"Very personal portefolio" (yup, portefolio was written like that) was a 100-point Web challenge at Nuit Du Hack 2018.
Because we can't access the platform anymore, this challenge shall remain without description for now.
Note: this writeup will most likely be updated with more details once the platform is online again.
We are provided with a url to a website. Since the platform has been taken down for now, this writeup will try to be as accurate as possible, but may lack some visual material.
The page opens to a static HTML page using exactly this template I believe. When looking at the source, we can observe a commented line that contains the URL
By searching for interesting files in the ~francois directory, we figure out that the folder is most likely a symlink to a home folder by stumbling upon a .bashrc file (with is very uninteresting) and a .bash_history file (which is very interesting).
The file contains a lot of different commands, some of them creating or opening files, but most of them do not work. At the end of the file are some lines where it seems that François (the likely name of the user) is trying to connect to a MySQL database, that look like that:
mysql --user ierg457srg76fgyg --password francois verypersonalportefolio.wargame.rocks mysql -user francois -password aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ verypersonalportefolio.wargame.rocks mysql -user aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ -password francois verypersonalportefolio.wargame.rocks ...
So, it seems like François is not quite sure how to connect to his MySQL database. First things first, we run
nmap on the target:
~$ nmap verypersonalportefolio.wargame.rocks Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-30 22:35 CEST Nmap scan report for verypersonalportefolio.wargame.rocks (192.168.165.14) Host is up (0.01s latency). Not shown: 998 closed ports PORT STATE SERVICE 80/tcp open http 3306/tcp open mysql Nmap done: 1 IP address (1 host up) scanned in 0.7 seconds
Bingpot! We can access MySQL from outside the server.
Connecting to the database
Now, all that's left is to figure out how to connect to the database (i.e. what are the right credentials?). We try all the possible permutations
ierg457srg76fgyg / francois ierg457srg76fgyg / aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g francois / ierg457srg76fgyg francois / aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g / ierg457srg76fgyg aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g / francois
but nothing seems to work… until we figure out that François is so bad at typing commands, that he sometimes writes
-password instead of
--password, which is like passing the password assword to the command.
With this in mind, we try some more and figure out the correct credentials:
~$ mysql --user ierg457srg76fgyg -password -h verypersonalportefolio.wargame.rocks
Now that we're connected to the database, it's just a matter of retrieving the flag:
mysql> show databases; +----------- | Database | +----------- | NDH_2018 | +----------+ 1 row in set (0.00 sec) mysql> use NDH_2018; mysql> show tables; +--------------------+ | Tables_in_NDH_2018 | +--------------------+ | NDH | +--------------------+ 1 row in set (0.00 sec) > select * from NDH; # And here we get some flag: ndh16_thisisarandomflagidonthavetherightone
There was nothing too impressive about this challenge, but it reminds us that we have to be painfully detail-oriented when analyzing a luser's command history! Overall, it was a fun warm up!