding: I did not abuse the server. During a bout of insomnia, I saw that all the flags of the ongoing CTF on CTFtime had been leaked. Using the reverse shell that had been left open through the web challenge a few hours earlier, I was able to identify all the causes 10 minutes after the server went down.
It is not very technical, but I decided to write this down as an explanation for the dumbfounded participants.
The web challenge Brutus has a PHP unserialize vulnerability, which gives the attacker remote code execution (RCE) as the web server user (www-data).
This vulnerability lets us open a reverse shell, and there is no timeout on the connection. Even five hours after solving the challenge, the connection was still there. Thanks to that, the analysis was very comfortable.
The /etc/hosts file shows that the internal IP address of the challenge container is 172.26.0.4. Unless the network has been configured specially, the host (the Docker bridge gateway) can be expected to be at 172.26.0.1 or nearby.
```console
www-data@5841bda2da57:/code$ curl 172.26.0.1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="mellivora/">mellivora/</a></td><td align="right">2020-02-21 22:08  </td><td align="right">  - </td><td></td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.29 (Ubuntu) Server at 172.26.0.1 Port 80</address>
</body></html>
```
So a web server is running on 172.26.0.1: Apache 2.4.29 on the host, with directory listing enabled.
It lists a single folder, mellivora/, and from that name and the files inside it you can tell that the CTF is running on the Mellivora CTF engine.
The CTF service is provided by two containers, mysql:5.6 and mellivora, brought up with docker-compose. And since the database credentials are exposed along with those files, we can connect to the CTF database directly from the challenge container.
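The gateway guess and the directory-listing check described above, as an added shell example (not code from the original post). It assumes the docker-compose default of a /16 network whose gateway is the .0.1 address, reads the container's own address from /etc/hosts, and uses a constructed hosts-file sample so the pure functions run offline; only probe_gateway touches the network.

```sh
#!/bin/sh
# Added example, not from the original post: derive the probable Docker host
# (bridge gateway) address from the container's /etc/hosts entry, then decide
# whether an HTTP reply is an Apache directory listing. Only probe_gateway
# touches the network; the other functions are pure so they can run offline.

# Constructed stand-in for a container's /etc/hosts (not the real file).
SAMPLE_HOSTS='127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
172.26.0.4 5841bda2da57'

# own_ip HOSTS_TEXT HOSTNAME -> the IPv4 address that /etc/hosts maps to HOSTNAME
own_ip() {
  printf '%s\n' "$1" | awk -v h="$2" \
    '$2 == h && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1; exit }'
}

# gateway_guess CONTAINER_IP -> x.y.0.1
# Assumption: a docker-compose default network is a /16 and its gateway is the
# first address, which is also where host-published ports are reachable from
# inside a container.
gateway_guess() {
  printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.0.1\n", $1, $2 }'
}

# is_dir_listing HTML -> exit 0 if the body is an Apache autoindex page
is_dir_listing() {
  printf '%s\n' "$1" | grep -q '<title>Index of /'
}

# Live check from inside a container (needs curl and network access).
probe_gateway() {
  gw=$(gateway_guess "$(own_ip "$(cat /etc/hosts)" "$(cat /etc/hostname)")")
  body=$(curl -s --max-time 5 "http://$gw/") || { echo "no HTTP on $gw"; return 1; }
  if is_dir_listing "$body"; then
    echo "directory listing exposed on $gw"
  else
    echo "HTTP on $gw, no listing"
  fi
}

if [ "${1:-}" = probe ]; then probe_gateway; fi
```

Run it as `sh recon.sh probe` from the reverse shell; without the argument it only defines the functions, which is what makes the offline checks possible.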
```php
<?php
// Connect from the challenge container to the MySQL container's port, which is published on the host.
$con = new mysqli('172.26.0.1', '[redacted]', '[redacted]', '[redacted]');
// Any query works from here; listing databases is enough to prove the access.
$res = $con->query('show databases')->fetch_all();
var_dump($res);
```
So by executing PHP code like this through the web challenge's shell, every table and column in the database (including user credentials and flags) could be dumped, and since the account has root privileges we could also drop every database (I did not test this, as it was unnecessary).
This case comes down to incredibly bad operations. The web services already run in Docker, so there is no need for a web server on the host at all, let alone one with directory listing enabled, and certainly no reason to put the Docker deployment files in its webroot.
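To make the two mistakes concrete, here is an added shell example (not the organiser's real configuration): a docker-compose fragment that publishes the database to every host interface beside one that keeps it on the compose network, an Apache fragment with autoindex on beside one with it off, and two small audit functions that flag the weak forms. Service names, images, ports and paths are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not the organiser's real configuration: the exposing pattern
# beside a safer one, plus two small audits. The service names, images, ports
# and paths are assumptions for illustration.

# Constructed: both services publish ports with no bind address, which means
# 0.0.0.0 on the host, so any container on a bridge network can reach the
# database through the gateway address.
WEAK_COMPOSE='services:
  db:
    image: mysql:5.6
    ports:
      - "3306:3306"
  web:
    image: mellivora
    ports:
      - "80:80"'

# Constructed: the app reaches the database by service name on the compose
# network, so the database publishes nothing; the only published port is bound
# to loopback, for a reverse proxy or SSH tunnel to pick up.
SAFE_COMPOSE='services:
  db:
    image: mysql:5.6
    expose:
      - "3306"
  web:
    image: mellivora
    ports:
      - "127.0.0.1:8080:80"'

# Constructed Apache fragments: the first enables autoindex ("Index of /"
# pages), the second switches it off.
WEAK_APACHE='<Directory /var/www/html>
    Options Indexes FollowSymLinks
</Directory>'
SAFE_APACHE='<Directory /var/www/html>
    Options -Indexes +FollowSymLinks
</Directory>'

# audit_ports COMPOSE_TEXT -> prints every port mapping that is not bound to
# IPv4 loopback and returns 1 if any were found. Understands the short syntax
# forms "CONT", "HOST:CONT" and "IP:HOST:CONT" (double-quoted or bare) under a
# "ports:" key; a mapping without a bind address is published on all interfaces.
audit_ports() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*ports:/      { inports = 1; next }
    /^[[:space:]]*[A-Za-z_]/   { inports = 0 }      # any other key ends the list
    inports && /^[[:space:]]*-/ {
      v = $0
      sub(/^[[:space:]]*-[[:space:]]*"?/, "", v)
      sub(/"?[[:space:]]*$/, "", v)
      n = split(v, p, ":")
      if (n < 3 || p[1] !~ /^127\./) { print "published on all interfaces: " v; bad = 1 }
    }
    END { if (bad) exit 1 }'
}

# audit_indexes APACHE_TEXT -> returns 1 if any Options line turns Indexes on
# ("Indexes" or "+Indexes"); "-Indexes" is the safe form.
audit_indexes() {
  ! printf '%s\n' "$1" | grep -Eiq \
    '^[[:space:]]*Options([[:space:]]+[+-]?[A-Za-z]+)*[[:space:]]+\+?Indexes([[:space:]]|$)'
}

if [ "${1:-}" = demo ]; then
  echo "weak compose:";  audit_ports "$WEAK_COMPOSE"   || echo "-> fix"
  echo "safe compose:";  audit_ports "$SAFE_COMPOSE"   && echo "-> ok"
  echo "weak apache:";   audit_indexes "$WEAK_APACHE"  || echo "-> fix"
  echo "safe apache:";   audit_indexes "$SAFE_APACHE"  && echo "-> ok"
fi
```

Run with `sh audit.sh demo` to see both verdicts; in practice you would feed the real `docker-compose.yml` and the host's Apache vhost to the two functions. The point of the safe compose file is that the database needs no published port at all: containers on the same compose network talk by service name, and a port published without a bind address is reachable from every other container through the gateway, which is exactly the path used above.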
I do not know whether it is true, but there are rumours that the organizer of this CTF has not paid the right amount of money for years. (If you know the truth, please leave a comment.)