cscg24-guacamole

CSCG 2024 Challenge 'Guacamole Mashup'
git clone https://git.sinitax.com/sinitax/cscg24-guacamole

notes (2197B)


key on the server for token is actually replaced with
"https://en.wikipedia.org/wiki/Security_through_obscurity"[:32]

for the second part, the tag is "Windows". we can assume we need
to at least run the exploit from windows.. why?
=> the only thing we don't have access to in the websockettunnel is
the handshake.. we will probably want to manipulate that
or (more likely) make the guacd connect to a new service on
the windows vm we expose that sends malicious responses

ideas:
- make guac sftp connect to itself to read out /proc/XXX/environ as same user
 => guacd container does not have ssh connection available

flag1:
- rdp protocol has a "get" instruction handler that allows file downloads
 from a specified virtual "drive".. (basically just a folder)
- on connection we enable the drive and set the drive-path to "/"
- for that we add the following parameters:
	- "enable-drive": true,
	- "drive-name": "root",
	- "drive-path": "/",
	- "disable-download": false,
	- "disable-upload": false,
	- "create-drive-path": false
- we can start the frontend against the remote session using:
  sudo docker-compose run -p 3000:3000 -e SESSIONID=ea3ce824d8cdcd053eb90995 -e CHALLENGE_DOMAIN=challenge.cscg.live guac_frontend
- this flag is basically just to understand the rough protocol
- we request the input stream via "get"
- the server sends a "body" response which signifies a new stream
- server sets up an ack handler to send "blob"s as long as there is data after every ack
- we handle that body and send an ack to signify readiness
- collect blobs as base64 and decode for flag
- you should be able to get the flag by just navigating to the
  virtual drive created by rdpdr (RDP Drive Redirection virtual channel)
  created for the root path
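
The get/body/ack/blob exchange listed above, as an added example that is not part of these notes: a small parser for the Guacamole wire format (LENGTH.VALUE elements, comma-separated, semicolon-terminated) that reassembles a body/blob/end download across chunk boundaries and records the acks a client would send back. The sample stream, mimetype and file name are constructed.

```python
import base64

def encode(opcode: str, *args: str) -> str:
    """Serialise one instruction: LENGTH.VALUE elements, ','-joined, ';'-terminated."""
    return ",".join(f"{len(e)}.{e}" for e in (opcode, *args)) + ";"

def parse_instructions(buf: str):
    """Return (list of (opcode, args), unparsed tail); LENGTH counts code points."""
    out, pos = [], 0
    while True:
        elems, p = [], pos
        while True:
            dot = buf.find(".", p)
            if dot < 0:
                return out, buf[pos:]            # length prefix not complete yet
            n = int(buf[p:dot])
            start, stop = dot + 1, dot + 1 + n
            if stop >= len(buf):
                return out, buf[pos:]            # value or separator not received yet
            elems.append(buf[start:stop])
            sep = buf[stop]
            if sep not in ",;":
                raise ValueError(f"bad separator {sep!r} at offset {stop}")
            p = stop + 1
            if sep == ";":
                break
        out.append((elems[0], elems[1:]))
        pos = p

class StreamCollector:
    """Reassembles object downloads (body -> blob* -> end) and records the acks to send back."""
    def __init__(self):
        self.buf, self.open, self.done, self.replies = "", {}, {}, []
    def feed(self, chunk: str):
        self.buf += chunk                        # tolerate instructions split across chunks
        instrs, self.buf = parse_instructions(self.buf)
        for op, args in instrs:
            if op == "body":                     # body stream object mimetype name
                self.open[args[0]] = {"name": args[3], "data": bytearray()}
                self.replies.append(encode("ack", args[0], "OK", "0"))
            elif op == "blob":                   # blob stream base64-data
                self.open[args[0]]["data"] += base64.b64decode(args[1])
                self.replies.append(encode("ack", args[0], "OK", "0"))
            elif op == "end":                    # end stream
                s = self.open.pop(args[0])
                self.done[s["name"]] = bytes(s["data"])
        return instrs

# Constructed sample traffic: body, two blobs and end for stream 3; mimetype and name are made up.
SAMPLE = "4.body,1.3,1.0,10.text/plain,8.flag.txt;4.blob,1.3,8.aGVsbG8g;4.blob,1.3,8.d29ybGQK;3.end,1.3;"
```

Feeding the tunnel's server-to-client text through `feed` is also a cheap way to log which files a session actually transferred.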

ideas:
- this file reading/writing will probably be part of the vulnerability

flag2:
- for debug, make frontend connect to our own windows machine (while working on linux)
- write to /proc/self/mem through rdpdr on windows side
- written as python script that searches for rdp handler thread and
  write rop chain to be activated on session close (pop rdi, "/opt/flagtool readflag > /tmp/flag", system, exit)
- compile python script with pyinstaller
