🚩 HTB - Socrates Panel

Executive Summary

  • OS: Linux
  • Key Technique:
  • Status: Complete

Reconnaissance

Configurations


The Dockerfile reveals that the admin password is randomly generated and stored in /app/config.py; this is likely the file the whole challenge uses to authenticate the admin.

The flag is stored inside the /flag.txt.

There are three main services running inside the container: the first is the CDN service, acting as a cache proxy; the second is the Redis database, used to store the cached responses; and the final one is the main application.


I decided to take a look at the simplest structures first, the Redis and CDN services (each of them contains only two relatively short files).

Redis Database


From the database's init file, we can see that every time the container is created, the flag copied into /flag.txt is transferred into the Redis database under the key FLAG, and the flag.txt file is then removed from the filesystem.


This is the configuration of the Redis database. It seems pretty normal; however, the problem is that there is no requirepass, so the database has no password and trusts any connection originating from inside the system. It seems like this is an SSRF challenge that requires us to make requests to this database and exfiltrate the flag from there.
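To make the configuration point concrete, here is an added example (not code from the challenge or this writeup) that parses a redis.conf and reports the access-control settings discussed above. Both configuration texts are constructed for the example; the weak one mirrors the situation described (bound to localhost, but no requirepass), which is exactly the setup that a co-located application with an SSRF bug can reach.

```python
# Added example: audit a redis.conf for the access-control directives that
# decide who may talk to the database. Sample configs are constructed.
from typing import Dict, List

# Constructed: resembles the writeup's situation. Binding to loopback alone is
# not a control when another container/process on the same host can be made to
# issue requests (SSRF); without requirepass every local client is trusted.
WEAK_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
save ""
appendonly no
"""

# Constructed: same file with the settings a defender would expect.
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
save ""
"""


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Parse redis.conf into directive -> list of argument strings.

    Directive names are case-insensitive; blank lines and comments are skipped.
    A directive that appears several times keeps every occurrence in order.
    """
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        conf.setdefault(key, []).append(parts[1] if len(parts) > 1 else "")
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # No password at all, or requirepass "" (which Redis treats as disabled).
    password = conf.get("requirepass", [""])[-1].strip().strip('"')
    if not password:
        findings.append("no requirepass: any client that can reach the port is trusted")

    # Redis listens on all interfaces when no bind directive is present.
    bind = conf.get("bind", ["0.0.0.0"])[-1]
    if any(addr in ("0.0.0.0", "::", "*", "-::*") for addr in bind.split()):
        findings.append(f"bind {bind}: listening on all interfaces")

    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote access is not blocked")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or "ok")
```

The audit treats a missing bind directive as listening on every interface, which is Redis's default, and only reports the password gap for the constructed weak config; that single finding is the one that matters in an SSRF scenario, since network position is not a substitute for authentication.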

CDN Service


Overall, the CDN service is secure; however, the problem is that the CDN caches using only the request path as the key. Normally, a secure cache proxy would use a much more complex set of cache keys to make sure that no two users can accidentally read each other's cached data.
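The following added example (not the challenge's CDN code) shows why a path-only cache key is a problem and what a properly scoped key looks like. The toy origin, the two constructed requests, and the header names the key varies on are all assumptions made for the example: with a path-only key, a response personalised for one session is handed to the next session that asks for the same path; a key that also covers method, host, normalised query string and the headers the origin varies on keeps the two users' entries apart.

```python
# Added example: cache-key construction in a caching proxy. Compares a weak
# path-only key with a key scoped by every input that changes the response.
import hashlib
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit

Headers = Dict[str, str]


def path_only_key(method: str, url: str, headers: Headers) -> str:
    """Weak key: only the path is considered (method, host, query, cookies ignored)."""
    return urlsplit(url).path


def scoped_key(method: str, url: str, headers: Headers,
               vary: Tuple[str, ...] = ("cookie", "authorization")) -> str:
    """Stronger key: method, host, path, normalised query and the headers the
    origin varies on. The key is hashed so header secrets never appear in it."""
    parts = urlsplit(url)
    # Sort query parameters so ?a=1&b=2 and ?b=2&a=1 share one entry.
    query = urlencode(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    lowered = {k.lower(): v for k, v in headers.items()}
    vary_values = "|".join(f"{name}={lowered.get(name, '')}" for name in vary)
    material = "\n".join([method.upper(), parts.netloc.lower(), parts.path,
                          query, vary_values])
    return hashlib.sha256(material.encode()).hexdigest()


class Cache:
    """Minimal response cache parameterised by the key function under test."""

    def __init__(self, key_fn: Callable[[str, str, Headers], str]) -> None:
        self.key_fn = key_fn
        self.store: Dict[str, str] = {}

    def fetch(self, method: str, url: str, headers: Headers,
              origin: Callable[[str, str, Headers], str]) -> Tuple[str, bool]:
        """Return (body, served_from_cache)."""
        key = self.key_fn(method, url, headers)
        if key in self.store:
            return self.store[key], True
        body = origin(method, url, headers)
        self.store[key] = body
        return body, False


def origin(method: str, url: str, headers: Headers) -> str:
    """Constructed origin server: the response is personalised per session cookie."""
    session = headers.get("Cookie", "session=anon").split("=", 1)[1]
    return f"profile for {session}"


def demo(key_fn: Callable[[str, str, Headers], str]) -> Tuple[str, str, bool]:
    """Two users request the same path; returns (alice_body, bob_body, bob_hit)."""
    cache = Cache(key_fn)
    alice, _ = cache.fetch("GET", "http://app/profile", {"Cookie": "session=alice"}, origin)
    bob, hit = cache.fetch("GET", "http://app/profile", {"Cookie": "session=bob"}, origin)
    return alice, bob, hit


if __name__ == "__main__":
    print("path-only key:", demo(path_only_key))   # bob receives alice's page
    print("scoped key:   ", demo(scoped_key))      # each user gets their own page
```

In practice the set of headers to vary on should come from the origin's Vary response header rather than a fixed tuple, and responses carrying Set-Cookie or Cache-Control: private should not be stored at all; the example keeps a fixed tuple only to make the collision easy to see.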

Web Application


The web application is

Web Enumeration

  • Technologies: (Apache, PHP, etc.)

  • Fuzzing Results:

    • /admin (403)

    • /images (200)


Foothold (User)

Path:

Step 1: Discovery

(What did you find?)

Step 2: Exploitation

(The exact payload or exploit used).

πŸ‡ Rabbit Hole I spent time trying to brute force SSH.

  • Correction: Always check for id_rsa keys in web directories first.

Privilege Escalation (Root)

Current User: www-data

Enumeration

  • LinPeas Findings: Vulnerable Sudo version

Exploitation

Bash

# Commands to get root

Loot & Flags

  • User Flag: hash_here

  • Root Flag: hash_here

  • Credentials:

    • user:password

References: Link