InfoSec Blog - Our Capture the Flag Experience - Part 2
December 9, 2019
And now for the exciting conclusion to our 2 part blog on our capture the flag experience. If you missed the first part, you can read it here - https://www.uoguelph.ca/ccs/ctfpart1
We are now at the point where we can log into the Sentrifugo 3.2 system as Bob. Bob has higher privileges on the system than Chuck, and we noticed that this account is able to upload files onto the server. A PoC exploit is publicly available at https://www.exploit-db.com/exploits/47323 for a File Upload Restriction Bypass vulnerability (CVE 2019-15813) in this version of the application. Following the instructions, a PHP reverse shell file was created with the msfvenom command and uploaded to the server. After clicking on the uploaded shell.php file from the browser on the attacker machine, a reverse shell popped up. We successfully got system access on the remote server!!!
On the attacker machine, the attacker gains shell access on the server by visiting the uploaded shell.php page:
After clicking on the shell.php web page from the attacker machine, a reverse shell popped up.
Bingo!!!! We can now browse files on the remote server. An interesting file caught our eye under the /home/jenny folder:
We then downloaded the desktop_backup.zip file onto the attacker machine and, upon opening it, we can see there is a password.txt file:
We then tried the SSH credentials for the account named 'jenny' and they worked!!!
We have successfully exploited two software vulnerabilities in the Sentrifugo application to compromise the hosting server:
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-434: Unrestricted Upload of File with Dangerous Type
These two vulnerabilities are on the 2019 CWE Top 25 list of the most dangerous software weaknesses, recently updated by the U.S. Department of Homeland Security’s Homeland Security Systems Engineering and Development Institute (HSSEDI), found here - https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html
Key lessons learned from this part of our experience:
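The file upload weakness above (CWE-434) comes down to the server trusting what the client tells it about a file. As an added defender-side example, which is not code from this blog or from the Sentrifugo project, the Python below shows the shape of server-side validation that closes that gap: a short extension allow-list, a check of the file's own leading bytes against that extension, a size limit, and a server-chosen random file name stored in a directory the web server does not execute from. The allow-list (images only), the size limit and the upload directory are constructed assumptions for the example.

```python
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed policy for this example: the endpoint only accepts images.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
# Leading bytes each allowed type must start with (standard file signatures).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024  # constructed size limit for the example


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None


def validate_upload(client_filename: str, content: bytes) -> UploadDecision:
    """Decide whether an upload is acceptable without trusting the client.

    The client-supplied name is used only to read its final extension; the
    stored name is chosen by the server, and the content must carry the
    signature of the type that extension claims.
    """
    # Drop any directory component so ".." in the client name cannot escape
    # the upload directory.
    name = os.path.basename(client_filename.replace("\\", "/"))
    if not name or "." not in name:
        return UploadDecision(False, "missing extension")
    # Only the last extension counts; anything before it is ignored.
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return UploadDecision(False, f"extension .{ext} not in allow-list")
    if len(content) == 0 or len(content) > MAX_BYTES:
        return UploadDecision(False, "empty or oversized file")
    # A PHP script renamed to .png fails here: its bytes are not a PNG header.
    if not content.startswith(SIGNATURES[ext]):
        return UploadDecision(False, "content does not match declared type")
    # The server picks the stored name: random, with the validated extension.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return UploadDecision(True, "ok", stored)


def save_upload(client_filename: str, content: bytes, upload_dir: str) -> UploadDecision:
    """Validate and, if accepted, write the file with a fresh name.

    upload_dir is assumed to sit outside the web root, so even an accepted
    file is served as a static download rather than run by the web server.
    """
    decision = validate_upload(client_filename, content)
    if not decision.accepted:
        return decision
    path = os.path.join(upload_dir, decision.stored_name)
    # O_EXCL refuses to overwrite an existing file; mode 0o600 keeps it private.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return decision


if __name__ == "__main__":
    # Constructed sample inputs: a real PNG header and a PHP file.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    php = b"<?php echo 'hello'; ?>"
    print(validate_upload("avatar.png", png))
    print(validate_upload("shell.php", php))
    print(validate_upload("avatar.png", php))
```

The decision object carries a reason string so the rejection can be logged; a burst of "content does not match declared type" rejections from one account is exactly the signal a SOC would want to see from an upload endpoint.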
- Keep all your systems and applications up to date
- Always save passwords in a safe location
- Encrypt your password file if needed.
More information on protecting your passwords can be found at:
Written by: Hanna Guan (Cyber Security Analyst, Information Security)