ECW 2018 - Web - SysIA

ECW 2018 is a French Jeopardy challenge organized by the PEC (French Pôle d’Excellence Cyber) in partnership with the Bretagne county, Airbus and Thales. SysIA is a challenge based on a LFI (Local File Inclusion) exploitation using the bash_history and the updatedb tool to find the flag.

From 06/10 to 21/10 2018, it will be used as a pre-selection for the final Capture The Flag event, which will start on 21 November 2018 at the the European Cyber Week conference in Rennes.

Discovery

The challenge starts with the following statement:

Our young sysadmin IA still does some human errors.
I guess it still has to learn before production.
But we can't afford to delay it another time !

A first information is also given by organizers: “An easy good old PHP challenge;)” allows us to close some possibilities right now.

So we land on a website talking about “deep learning”.

ECW2018_sysia_1

After some navigation on different pages, which seem to be only vitrine pages, I checked the “robots.txt” file and found something suspicious…

ECW2018_sysia_2

Ok, let’s go to the non-indexed page. Here is it :

ECW2018_sysia_3

The experience and indications left by organizers show us a way… It smells like LFI !

LFI - Exploitation

Like any good POC, we will try to prove the presence of a Local File Inclusion (LFI) vulnerability by displaying the contents of the “/etc/passwd” file which is normally readable.

https://web075-sysia.challenge-ecw.fr/notinterestingfile.php?page=../../../../etc/passwd

ECW2018_sysia_4

Bingo! We have a nice LFI. Now…. What are we looking for? It is possible to read some files on the server, so we will try to get as much information as possible. After a few tests, we’re going to check the file containing the history of commands executed by the user, the “bash_history” file, which can contain valuable information. As long as we are in a docker, we’re going to go look the file for the root user.

https://web075-sysia.challenge-ecw.fr/notinterestingfile.php?page=../../../../root/bash_history

ECW2018_sysia_5

In order to be able to read the file content, we go directly to the page sources. After a quick look at the file content, we notice the presence of a sequence of 3 interesting commands:

  • locate flag.txt
  • updatedb
  • locate flag.txt

ECW2018_sysia_6

A little thing I didn’t know, the “updatedb” tool allows you to update the known paths database used by locate. Thus, after some research, we learn that the content of this database is stored in the file “/var/lib/mlocate/mlocate.db”. Therefore… We should find the path to the flag.txt file. In order to avoid manual search, we will search directly for the “ECW” string.

https://web075-sysia.challenge-ecw.fr/notinterestingfile.php?page=../../../../var/lib/mlocate/mlocate.db

ECW2018_sysia_7

Bingo, we have a path !

Getting the flag

We can directly read the content of the flag.txt file through our LFI, and then get the flag of the challenge.

https://web075-sysia.challenge-ecw.fr/notinterestingfile.php?page=../../../../var/www/ECW/solution/web/lfi/flag.txt

ECW2018_sysia_8

In the end, a fairly simple challenge presenting a LFI without any restrictions but having the advantage of integrating a slightly more realistic exploitation. Cool one! :)

References

ECW 2017 - Web - Path Through ECW 2018 - Web - Troll.JSP