Cover Illustration source https://www.pixiv.net/en/artworks/112523817
Hello all, so I just decided to start blogging again, but I didn't know what to write in this blog. So I just rewrote my old blog post in English with some adjustments and revisions. :D
Back in 2022 I participated alone in the HTB Business CTF just for fun, because I was curious about their Cloud category, and there were only 2 challenges in that category, lol.
Let's start with the first challenge, called Trade. Here is the challenge description:
With increasing breaches there has been equal increased demand for exploits and compromised hosts. Dark APT group has released an online store to sell such digital equipment. Being part of defense operations, can you help disrupt their service?
Anyway, before starting to solve the challenge, some context: to access the challenge I needed to connect to the VPN that the HTB platform provides. That's why the AWS endpoint here is a bit different from the usual one. I assume they deploy AWS-like services using a tool called LocalStack on their own server.
This challenge only gives us an IP address where the service is running, without any further explanation of what kind of service is running. So my first step was running Nmap against the IP address to find out which services are running and on which ports.
As we can see, there are 3 ports open with 3 different services running: an SSH server, an HTTP server and Subversion.
Let's dig into each of the running services.
1. Port 80 - Web server
Opening the given IP address in the browser, we get this login page. Just a usual login page, nothing special.
2. Port 3690 - Subversion
Next, access Subversion using the svn client. FYI, Subversion is a version control system, just like git, which is a tool usually used to manage our code in a repository. So the idea here is that maybe we can dump the code running on the HTTP server to get some credentials.
First, we list the repositories available in Subversion, then clone the repository to our local machine. We found the /store repository and cloned it locally. We got 3 files: README.md, dynamo.py and sns.py.
In the dynamo.py file there is a hard-coded username and password stored in DynamoDB; I assumed we could use these credentials to log in to the login page we found earlier.
So I tried to log in using the credentials I just found, and it worked. But there is another authentication step that asks for our OTP.
Well, there is another file called sns.py, but nothing interesting there. But since it is stored in a version control system, maybe we can find something interesting in a previous version. Checking the logs of the repository, we found several modifications, so we try reverting one by one to check previous code versions.
When going back to revision 2, there are hard-coded AWS access and secret keys.
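The leak here is the classic "HEAD is clean, history is not" problem: the keys were removed in a later commit, but every revision is still served by the repository. The following is an added example, not the challenge's own code, of how a defender would sweep every revision of a file for AWS-key-shaped strings instead of only the checked-out copy. The sample history of sns.py is constructed for the example (the AWS secret is the well-known placeholder from the AWS documentation), and the fetch_revisions helper that drives the real svn client is hypothetical usage that the sample run does not touch.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Patterns for the two secrets this write-up found: an AWS access key ID
# (always "AKIA" followed by 16 upper-case alphanumerics) and a 40-character
# secret key assigned to a variable whose name mentions the secret.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
AWS_SECRET_KEY_RE = re.compile(
    r"""(?i)aws_secret_access_key\s*=\s*["']([A-Za-z0-9/+=]{40})["']"""
)

# Constructed sample history of sns.py (NOT the challenge's real file):
# revision 2 introduces hard-coded keys, revision 3 removes them again, so a
# scan of HEAD alone would report nothing.
SAMPLE_REVISIONS: Dict[int, str] = {
    1: 'import boto3\nclient = boto3.client("sns", endpoint_url="http://cloud.htb")\n',
    2: (
        "import boto3\n"
        'client = boto3.client("sns", endpoint_url="http://cloud.htb",\n'
        '    aws_access_key_id="AKIAEXAMPLE000000001",\n'
        '    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")\n'
    ),
    3: (
        "import boto3, os\n"
        'client = boto3.client("sns", endpoint_url="http://cloud.htb",\n'
        '    aws_access_key_id=os.environ["AWS_ACCESS_KEY_ID"],\n'
        '    aws_secret_access_key=os.environ["AWS_SECRET_ACCESS_KEY"])\n'
    ),
}


def scan_revisions(revisions: Dict[int, str]) -> List[Tuple[int, str, str]]:
    """Return (revision, finding kind, matched text) for every revision whose
    content contains an AWS-key-shaped secret, oldest revision first."""
    findings: List[Tuple[int, str, str]] = []
    for rev in sorted(revisions):
        content = revisions[rev]
        for m in AWS_ACCESS_KEY_RE.finditer(content):
            findings.append((rev, "access_key_id", m.group(0)))
        for m in AWS_SECRET_KEY_RE.finditer(content):
            findings.append((rev, "secret_access_key", m.group(1)))
    return findings


def fetch_revisions(repo_url: str, path: str) -> Dict[int, str]:
    """Hypothetical helper: pull every revision of one file out of a real svn
    repository. 'svn log -q' prints one 'rN | author | date' line per
    revision and 'svn cat -r N' prints that revision of the file."""
    log = subprocess.run(
        ["svn", "log", "-q", repo_url], capture_output=True, text=True, check=True
    ).stdout
    revs = [int(m.group(1)) for m in re.finditer(r"^r(\d+) \|", log, re.M)]
    return {
        rev: subprocess.run(
            ["svn", "cat", "-r", str(rev), f"{repo_url}/{path}"],
            capture_output=True, text=True, check=True,
        ).stdout
        for rev in revs
    }


if __name__ == "__main__":
    # Run over the constructed history; print only a prefix so the report
    # itself does not become a second copy of the secret.
    for rev, kind, value in scan_revisions(SAMPLE_REVISIONS):
        print(f"r{rev}: {kind} = {value[:4]}... (redacted)")
```

The point of iterating over every revision is that the only finding is in r2; r1 and r3 are clean, which is exactly the situation a scan of the working copy misses.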
So, using those keys we can authenticate to the AWS-like services. To set up, I just need to add the hostname cloud.htb with the challenge IP address in /etc/hosts, then use cloud.htb as our endpoint-url. Then try to list what topics are available in our account.
Well, there is only 1 topic, called otp. We need to subscribe to the otp topic so we can continue our login. Since the service is running inside the HTB network, the easiest way to subscribe is using an HTTP endpoint.
The setup is simple: we just need to open port 80 on our VPN IP address; in this case I'm using the nc command so I can see the raw HTTP request. After the setup is done, I just subscribe to the otp topic using the command below:
Then try to log in again and wait for the OTP to hit our HTTP endpoint, get the OTP code and continue our login.
Here is the website's appearance after we successfully log in.
After exploring for a while, I found a search page that accepts some input string. After some trial I got an error message that revealed some information when I input `"`.
It looks like this input is passed directly to DynamoDB. So I just googled for some DynamoDB injection or something similar to dump information from the db.
Well, I found that we can do some injection to dump all the data inside DynamoDB, and here is the input I used to dump all the data.
So we can see all the data inside the database. But I still had no idea what these credentials were used for.
After a while I guessed they were credentials to access the machine directly using SSH, since it is the only service we hadn't touched yet.
Finally, when I SSH'd in using the username mario, the authentication succeeded, and then I just needed to read the flag.txt file. Yeaaay, first challenge solved!!!
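The write-up does not show how the search page builds its DynamoDB request, only that a stray quote character reaches the database as query syntax. The following is an added example, not the challenge's dynamo.py, that assumes the search is a PartiQL ExecuteStatement over a hypothetical `store` table with an `item` attribute, and puts the string-splicing anti-pattern next to its parameterised form so the fix is concrete; the table name, attribute name and input allow-list are assumptions.

```python
import re
from typing import Any, Dict

# Hypothetical schema; the real store's table and attribute names are not shown.
TABLE = "store"
MAX_QUERY_LEN = 64
# Allow-list for a product search box: letters, digits, space, '_', '.', '-'.
ALLOWED_QUERY_RE = re.compile(r"^[A-Za-z0-9 _.-]*$")


def build_search_unsafe(user_input: str) -> Dict[str, Any]:
    """The anti-pattern: user text is spliced into the PartiQL statement.
    A quote character in the input terminates the string literal early, so
    the database sees a malformed statement (the parser error observed on
    the search page) and the rest of the statement becomes caller-controlled."""
    statement = f"SELECT * FROM \"{TABLE}\" WHERE item = '{user_input}'"
    return {"Statement": statement}


def build_search_safe(user_input: str) -> Dict[str, Any]:
    """Hardened form: the statement is a constant and the value travels in
    the Parameters list as a typed attribute value, so DynamoDB never parses
    user text as query syntax. The length cap and allow-list are defence in
    depth on top of parameterisation, not a substitute for it."""
    if len(user_input) > MAX_QUERY_LEN or not ALLOWED_QUERY_RE.match(user_input):
        raise ValueError("rejected search input")
    statement = f"SELECT * FROM \"{TABLE}\" WHERE item = ?"
    return {"Statement": statement, "Parameters": [{"S": user_input}]}


def literal_is_closed(request: Dict[str, Any]) -> bool:
    """Diagnostic only: an odd number of single quotes means a string literal
    was left open, which is the symptom the write-up triggered with one
    quote character."""
    return request["Statement"].count("'") % 2 == 0


if __name__ == "__main__":
    # Sending the safe request needs boto3 and real credentials; shown as
    # hypothetical usage only, the example runs offline without it.
    # import boto3
    # client = boto3.client("dynamodb", endpoint_url="http://cloud.htb")
    # client.execute_statement(**build_search_safe("exploit kit"))
    print(build_search_unsafe("'"))
    print(build_search_safe("exploit kit"))
```

The safe builder is the one to copy: with a parameter placeholder the user's text can never change the shape of the statement, so a single `"` or `'` turns into a search for that character rather than an error, and there is nothing left for an injection payload to rewrite.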