c0c0n XI DomeCTF Writeup — India — Team RedX!!


Challenge — India:

Get inside the Bakery! https://bakery.domectf.in/

Note: This is Base. Try to write your (only) team name in the file /tmp/DOMECTF_BASE. It’s your skill to protect the base file from others.

nc 142.93.218.213 12345

How we solved?

This is the first time I am playing a CTF a challenge like this. This is a kind of challenge named “Bases” and there is no flag for this!!

We got the following rule regarding Bases:

“Bases are problems that are part of the “King of the hill” type of games. Bases represent a system that has to be compromised and whoever takes it gets a number of points, the first time. In addition to that, it also rewards control points based on time. It will get one point per five minutes. Also, please note that the base score file will reset in every hour”

We guessed the following things after reading the challenge:

  1. What we have to do is write our name to the file /tmp/DOMECTF_BASE.
  2. The path /tmp/DOMECTF_BASE looks like internal path
  3. The path http://142.93.218.213:12345 will show our team name if we succeeded (this information is already provided)
  4. Looks like we need to get a reverse shell or at least a possibility to execute commands on server for writing the file DOMECTF_BASE

We should be able to execute commands on this server to write files. For that we need to find any vulnerabilities like file upload, RFI, LFI etc. Browsing through the website https://bakery.domectf.in/, We didn’t find any. The website is a plain html template (does not appear any server side scripts are used). There should be some other hidden page or directory which may net be a part of the main site. So we started spidering using Burp. Instantly we notified a special URL https://bakery.domectf.in/DARTONEC/login.php

Great, a login page. Started guessing password. Luckily password “password” worked. It was SQL Buddy (Web based MySQL administration) and we got access to its Buddy Home Page. Happy, we reached somewhere in the middle of this challenge.

We made a quick search in Google for SQL Buddy vulnerabilities. The first one was SQL Buddy 1.3.3 — Remote Code Execution. We had not checked the version of SQL Buddy, but anyway we planned to try the steps mentioned in that page.

We did the following steps as mentioned in Exploit DB:

  1. Use a sql server you control and have a valid credentials for (You canuse one of the free mysql hosting services).
  2. Create a database and a table with one column of type text.
  3. Insert the php code you want to execute into that table.
  4. Choose the previously created table from the left menu.
  5. Click Export from the top menu.
  6. Choose CSV format.
  7. Choose “Text File” and name the file with php extension for example shell.php.

Awesome it worked! Accessing “Download” link gave us the php web shell. We wrote our team name RedX using echo command

That was success, we got our team name displayed in http://142.93.218.213:12345/

So the challenge is completed right? Not really. We need to keep our team name in the file atleast 5min inorder to get updated the score in scoreboard. There were already one team compromised this base and they are writing this file with their team name. They could develop a script to write this file every second or a fraction of second. Somehow we got this challenge, we made our name to be in the file for 5min and the scoreboard updated. We got point!

The challenge is not still completed. The file should always contain our team name RedX to get additional points. Whoever makes their team name written in the file for long long, they will get more points. Creating a custom script is an idea. Anyway we did not try to make scrip for this. It was midnight and we were sleepy. :P Instead, we used Burp intruder to make request. This could definitely make an attack in DoS point of view, especially when multiple teams try. We left the Burp Intruder running in a Google cloud instance (Google cloud was my favorite platform where I can easily create and manage instances: D).

This was one of the cool CTF I ever played, with lot of challenges from different areas like web, network, forensics etc. I can never stop here without mentioning my teammate Sreelakshmy, her knowledge and skill is an unavoidable factor in winning as a team RedX. And also thanks AppFabs for organizing this CTF and our hearty congrats to the team RedRaptor who was one of our major competitor ended in 2nd position.