• The first Luxembourgish CTF Team

Healthcheck 1 Writeup

  • By

Sep 2, 2022
  • Solves: teams
  • Source:

Health Check 1

Description

Want to know whether the challenge is down or it’s just your network down? Want to know who to send a message when you want to contact an admin of some challenges? Take a look at our “fastest” Health Check API in the world!

http://fastest-healthcheck.balsnctf.com

Warning: Do not violate our CTF rules.

Author: chiffoncake

Solution

Under the provided link, we just see a hello world message in json. Gobuster finds a /docs endpoint. Navigating to it reveals documentation about more endpoints:

So it seems we found a way to upload a zipfile containing a run executable. There is a process that executes it in a 30 second interval. The executable is expected to create a status.json file, where run is expected to store some results in. When uploading zip file, we receive the name it is stored under. Using the second endpoint, we can request the respective json of the commands we run from the uploaded zip.

So seems like we got command execution and a way of checking what our commands do. Let’s try it.

I am creating a shell script containing the command i want to run:

#!/bin/sh

touch ./status.json

pwd > ./status.json

  • Listing files in interesting directory with ls ../.. (note that flag1.py is interesting for us; flag2 is for a different challenge):

  • Taking a look at permissions with ls -la ../... Looks like we do not have read permission to the flag1.py script.

  • Since it is a script and theres a __pycache__ folder, maybe we can read the compiled version of the script instead of the script itself. Let’s see what’s in there with ls ../../__pycache__:

Finally, at 3:30 in the morning, 27 minutes before the CTF ended, I managed to get the flag with xxd ../../__pycache__/flag1.cpython-310.pyc:

BALSN{y37_4n0th3r_pYC4ch3_cHa1leN93???}

Reverse shell solution

I did not get a reverse shell solution working during the CTF unfortunately. The way I did it was very laborious, crafting each zip file seperately, uploading it and waiting for execution. Also for commands that resulted in an error, I did not get a result in the status.json at all, making my solution very tedious.

A reverse shell would have been the much better way. Some people on the BALSNCTF discord shared their solution. Here is a code snippet from a C script. When compiled as run and uploaded inside a zip, a reverse shell should be obtained. I tried it today where CTF is over, but I think they disabled the processes running the executables already.