Every year Cyber Security Challenge UK run a “Face 2 Face” cybersecurity event, this year is the last one they will ever run. To get to this you have to complete the 2 qualifiers. I qualified with 2 out of 3 flags on the first qualifier, I don’t know what I got on the second one. Both qualifiers were 8 hours long, for q1 you had to find 3 flags on a webserver, for q2 you had to solve a series of forensics challenges. Even though I feel like I did worse on q2, I gained a lot of experience from every flag of q1.

Rabbit Holes

Everyone in infosec talks about going down rabbit holes on challenges, this was definitely not the first time I’ve done this but I’ve never wasted so much time going down a rabbit hole. The first vulnerability I found in the website was SQL injection and I quickly realised almost every input was injectable. I spent at least 3 hours playing with the SQL injection vulnerabilities to try and get the first flag. I became completely blind to the other vulnerabilities on the website. I tried almost everything related to SQL trying to get this flag. At one point, I spent half an hour trying to crack the admin password even though I could just make my account admin. I even tried to read the file using SQL even though it was obvious I needed a shell because flags 2 and 3 would be impossible without one. After finally accepting that SQL injection wasn’t going to get me anywhere, I came across the file upload vulnerability and proceeded to spend half an hour trying to make a polyglot file that was a valid png and php file to upload a shell through the file upload form, I eventually realised I could just upload the shell through the remote file upload.

Shells

I made two main mistakes with shells, both wasted a lot of time. My first mistake was trying to use fancy web shells. Shells with loads of features are pretty cool but they’re not always compatible with the server and unless you have a reason for needing them, they’re just a waste of time. You ideally want to get a TTY and as far as I’m aware, that’s pretty much impossible with a web shell. I could have accomplished exactly the same in a lot less time by using a shell that’s one line of code and starting netcat with it. The other mistake I made was trying too hard to get a reverse shell started. Each player for the qualifier was accessing the website hosted on a virtual machine, there was no way ports other than 80 and 443 would be accessible to the outside world, this means a reverse shell cannot work. I spent a long time playing with netcat and other ways of spawning a reverse shell but it was all a waste of time. A bind shell is just as functional and in this case, much easier. I could have got a TTY shell a lot sooner if I didn’t waste so much time on fancy web shells and reverse shells.

Statically Linked Binaries

This wasn’t a mistake, rather something I discovered during the qualifier. I knew I wanted a TTY shell over netcat but on the server, but netcat couldn’t be executed by non root users. I could have used /dev/tcp but that didn’t occur to me at the time. I ended up wgetting a statically linked version of ncat(like netcat but a bit cooler) which allowed me to get a reverse shell. Flag 3 was achieved by listening on port 1337(if I remember correctly), even though I wasn’t aware of that when I downloaded it, having statically linked ncat made flag 3 much easier, especially because I never actually got root.

Keep It Simple, Stupid

After I had the user flag, I needed to get root. This was around the time that the dirty sock exploit had just been released so I was hoping for that to work but it had been patched. Then I downloaded Linux Exploit Suggester and ran that, there were no root exploits available. I started going through gotm1lk’s checklist for privilege escalation, this didn’t really get me anywhere but I spent way too much time on it. I also ran LinEnum and spent quite a bit of time going through that output, and again, found nothing. I was close to running out of time and I was getting desperate, I was trying everything I could think of. In an effort to find literally anything that could help me get root, I checked access logs and saw the “calling you on 1337” which prompted me to get the 3rd flag using the ncat binary I’d downloaded. I kept trying everything I could think of to get root, I probably tried everything two or three times but didn’t get root. After the 8 hour time limit expired, I asked someone who had got root what the solution was and found out the sudo account’s password was the same as it’s username.

Leave a Comment

Your email address will not be published. Required fields are marked *