This weekend, SealingTech ran a Capture-The-Flag event at BSidesCharm for 30 people. This event challenged members of the local InfoSec community to identify and exploit the vulnerabilities of a running system in our RackSpace cloud. The SealingTech CTF was a very exciting event for us to set up and observe people participating in. We had a lot of participants ask about the intended solution after the prizes had been awarded, so here it is.
Level 1 Flag
Upon visiting the web server of the target machine, you find a simple “PortChecker” application. It works as expected, and can be seen below describing TCP port 443 when typing in “443” and clicking submit.
However, there is a serious vulnerability in this application that allows arbitrary command execution. It is discovered by testing the input field with any shell delimiter or metacharacter, such as “;”, “&”, or “|”. This sort of vulnerability should be tested for manually, but it can also be discovered with scanning tools such as the OWASP Zed Attack Proxy.
A review of the source code for the file that processes this form reveals the source of the vulnerability. Highlighted below is the use of PHP’s dangerous shell_exec() function.
The PHP code calls a bash shell script which performs the following shell action. The code below shows where user-supplied data (represented as “$@”) is passed straight into the bash shell! Secure coding standards avoid this by validating input against an allow-list and never building command lines from untrusted strings. OWASP’s Security Cheat Sheets are one of the best resources for this.
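For comparison, here is a hardened replacement for that script, added as an example (it is not SealingTech’s CTF code). It assumes the PHP front end calls the script with the submitted field as a single argument, and it uses a constructed service table so that it runs without /etc/services:

```sh
#!/bin/sh
# Hardened port-check script (added example, not the CTF's original script).
# Assumption: the PHP front end runs this script with the submitted field as "$1".
# Constructed service table so the example runs offline without /etc/services.
SERVICES='22 ssh
80 http
443 https
8080 http-alt'

port_check() {
    port=$1
    # Allow-list the input: only 1-5 ASCII digits may pass. Shell metacharacters
    # such as ';', '&' or '|' fail this test and never reach a command line.
    case $port in
        ''|*[!0-9]*) printf 'error: port must be numeric\n' >&2; return 2 ;;
    esac
    if [ "${#port}" -gt 5 ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        printf 'error: port out of range\n' >&2; return 2
    fi
    # Look the number up as data (an awk variable), never by interpolating it
    # into a command string that a shell re-parses.
    name=$(printf '%s\n' "$SERVICES" | awk -v p="$port" '$1 == p { print $2; exit }')
    printf 'TCP port %s: %s\n' "$port" "${name:-unassigned}"
}

# Stand-alone use: the argument is passed as a single word, not re-parsed by a shell.
if [ "$#" -eq 1 ]; then
    port_check "$1"
fi
```

The same validation belongs in the PHP layer as well (an integer range check before any call that spawns a process), so that the script’s check is a second line of defence rather than the only one.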
Now that we know we have command injection, it’s a good idea to establish a more workable remote shell. A simple “bind shell” can be used on a system like this; in other cases a “reverse shell” will be needed when a firewall blocks inbound connections. Providing the PortChecker with the following input will yield a netcat bind shell on TCP port 4444:
The BusyBox binary is used as netcat here as a best practice, because netcat is often not available on production systems. BusyBox is an excellent multi-tool for penetration testing once you’ve gotten a shell. On your client box, connect with netcat in client mode to get an interactive shell:
In the commands above, we identified that we have access as the apache user and can see some web files. One of these files happens to be flag 1! Inside flag1 is our first flag secret, “overbray”.
Level 2 Flag
At this point in a pentest, privilege escalation is the holy grail and enumeration is your closest friend. Our CTF participants followed some excellent best practices here – reviewing running services, checking for files with the suid bit set, running their own custom recon scripts, etc. Ultimately these are all very useful things.
Another very common vulnerability to enumerate for is an unpatched operating system. In this case, the server was running CentOS 7.1. That number may not look that old, with CentOS 7.2 being the current release as of this writing, but of course it only takes one vulnerability. Red Hat’s Automatic Bug Reporting Tool suffered from CVE-2015-5273 and CVE-2015-5287 late in 2015. The vulnerable code also made its way into CentOS and Fedora, and proof-of-concept exploit code is now in the wild. This POC is written in Python, so you don’t even need a compiler here.
In the screenshot below, you can see the enumeration of the OS version, the download and execution of the exploit, and the discovery of flag 2! Inside flag2 is our second flag secret, “Bubba”.
An interesting note about this exploit is that the default RHEL/CentOS targeted SELinux policy blocks it from working when SELinux is enforcing. Sadly, while SELinux is enforcing by default in RHEL/CentOS, many cloud images, such as this one from Rackspace, actually default to permissive mode (SELinux enforcement disabled). This is a perfect example of why you need to always use good SELinux policy on production systems! In most cases you cannot control the coding of applications, but SELinux sure helps a ton in limiting what attackers can do from vulnerable applications on your system.
So that is how we saw the CTF going down. As it turned out, the winning contestants all ended up submitting flags obtained from the same vulnerabilities, but they all took different approaches to finding them. It was very enlightening for us to review the approaches. Some contestants spent hours on it and told us they learned a ton through the hands-on exercise, which is fantastic! In the end, we gave away 5x YubiKey4 sticks for flag 1 within the first 38 minutes and 3x WiFi Pineapple Nanos for flag 2 within the first 15 hours.
Thanks to everyone who stopped by our booth at BSidesCharm 2016, see you there next year!