HTB Skyfall CTF Writeup

Executive Summary

Overview

The pentest conducted on Skyfall CTF's infrastructure revealed several critical vulnerabilities that could potentially allow unauthorized access to sensitive information and system control. The primary target of the assessment was the host at 10.10.11.254, which serves several virtual hosts including skyfall.htb and demo.skyfall.htb. The vulnerabilities identified ranged from information disclosure to vertical privilege escalation, with varying degrees of severity.

Key Findings

1. Security Bypass & Information Disclosure

A security bypass was identified in the demo.skyfall.htb domain, allowing unauthorized access to restricted endpoints and leading to sensitive information disclosure. This was achieved by exploiting guest credentials and manipulating URL parameters. The severity of this vulnerability is considered elevated, and it highlights the need for robust authentication and authorization mechanisms.

2. Critical Vulnerability in MinIO

A critical information disclosure vulnerability (CVE-2023-28432) was found in the MinIO storage service used by demo.skyfall.htb, allowing the exposure of sensitive environment variables including administrative credentials. The impact of this vulnerability is high due to the potential for comprehensive data compromise.

3. Initial Access via SSH and OTP

By exploiting the aforementioned vulnerabilities, attackers could gain initial access to the system through SSH, using sensitive information obtained from the MinIO service. This access was facilitated by the extraction and use of SSH keys and tokens related to the Hashicorp Vault service, indicating an elevated level of severity.

4. Vertical Privilege Escalation through Race Condition

A critical race condition vulnerability was exploited, allowing unauthorized elevation of privileges from the askyy user to root. This was achieved by manipulating file permissions and exploiting a script intended for administrative use. The exploitation of this vulnerability represents a significant security risk, with the potential for full system compromise.

Recommendations

Immediate actions should be taken to mitigate the identified vulnerabilities. This includes updating the MinIO service to a non-vulnerable version, implementing stronger access controls and authentication mechanisms, and reviewing and hardening all scripts and services running with elevated privileges. Regular security audits and assessments are also recommended to identify and mitigate future vulnerabilities.

Summary

The pentest of Skyfall CTF's infrastructure uncovered significant vulnerabilities that pose a substantial risk to the confidentiality, integrity, and availability of the system and its data. Addressing these vulnerabilities is crucial to securing the infrastructure against potential threats and ensuring the protection of sensitive information.

Initial Target - 10.10.11.254

Virtual Hosts: skyfall.htb, demo.skyfall.htb, prd23-s3-backend.skyfall.htb, prd23-vault-internal.skyfall.htb

Service Enumeration

IP Address      Ports Open
10.10.11.254    TCP: 22 (OpenSSH 8.9p1 Ubuntu 3ubuntu0.6), 80 (nginx 1.18.0 Ubuntu)

Target: Web Server (port 80/tcp)

Fig. 01: Skyfall's main website page

BS01: Security Bypass & Information Disclosure

Overview: During the security assessment of the demo.skyfall.htb domain, a vulnerability was identified, which allowed unauthorized users to bypass security mechanisms and access restricted information. This vulnerability, designated as BS01, revolves around the exploitation of improper access control mechanisms and highlights significant oversights in the security configuration of the web application.

Detailed Description: The vulnerability was discovered in the context of the web application hosted at demo.skyfall.htb. By leveraging guest credentials (guest:guest), an attacker can access sensitive information that should otherwise be restricted. The core of this security flaw lies in the web application's failure to properly enforce access controls, allowing authenticated users to retrieve information beyond their privilege level.

The exploitation process involves manipulating the URL to access the /metrics endpoint directly, despite the web server ostensibly denying such requests. By appending a Line Feed character (%0a) to the URL (http://demo.skyfall.htb/metrics%0a), attackers can circumvent the server's access controls. This bypass technique exploits the web server's handling of special characters in URLs, resulting in an elevation of access privileges.

Impact: The severity of this vulnerability is elevated due to the potential for unauthorized disclosure of sensitive information. The ability for an attacker to bypass security mechanisms not only compromises the integrity of the application's data but also undermines user trust and the foundational security principles of the system.

Recommendations: Ensure that the web application enforces strict access controls that validate user privileges before granting access to sensitive information. Also, implement rigorous input validation and sanitization measures to prevent manipulation of URLs and other inputs that can lead to security bypasses.

Steps to Reproduce:

  1. Authenticate on the demo.skyfall.htb web application using the guest credentials (guest:guest).
  2. Navigate to the /metrics endpoint and modify the request URL by appending a Line Feed character (%0a).
  3. Observe the unauthorized access to restricted information, highlighting the security bypass.

Fig. 02: Skyfall's demo page login form
Fig. 03: Skyfall's demo dashboard
Fig. 04: Metrics information via security bypass
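
An added illustration (not code from the writeup) of the class of flaw behind this bypass: a front-end rule that compares the raw request path against a fixed string, and a backend that percent-decodes the path and routes it with a regex anchored by '$', disagree about what /metrics%0a means. The backend framework and its routing regex are assumptions for illustration; the hardened check normalises the path and rejects control characters before deciding.

```python
import re
from urllib.parse import unquote

# Constructed front end / backend pair. The front end denies "/metrics" by comparing
# the raw request path to a fixed string; the backend percent-decodes the path and
# routes it with a regex anchored by '$'. In Python, '$' also matches just before a
# trailing '\n', so "/metrics\n" routes to the protected handler. (The writeup does
# not name the backend framework; this mechanism is an assumption for illustration.)
DENIED_PATHS = {"/metrics"}
ROUTE_DOLLAR = re.compile(r"^/metrics$")   # lenient: matches "/metrics" and "/metrics\n"
ROUTE_STRICT = re.compile(r"^/metrics\Z")  # '\Z' matches only at the true end of the string


def frontend_denies(raw_path: str) -> bool:
    """Naive front-end rule: exact comparison on the undecoded path."""
    return raw_path in DENIED_PATHS


def backend_matches(raw_path: str, route: re.Pattern = ROUTE_DOLLAR) -> bool:
    """Backend router: percent-decode, then match the route regex."""
    return route.match(unquote(raw_path)) is not None


def bypass_possible(raw_path: str) -> bool:
    """True when the front end passes the request but the backend still serves the
    protected route: the two components disagree about what the path means."""
    return not frontend_denies(raw_path) and backend_matches(raw_path)


def hardened_denies(raw_path: str) -> bool:
    """Fix on the deciding side: decode first, reject control characters outright,
    collapse trailing slashes, and only then compare against the deny list."""
    path = unquote(raw_path)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        return True                     # CR, LF, NUL, ... never belong in a path
    path = path.rstrip("/") or "/"
    return path in DENIED_PATHS
```

Switching the backend route to ROUTE_STRICT closes the same gap from the other side, since '\Z' does not tolerate a trailing newline.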

BS02: CVE-2023-28432

Overview: An identified vulnerability in MinIO's distributed deployment versions from RELEASE.2019-12-17T23-16-33Z up to and excluding RELEASE.2023-03-20T20-16-18Z exposes sensitive information, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. This vulnerability results from the system's improper handling of environment variables, which can be accessed by unauthorized users. It affects all users utilizing MinIO in a distributed deployment environment.

Detailed Description: The vulnerability centers on the cluster deployment configuration of MinIO, a popular high-performance, distributed object storage system. Specifically, it pertains to the way MinIO manages and secures environment variables critical to its operation and security. When exploiting this vulnerability, attackers can retrieve all environment variables of the MinIO instance, including highly sensitive information like MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. This flaw poses a security risk as it leads to sensitive information disclosure, providing attackers with the means to gain unauthorized access to the storage system and potentially compromise stored data.

The exploitation process is straightforward and involves initially leveraging another identified vulnerability, BS01, to discover the back-end internal virtual host name (prd23-s3-backend.skyfall.htb). Following this, an attacker can execute a POST request aimed at this internal vhost. This request is designed to interact with MinIO's bootstrap verification endpoint, which, due to the vulnerability, improperly exposes environment variables. This action results in the disclosure of critical administrative credentials, which can be used to gain full access to the MinIO storage system.

Impact: The severity of CVE-2023-28432 is considered high due to its potential to disclose highly sensitive information, undermining the confidentiality and integrity of the affected systems. The exposure of administrative credentials through this vulnerability can lead to unauthorized access, data manipulation, or even complete system compromise, posing significant risks to organizational security.

Recommendations: Immediately upgrade all MinIO cluster deployments to the latest release version that addresses this vulnerability (RELEASE.2023-03-20T20-16-18Z or later). Additionally, it is crucial to review and implement strict access control policies to limit exposure of sensitive endpoints and to audit environment variable handling to ensure sensitive information is appropriately protected. Employing network segmentation can also reduce the risk by limiting the access scope to critical infrastructure components.

Steps to Reproduce:

  1. Exploit BS01 to uncover the back-end internal vhost (prd23-s3-backend.skyfall.htb).
  2. Execute a POST request to the MinIO instance's bootstrap verification endpoint: curl -X POST http://prd23-s3-backend.skyfall.htb/minio/bootstrap/v1/verify. This request exposes sensitive environment variables, including the administrative credentials: 5GrE1B2YGGyZzNHZaIww:GkpjkmiVmpFuL2d3oRx0, thereby confirming the vulnerability.

Additional Insights:

More information on the matter can be found here.

Fortunately, in this case, it isn't possible to update the MinIO instance and replace the original binary with the "evil_minio" described in the article. The following error message is shown when we try to do so: mc: Unable to update the server. The specified method is not allowed against this resource.

Fig. 05: Environment variables leakage
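
Two defender-side checks, added here as an example and not taken from the writeup: is_affected() tests a MinIO release tag against the affected range stated above, and bootstrap_verify_hits() scans reverse-proxy access-log lines for the node-to-node bootstrap verify endpoint being reached from outside the cluster. The log format, sample addresses and user agents are constructed assumptions.

```python
import re
from datetime import datetime

# Two defender-side checks for CVE-2023-28432 (constructed example, not part of the
# writeup): is_affected() tests a MinIO release tag against the range the advisory
# gives, and bootstrap_verify_hits() flags reverse-proxy log lines in which the
# node-to-node bootstrap verify endpoint was reached from outside the cluster.
FIRST_AFFECTED = "RELEASE.2019-12-17T23-16-33Z"   # first affected release
FIRST_FIXED = "RELEASE.2023-03-20T20-16-18Z"      # fixed from this release on
BOOTSTRAP_VERIFY = "/minio/bootstrap/v1/verify"

_TAG = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z")
# nginx combined-format prefix: source, ident, user, [time], "METHOD path proto" status
_LOG = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_release(tag: str) -> datetime:
    """Turn RELEASE.YYYY-MM-DDTHH-MM-SSZ (optionally with a suffix) into a datetime."""
    m = _TAG.match(tag.strip())
    if not m:
        raise ValueError(f"not a MinIO release tag: {tag!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%S")


def is_affected(tag: str) -> bool:
    """True when FIRST_AFFECTED <= tag < FIRST_FIXED."""
    ts = parse_release(tag)
    return parse_release(FIRST_AFFECTED) <= ts < parse_release(FIRST_FIXED)


def bootstrap_verify_hits(log_lines, cluster_nodes):
    """Return (source, status) for each POST to the bootstrap verify endpoint whose
    source is not a known cluster node. Even on a patched server such requests are
    not normal traffic and deserve an alert."""
    hits = []
    for line in log_lines:
        m = _LOG.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] == BOOTSTRAP_VERIFY and m["src"] not in cluster_nodes:
            hits.append((m["src"], int(m["status"])))
    return hits


# Constructed sample log: one external probe, one intra-cluster call, one unrelated request.
SAMPLE_LOG = [
    '10.10.14.5 - - [10/Feb/2024:12:00:01 +0000] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 1450 "-" "curl/8.5.0"',
    '10.10.11.254 - - [10/Feb/2024:12:00:02 +0000] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 1450 "-" "minio-node"',
    '10.10.14.5 - - [10/Feb/2024:12:00:03 +0000] "GET /minio/health/live HTTP/1.1" 200 0 "-" "curl/8.5.0"',
]
```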

Initial Access

BS03: SSH Session via OTP

Overview: Exploiting the vulnerability described in BS02 allows attackers to obtain critical administrative credentials for the MinIO instance. This breach enables unauthorized access to sensitive backups, including SSH keys and Hashicorp Vault tokens belonging to a user named askyy. The exposure of these elements significantly increases the risk of further unauthorized access, not only to the MinIO storage system but also to other critical infrastructure components through SSH and Hashicorp Vault.

Detailed Description: Following the administrative access gained from exploiting BS02, attackers can use the mc client to interact with the MinIO instance and extract backups containing highly sensitive information. One such backup includes SSH keys and tokens for Hashicorp Vault, a tool used for secrets management. Although the SSH keys from the initial backup version were ineffective, subsequent analysis revealed crucial information within the .bashrc file of a later version. This information provided access details to a Hashicorp Vault instance, including the API address and a valid access token.

The ability to access Hashicorp Vault using these tokens allows attackers to potentially retrieve additional secrets, such as credentials, API keys, or even database passwords, stored within the Vault. This access further elevates the attacker's capacity to compromise systems, escalate privileges, or conduct further attacks against the internal network infrastructure.

Impact: The severity of BS03 is considered elevated due to the layered impact of this vulnerability. Initial unauthorized access to administrative credentials leads to further exploitation possibilities, including SSH access and manipulation of Vault secrets. The compromise of these systems can lead to a broad spectrum of adverse outcomes, from data theft to the complete subversion of affected systems.

Recommendations:

  • Immediately revoke the exposed SSH keys and Vault tokens, preventing their use for unauthorized access.
  • Upgrade MinIO instances to secure versions as recommended in BS02 to prevent initial unauthorized access.
  • Conduct a comprehensive security review of all backup and storage practices to ensure sensitive information, such as SSH keys and Vault tokens, is encrypted and securely stored.
  • Educate staff on the importance of secure backup practices and the potential risks associated with storing sensitive information in insecure formats.

Steps to Reproduce:

  1. Install the mc client.
  2. Add an alias to the client using the credentials discovered in BS02: mc alias set skyfall http://prd23-s3-backend.skyfall.htb 5GrE1B2YGGyZzNHZaIww GkpjkmiVmpFuL2d3oRx0
  3. List all files in the storage system recursively, including older object versions: mc ls --recursive --versions skyfall
  4. Download the specified version of askyy's home backup, which contains the crucial .bashrc file: mc cp skyfall/askyy/home_backup.tar.gz ./backup.tar.gz --version-id=2b75346d-2a47-4203-ab09-3c9f878466b8
  5. Extract the downloaded archive to obtain the .bashrc file with the Vault details: tar -xf backup.tar.gz
  6. Set the environment variables with the Vault details found in .bashrc: export VAULT_API_ADDR="http://prd23-vault-internal.skyfall.htb" and export VAULT_TOKEN="hvs.CAESIJlU9JMYEhOPYv4igdhm9PnZDrabYTobQ4Ymnlq1qY-LGh4KHGh2cy43OVRNMnZhakZDRlZGdGVzN09xYkxTQVE"
  7. List the available Vault SSH roles: vault list -address=$VAULT_API_ADDR ssh/roles
  8. To log in as askyy, run the following command and follow the instructions printed in the terminal: vault ssh -address=$VAULT_API_ADDR -role dev_otp_key_role -mode OTP askyy@skyfall.htb

Fig. 06: Listing all files available in the MinIO instance
Fig. 07: Vault token leakage
Fig. 08: Foothold on Skyfall CTF as "askyy" user
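
As an added example (not the writeup's or the box's tooling), a scanner of the kind the backup recommendations above call for: it opens a home-directory backup archive and flags Vault service tokens (the "hvs." prefix seen in .bashrc), the Vault address export and PEM private keys before such an archive is ever uploaded. The archive contents and all token and key values are constructed placeholders.

```python
import io
import re
import tarfile

# Added example, not part of the writeup: scan a home-directory backup archive (the
# kind stored in the MinIO bucket) for secrets that should never sit in a backup in
# clear text: Vault service tokens (the "hvs." prefix seen in .bashrc), the Vault
# address export, and PEM private keys. The archive is built in memory with
# placeholder values so the scanner can be run offline.
PATTERNS = {
    "vault_token": re.compile(r"\bhvs\.[A-Za-z0-9_\-]{20,}"),
    "vault_addr": re.compile(r"VAULT_API_ADDR=\S+"),
    "private_key": re.compile(r"-----BEGIN (?:OPENSSH |RSA |EC |DSA )?PRIVATE KEY-----"),
}


def scan_backup(data: bytes, max_member_size: int = 4 * 1024 * 1024):
    """Return (member name, finding kind, redacted match) for every hit in a .tar.gz."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile() or member.size > max_member_size:
                continue                      # skip dirs, links and oversized blobs
            text = tar.extractfile(member).read().decode("utf-8", errors="replace")
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(text):
                    findings.append((member.name, kind, m.group(0)[:12] + "..."))
    return findings


def build_sample_backup() -> bytes:
    """Constructed archive: a .bashrc with Vault exports, a key file, and a benign file."""
    files = {
        "home/askyy/.bashrc": "\n".join([
            "alias ll='ls -l'",
            'export VAULT_API_ADDR="http://prd23-vault-internal.skyfall.htb"',
            'export VAULT_TOKEN="hvs.PLACEHOLDER_TOKEN_VALUE_NOT_REAL_0000"',  # placeholder
            "",
        ]),
        "home/askyy/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n"
                                  "-----END OPENSSH PRIVATE KEY-----\n",
        "home/askyy/notes.txt": "nothing sensitive here\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            raw = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(raw)
            tar.addfile(info, io.BytesIO(raw))
    return buf.getvalue()
```

Matches are truncated to their first twelve characters so the scanner's own report does not become a second copy of the secret.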

Post-Exploitation

BS04: Vertical Privilege Escalation - Race Condition

Overview: A critical vulnerability has been identified that allows for vertical privilege escalation due to a race condition within the system. Specifically, the user askyy possesses the capability to execute the script /root/vault/vault-unseal. While this in itself does not constitute a direct security risk, a remote attacker with access to askyy's account can exploit a race condition vulnerability associated with this script. This exploitation enables the attacker to read sensitive data from a debug file generated during the script's execution. The information within this debug file can provide an attacker with the means to escalate privileges and gain root access via SSH.

Detailed Description: This vulnerability exploits the brief window of time during which sensitive data is written to and accessible within a debug file. By creating a race condition through simultaneous operations, an attacker can force the system into an unintended state where the debug file, intended to be securely handled, becomes readable by the askyy user. This file contains sensitive data, including a root vault token, which can be leveraged to authenticate as the root user through Hashicorp Vault's SSH capabilities.

The process involves initiating two SSH sessions with the askyy user credentials obtained from exploiting BS03. In one session, the attacker continuously creates a debug log file to exploit the race condition, while in the other, the attacker triggers the execution of the vault-unseal script. This coordination allows the attacker to access and read the debug file, extracting the root vault token and other sensitive information contained within.

Impact: The severity of this vulnerability is rated as extreme due to the direct pathway it provides for unauthorized privilege escalation to root access. This escalation allows an attacker to gain complete control over the system, posing a significant threat to the integrity, confidentiality, and availability of the system's resources and data.

Recommendations:

  • Apply strict permissions and access controls to critical scripts and files, ensuring they cannot be executed or accessed by unauthorized users.
  • Regularly audit and monitor system activities to detect and respond to unauthorized attempts to exploit race conditions or other vulnerabilities.
  • Employ real-time intrusion detection systems that can identify and alert on unusual activity patterns indicative of exploitation attempts.

Steps to Reproduce:

  1. Gain SSH access as askyy by following the steps outlined in BS03.
  2. In one SSH session, execute a loop that continuously creates a debug.log file in /home/askyy: while true; do touch debug.log; done.
  3. In a second SSH session, execute the vault-unseal script as root, ensuring that the debug file is generated in the same location: sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -vd.
  4. Access the debug.log file, extracting the sensitive root vault token and other information.
  5. Export the token to your local machine: export VAULT_TOKEN=hvs.I0ewVsmaKU1SwVZAKR3T0mmG
  6. Use vault ssh to generate an OTP code and log in as root: vault ssh -address=$VAULT_API_ADDR -role admin_otp_key_role root@skyfall.htb

Fig. 09: Debug information leakage
Fig. 10: Root privilege escalation
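
An added example, not the box's vault-unseal script, showing the root cause behind this race and its fix: a privileged tool that opens its debug file with a plain truncating open() in a directory the caller controls writes into whatever file the caller pre-created, inheriting that file's permissions; creating the file with O_EXCL, O_NOFOLLOW and mode 0600 refuses the planted file. The secret written is a placeholder.

```python
import os
import stat
import tempfile

# Added example, not the box's vault-unseal script: why a privileged tool must not
# write its debug output into a directory the unprivileged caller controls.
# unsafe_debug_write() mimics a tool that opens "debug.log" with a plain truncating
# open(); if the caller pre-created that name, the tool pours its secrets into the
# caller's world-readable file. safe_debug_write() refuses any pre-existing entry or
# symlink and creates the file itself with mode 0600. The secret is a placeholder.
SECRET_LINE = "root_token=hvs.PLACEHOLDER_ROOT_TOKEN\n"


def unsafe_debug_write(path: str) -> int:
    """Plain open(): reuses whatever exists at `path`, keeping its owner and mode.
    Returns the file's permission bits afterwards."""
    with open(path, "w") as fh:            # follows symlinks, keeps existing permissions
        fh.write(SECRET_LINE)
    return stat.S_IMODE(os.stat(path).st_mode)


def safe_debug_write(path: str) -> int:
    """Create the file ourselves or fail: O_EXCL refuses an existing entry, O_NOFOLLOW
    refuses a symlink, and 0o600 is applied at creation (further masked by umask)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    try:
        os.write(fd, SECRET_LINE.encode())
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Returns (mode left by the unsafe write, whether the safe write refused the
    pre-created file, mode of the file the safe write created on a fresh name)."""
    with tempfile.TemporaryDirectory() as d:
        planted = os.path.join(d, "debug.log")
        with open(planted, "w"):           # the caller's pre-created, world-readable file
            pass
        os.chmod(planted, 0o644)
        unsafe_mode = unsafe_debug_write(planted)   # still 0o644: the secret is now readable
        try:
            safe_debug_write(planted)
            refused = False
        except FileExistsError:
            refused = True
        safe_mode = safe_debug_write(os.path.join(d, "debug-safe.log"))
        return unsafe_mode, refused, safe_mode
```

Pairing the safe open with a destination directory owned by root, rather than the caller's current working directory, removes the race entirely instead of merely detecting it.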

Conclusion

We hope you have found our content on HTB Skyfall CTF useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon! 
