SherpaCTF - Oren (User)
hiya all! i participated in SherpaCTF with my very brilliant friends last weekend in Team Philanthropy. we had quite a bit of fun for our first overnight ctf and i hope everyone else who participated did too!
here is a writeup of one of the challenges i managed to complete, Oren

as port 80 has nothing, we'll check out the web server hosted on 8080

a dirbuster scan will show a login on /admin.php

this is intended to be an unexploitable rabbit hole. a few other things give clues on how to get user root:
- the title - oren - is, i believe, a reference to a well-known security researcher who found CVE-2024-4577 - a bypass of the earlier fix for CVE-2012-1823.

- phpinfo - the php version is stated here and you can use this to find the exploit mentioned.

then - all that's left is to exploit it
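
the phpinfo clue from the defender's side, as an added example that is not part of the original writeup: a small triage script that reads a phpinfo() page and says whether the host still needs the CVE-2024-4577 fix. the sample page, the hostname LAB-WEB and the verdict strings are constructed for illustration; the version numbers are the first patched releases (8.1.29, 8.2.20, 8.3.8).

```python
import re
from html import unescape

# first patched release per supported branch for CVE-2024-4577
FIXED = {(8, 1): (8, 1, 29), (8, 2): (8, 2, 20), (8, 3): (8, 3, 8)}

ROW = re.compile(r'<td class="e">(.*?)</td>\s*<td class="v">(.*?)</td>', re.S)
VER = re.compile(r'PHP Version\s+(\d+)\.(\d+)\.(\d+)')

# constructed sample of the relevant parts of a phpinfo() page
SAMPLE = '''<h1 class="p">PHP Version 8.1.25</h1>
<table>
<tr><td class="e">System </td><td class="v">Windows NT LAB-WEB 10.0 build 17763 AMD64 </td></tr>
<tr><td class="e">Server API </td><td class="v">CGI/FastCGI </td></tr>
</table>'''

def parse_phpinfo(html):
    """pull the version, System and Server API values out of a phpinfo() page"""
    m = VER.search(html)
    rows = {unescape(k).strip(): unescape(v).strip() for k, v in ROW.findall(html)}
    return {
        "version": tuple(map(int, m.groups())) if m else None,
        "system": rows.get("System", ""),
        "sapi": rows.get("Server API", ""),
    }

def is_patched(version):
    branch = version[:2]
    if branch in FIXED:
        return version >= FIXED[branch]
    # branches older than 8.1 were end-of-life and got no fix; newer ones shipped with it
    return branch > (8, 3)

def triage(html):
    info = parse_phpinfo(html)
    if info["version"] is None:
        return "unknown"
    if not info["system"].lower().startswith("windows"):
        return "not affected (non-windows)"
    if is_patched(info["version"]):
        return "patched"
    if "cgi" in info["sapi"].lower():
        return "exposed: upgrade now"
    # an apache-handler setup can still expose php-cgi.exe through a script alias
    return "unpatched: check whether php-cgi.exe is reachable"

if __name__ == "__main__":
    print(triage(SAMPLE))
```

a phpinfo page reachable without authentication is a finding on its own, since it hands out exactly the values this script reads.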


inside, there's an encryptedPassword.bin, a ps1 script to decrypt it and a user.zip. self-explanatory - use the .ps1 script to get the key and decrypt and unzip and bam user flag!

FOR ROOT, the intended solution, i believe, is to use the credentials found in admin.php after obtaining user and then use them to perform external exploitation of the AD environment. there is also an unintended solution of printspoofer
thanks for reading!