After completing the previous Advent of Cyber challenge day, They Lost The Plan! Day 13 AoC3, this CTF challenge was pretty straight forward. In fact it was so short I wasn’t going to write it up, but then they’d be a gap in the Advent of Cyber writeup series.
This challenge was all about CI/CD:
CI: Continuous Integration is the process in which software source code is kept in a central repository (such as GitHub). All changes are stored in this central repository to avoid ending up with different versions of the same code.
CD: Continuous Delivery is the following (sometimes integral) step of the continuous integration model where code is automatically deployed to the test, pre-production, or production environments. CD is sometimes used as an acronym for “Continuous Deployment”. If you feel like the terms above don’t seem to have clear limits, you are right. CI, CD, and the other CD are all part of DevOps best practices that aim to make code delivery faster and more reliable.
CI/CD should be considered as a set of practices that are put in place to enable development teams to make changes, test their code, and deploy the application more reliably.
Although it told us the page we’d discover using a tool like dirbuster, I decided to fire up (my preference) gobuster for the sake of it:
$ gobuster dir -u 10.10.103.11 --wordlist /usr/share/wordlist/dirb/common.txt | tee gobuster.txt
=============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.10.103.11 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2021/12/17 03:40:49 Starting gobuster in directory enumeration mode =============================================================== /.hta (Status: 403) [Size: 277] /.htaccess (Status: 403) [Size: 277] /.htpasswd (Status: 403) [Size: 277] /admin (Status: 200) [Size: 363] /index.html (Status: 200) [Size: 169] /server-status (Status: 403) [Size: 277] /warez (Status: 200) [Size: 606] =============================================================== 2021/12/17 03:41:29 Finished ===============================================================
The admin page did indeed just host an iframe tag. Following the source of that leads us to a page called ls.html. Interesting. Odd name for a file – standard name for a Linux command.
Once logged in to the box, the user thegrinch had 4 scripts of interest. I could only access loot.sh:
Inside that file I saw it runs the ls command on the loot folder. Tt then piped the output to the web directory and into the webpage I saw previously.
As this file is owned by root, I took advantage of the poorly configured permission. I modified the script to output the contents of /etc/shadow, piping that to the same directory.
I modified the file so it read:
After navigating to the web directory, the shadow file was already created.
This gave up the contents of the shadow file:
root:*:18561:0:99999:7::: daemon:*:18561:0:99999:7::: bin:*:18561:0:99999:7::: sys:*:18561:0:99999:7::: sync:*:18561:0:99999:7::: games:*:18561:0:99999:7::: man:*:18561:0:99999:7::: ... dnsmasq:*:18561:0:99999:7::: landscape:*:18561:0:99999:7::: sshd:*:18561:0:99999:7::: pollinate:*:18561:0:99999:7::: ubuntu:!:18942:0:99999:7::: thegrinch:XXXXXXXXA2$7YgS0mCSs8ROHgS/4VP1itLix.T7onR26n4gdHF... mcskidy:XXXXXXXXX1e$az/mXtNiOt9tMDb6lixDN3c1yH2GhcJVlAIWYB/W... pepper:XXXXXXXX2Y2$QYDESrTO9T517RDzR6cGXOANA/H4For7odahhn/DU...
We could use the same method to dump the flag from thegrinch’s desktop to the web directory, however I decided to just copy it to local temp:
And the flag we mine. Nice and simple bit of vulnerable CI-CD exploiting. Little bit of privilege esculation.
Day 14 of the Advent of Cyber challenge all wrapped up. Easy.