notes (2197B)
key on the server for token is actually replaced with
"https://en.wikipedia.org/wiki/Security_through_obscurity"[:32]

for the second part, the tag is "Windows". we can assume we need
to at least run the exploit from windows.. why?
=> the only thing we don't have access to in the websocket tunnel is
the handshake.. we will probably want to manipulate that
or (more likely) make guacd connect to a new service on
the windows vm we expose that sends malicious responses

ideas:
- make guac sftp connect to itself to read out /proc/XXX/environ as same user
  => guacd container does not have ssh connection available

flag1:
- guacamole's rdp protocol handler has a "get" instruction handler that allows file downloads
  from a specified virtual "drive".. (basically just a folder on the guacd side)
- on connection we enable the drive and set the drive-path to "/"
- for that we add the following connection parameters:
  - "enable-drive": true,
  - "drive-name": "root",
  - "drive-path": "/",
  - "disable-download": false,
  - "disable-upload": false,
  - "create-drive-path": false
- we can start the frontend against the remote session using:
  sudo docker-compose run -p 3000:3000 -e SESSIONID=ea3ce824d8cdcd053eb90995 -e CHALLENGE_DOMAIN=challenge.cscg.live guac_frontend
- this flag is basically just to understand the rough protocol
- we request a read stream for the file via "get"
- the server sends a "body" response which signifies a new stream
- the server sets up an ack handler that sends the next "blob" after every ack, as long as there is data left
- we handle that body and send an ack to signify readiness
- collect blobs as base64 and decode for the flag
- you should be able to get the flag by just navigating to the
  virtual drive created by rdpdr (RDP Drive Redirection virtual channel)
  for the root path

ideas:
- this file reading/writing will probably be part of the vulnerability

flag2:
- for debug, make frontend connect to our own windows machine (while working on linux)
- write to /proc/self/mem through rdpdr on the windows side
- written as a python script that searches for the rdp handler thread and
  writes a rop chain to be activated on session close (pop rdi, "/opt/flagtool readflag > /tmp/flag", system, exit)
- compile the python script with pyinstaller
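The stream exchange sketched under flag1 (get, body, ack, blob, end) together with the upload direction (put, ack, blob, end) that the flag2 write through rdpdr depends on, as an added Python simulation. This is not part of these notes and not Guacamole's code: both sides are scripted here, FakeGuacd is a constructed stand-in for guacd that keeps the "drive" in a dict instead of the drive-path directory, the sample file contents are made up, and the "OK" ack text, the octet-stream mimetype and the stream numbering are assumptions about guacd's behaviour rather than captured traffic. The framing (length-prefixed elements, "," separators, ";" terminator, lengths in characters) and the opcodes follow the Guacamole protocol.

```python
import base64

# Guacamole wire format: elements are "LEN.value", joined by "," and the
# instruction ends with ";". LEN counts characters (code points), not bytes.

def encode(*elements):
    """Encode one instruction, e.g. encode("get", "0", "/flag") -> "3.get,1.0,5./flag;"."""
    return ",".join(f"{len(e)}.{e}" for e in elements) + ";"

def decode(buf):
    """Parse concatenated instructions. Returns (list of element lists, unparsed tail);
    the tail is non-empty when the buffer ends mid-instruction."""
    out, pos = [], 0
    while pos < len(buf):
        elems, cur = [], pos
        while True:
            dot = buf.find(".", cur)
            if dot == -1:
                return out, buf[pos:]                 # length prefix cut off
            start = dot + 1
            end = start + int(buf[cur:dot])
            if end >= len(buf):
                return out, buf[pos:]                 # value or terminator cut off
            elems.append(buf[start:end])
            if buf[end] == ",":
                cur = end + 1
            elif buf[end] == ";":
                pos = end + 1
                break
            else:
                raise ValueError(f"bad terminator {buf[end]!r} at offset {end}")
        out.append(elems)
    return out, ""


class FakeGuacd:
    """Constructed stand-in for guacd's rdpdr object/stream handling (not guacd code).
    Object "0" is the redirected drive; `files` is an in-memory dict standing in for
    the drive-path directory, so nothing here touches the real filesystem."""
    FS_OBJECT = "0"
    CHUNK = 8          # tiny blob size so the exchange visibly needs several ack/blob rounds

    def __init__(self, files):
        self.files = dict(files)    # path -> bytes
        self.downloads = {}         # stream index -> bytes not yet sent
        self.uploads = {}           # stream index -> [path, bytearray]
        self.next_stream = 0

    def recv(self, wire):
        """Take client wire text, return the server's reply as wire text."""
        instrs, tail = decode(wire)
        if tail:
            raise ValueError("client sent a partial instruction")
        return "".join(self._dispatch(i) for i in instrs)

    def _dispatch(self, instr):
        op = instr[0]
        if op == "get":                                  # get(object, name)
            idx = str(self.next_stream); self.next_stream += 1
            self.downloads[idx] = self.files[instr[2]]
            # body(object, stream, mimetype, name) opens the server->client stream
            return encode("body", self.FS_OBJECT, idx, "application/octet-stream", instr[2])
        if op == "ack":                                  # ack(stream, message, status)
            idx, status = instr[1], instr[3]
            if idx not in self.downloads or status != "0":
                return ""                                # nothing to send, or client reported an error
            data = self.downloads[idx]
            if not data:
                del self.downloads[idx]
                return encode("end", idx)                # stream finished
            self.downloads[idx] = data[self.CHUNK:]
            return encode("blob", idx, base64.b64encode(data[:self.CHUNK]).decode())
        if op == "put":                                  # put(object, stream, mimetype, name)
            self.uploads[instr[2]] = [instr[4], bytearray()]
            return encode("ack", instr[2], "OK", "0")
        if op == "blob":                                 # blob(stream, base64 data) from the client
            self.uploads[instr[1]][1].extend(base64.b64decode(instr[2]))
            return encode("ack", instr[1], "OK", "0")
        if op == "end":                                  # client finished its upload stream
            path, data = self.uploads.pop(instr[1])
            self.files[path] = bytes(data)               # on a real target: a path under drive-path "/"
            return ""
        raise ValueError(f"unhandled instruction {op!r}")


def download(server, path):
    """Client side of get -> body -> (ack -> blob)* -> ack -> end.
    Returns (file bytes, server opcodes seen in order)."""
    replies, _ = decode(server.recv(encode("get", FakeGuacd.FS_OBJECT, path)))
    chunks, stream, seen = [], None, []
    while replies:
        instr = replies.pop(0)
        seen.append(instr[0])
        if instr[0] == "body":
            stream = instr[2]                            # remember the stream index guacd chose
        elif instr[0] == "blob" and instr[1] == stream:
            chunks.append(base64.b64decode(instr[2]))
        elif instr[0] == "end" and instr[1] == stream:
            break
        else:
            continue
        # the ack is what releases the next blob (or the final end) from the server
        replies += decode(server.recv(encode("ack", stream, "OK", "0")))[0]
    return b"".join(chunks), seen


def upload(server, path, data):
    """Client side of put -> ack -> (blob -> ack)* -> end. Returns the number of OK acks."""
    stream, acks = "7", 0                                # client-allocated stream index
    wire = encode("put", FakeGuacd.FS_OBJECT, stream, "application/octet-stream", path)
    acks += sum(r[0] == "ack" and r[3] == "0" for r in decode(server.recv(wire))[0])
    for i in range(0, len(data), FakeGuacd.CHUNK):
        wire = encode("blob", stream, base64.b64encode(data[i:i + FakeGuacd.CHUNK]).decode())
        acks += sum(r[0] == "ack" and r[3] == "0" for r in decode(server.recv(wire))[0])
    server.recv(encode("end", stream))
    return acks


# Constructed sample "drive": the flag contents are made up for this example.
SAMPLE_FILES = {"/flag": b"CSCG{constructed-sample-flag}"}

if __name__ == "__main__":
    srv = FakeGuacd(SAMPLE_FILES)
    flag, ops = download(srv, "/flag")
    print(ops, flag)
    upload(srv, "/tmp/note", b"written over rdpdr")
    print(srv.files["/tmp/note"])
```

The point to take from the client side is that guacd never pushes data on its own: each blob is released only by the client's ack, so a dumb client that forgets to ack the body sees exactly one body and nothing else. The upload path is the same handshake mirrored, which is why a drive-path of "/" turns put into an arbitrary write on the guacd side.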