Musyoka Ian
6 min readAug 10, 2024

Defcon 32 Parrot CTF Walkthough

Hello guys welcome back to another walkthrough this time we are going to be tackling a machine called defcon 32 from parrot ctf. The machine by itself is easy but i have a few gaps that i need to research more on. We perform an nmap scan on the box and discover ports 2 that are open. On enumerating the web application we come across admin cookies which are stored in logs this leads to a privilege escalation. The admin has a capability to uploading XML file. This lead to XXE injection attack that gives us remote code execution on the application.

As always we begin by performing an nmap scan on the box. The command i used was

nmap -sC -sV -oA nmap/defcon32 -Pn 10.14.0.43

Below are the results of the nmap scan. We have two ports that are open namly SSH (Port 22) and HTTP (Port 80)

# Nmap 7.94SVN scan initiated Thu Aug  8 19:48:50 2024 as: nmap -sC -sV -oA nmap/defcon32 -Pn 10.14.0.43
Nmap scan report for 10.14.0.43
Host is up (0.21s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b3:60:ce:73:13:29:d0:63:db:00:63:96:6f:61:c8:20 (RSA)
| 256 a7:19:ec:9f:e1:a2:2f:65:20:a4:15:81:54:ec:f0:18 (ECDSA)
|_ 256 dd:1a:0c:7b:c0:75:5e:96:31:b8:89:01:05:42:53:1e (ED25519)
3000/tcp open ppp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Accept-Encoding
| x-nextjs-cache: HIT
| X-Powered-By: Next.js
| Cache-Control: s-maxage=31536000, stale-while-revalidate
| ETag: "d9xxu2eeotq1r"
| Content-Type: text/html; charset=utf-8
| Content-Length: 33775
| Date: Thu, 08 Aug 2024 16:46:39 GMT
| Connection: close
| <!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" href="/_next/static/media/204a8b9dc791f619-s.p.woff2" as="font" crossorigin="" type="font/woff2"/><link rel="stylesheet" href="/_next/static/css/c995da64e387b0cf.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-90eb48aaae077c0b.js"/><script src="/_next/static/chunks/fd9d1056-8d42db6c53771e4c.js" async=""></script><script src="/_next/static/chunk
| HTTPOptions:
| HTTP/1.1 405 Method Not Allowed
| Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Accept-Encoding
| Allow: GET
| Allow: HEAD
| Cache-Control: no-cache, no-store, max-age=0, must-revalidate
| X-Powered-By: Next.js
| ETag: "p7kg95thm01jl"
| Content-Type: text/html; charset=utf-8
| Content-Length: 2001
| Date: Thu, 08 Aug 2024 16:46:41 GMT
| Connection: close
| <!DOCTYPE html><html><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width"/><title>405: Method Not Allowed</title><meta name="next-head-count" content="3"/><noscript data-n-css=""></noscript><script defer="" nomodule="" src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js"></script><script src="/_next/static/chunks/webpack-90eb48aaae077c0b.js" defer=""></script><script src="/_next/static/chunks/framework-f66176bb897dc684.js" defer=""></script><script src="/_next/static/chunks/main-8bd8bbdd9d4dd757.js" def
| Help, NCP:
| HTTP/1.1 400 Bad Request
|_ Connection: close
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.94SVN%I=7%D=8/8%Time=66B4F721%P=x86_64-pc-linux-gnu%r(
SF:GetRequest,3494,"HTTP/1\.1\x20200\x20OK\r\nVary:\x20RSC,\x20Next-Router
SF:-State-Tree,\x20Next-Router-Prefetch,\x20Accept-Encoding\r\nx-nextjs-ca
SF:che:\x20HIT\r\nX-Powered-By:\x20Next\.js\r\nCache-Control:\x20s-maxage=
SF:31536000,\x20stale-while-revalidate\r\nETag:\x20\"d9xxu2eeotq1r\"\r\nCo
SF:ntent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x2033775\
SF:r\nDate:\x20Thu,\x2008\x20Aug\x202024\x2016:46:39\x20GMT\r\nConnection:
SF:\x20close\r\n\r\n<!DOCTYPE\x20html><html\x20lang=\"en\"><head><meta\x20
SF:charSet=\"utf-8\"/><meta\x20name=\"viewport\"\x20content=\"width=device
SF:-width,\x20initial-scale=1\"/><link\x20rel=\"preload\"\x20href=\"/_next
SF:/static/media/204a8b9dc791f619-s\.p\.woff2\"\x20as=\"font\"\x20crossori
SF:gin=\"\"\x20type=\"font/woff2\"/><link\x20rel=\"stylesheet\"\x20href=\"
SF:/_next/static/css/c995da64e387b0cf\.css\"\x20data-precedence=\"next\"/>
SF:<link\x20rel=\"preload\"\x20as=\"script\"\x20fetchPriority=\"low\"\x20h
SF:ref=\"/_next/static/chunks/webpack-90eb48aaae077c0b\.js\"/><script\x20s
SF:rc=\"/_next/static/chunks/fd9d1056-8d42db6c53771e4c\.js\"\x20async=\"\"
SF:></script><script\x20src=\"/_next/static/chunk")%r(Help,2F,"HTTP/1\.1\x
SF:20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r(NCP,2F,"HTT
SF:P/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r(HTT
SF:POptions,93A,"HTTP/1\.1\x20405\x20Method\x20Not\x20Allowed\r\nVary:\x20
SF:RSC,\x20Next-Router-State-Tree,\x20Next-Router-Prefetch,\x20Accept-Enco
SF:ding\r\nAllow:\x20GET\r\nAllow:\x20HEAD\r\nCache-Control:\x20no-cache,\
SF:x20no-store,\x20max-age=0,\x20must-revalidate\r\nX-Powered-By:\x20Next\
SF:.js\r\nETag:\x20\"p7kg95thm01jl\"\r\nContent-Type:\x20text/html;\x20cha
SF:rset=utf-8\r\nContent-Length:\x202001\r\nDate:\x20Thu,\x2008\x20Aug\x20
SF:2024\x2016:46:41\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20htm
SF:l><html><head><meta\x20charSet=\"utf-8\"/><meta\x20name=\"viewport\"\x2
SF:0content=\"width=device-width\"/><title>405:\x20Method\x20Not\x20Allowe
SF:d</title><meta\x20name=\"next-head-count\"\x20content=\"3\"/><noscript\
SF:x20data-n-css=\"\"></noscript><script\x20defer=\"\"\x20nomodule=\"\"\x2
SF:0src=\"/_next/static/chunks/polyfills-78c92fac7aa8fdd8\.js\"></script><
SF:script\x20src=\"/_next/static/chunks/webpack-90eb48aaae077c0b\.js\"\x20
SF:defer=\"\"></script><script\x20src=\"/_next/static/chunks/framework-f66
SF:176bb897dc684\.js\"\x20defer=\"\"></script><script\x20src=\"/_next/stat
SF:ic/chunks/main-8bd8bbdd9d4dd757\.js\"\x20def");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug 8 19:50:00 2024 -- 1 IP address (1 host up) scanned in 70.01 seconds

We cannot begin by enumerating SSH since it means we either need to exploit a CVE if an older version of SSH was running or some weak credentials (though we need a valid username for this attack). My focus shifted to enumerating the web application running on port 3000. on open the web application we get a standard web application talking about

The basic enumeration step that i usually take is performing a directory brute forcing. Most time it yield sensitive result that allows for for further exploitation of the web application. To perform the enumeration step i used gobuster and the command

gobuster dir  -u http://10.14.0.43:3000/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-
words.txt

While gobuster was running i decided to register for a user on the application.

Registering a user using the below details

We get s successful registration but something looks interesting. The role is returned in the response.

My first though was this might be an avenue for an attack and i decided to first test for mass assignment vulnerability on the role parameter that was returned in the HTTP response. If successful this could have led to privilege escalation on the application(from user to admin privileges).

I sent the request to repeater to enable me to add the role parameter to the request which is to be sent to the backend.

Mass assignment failed because the from the response we see that we still only have user roles.

Logging in with the credentials we created initially we go back to the defcon page where there’s nothing interesting

Looking back at the gobuster we see that there’s an endpoint called /logs

Navigating to /logs we see some interesting information one of them is an administrator’s token

Editing the cookie using inspect tab on chromium to the new admin cookie that was gotten from the logs

And navigating to the dashboard we get the admin dashboard

In the admin dashboard we can upload an xml file with a list of user

I created a simple XML file which contained the root element and user element

I uploaded the XML file and intercepted the request using the repeater tab

Uploading the XML we get an error that gives us an example template which we can use

i copied the template and magically we get code execution

Am still trying to understand the login because for XXE attack mostly it’s used to retrieve files and also to perform Server side request forgery attacks

This made to become a bit surprised when the attack was used to get remote code execution

Unless am missing something which i’d really love you guys to comment in the comments section

Anyway checking the privilege the server is running with we notice that we are root user

We can read both the user and the root flag on the system

For the user flag we get the user name from passwd file.

The user is called kaizen. Looking at the home directory we have the user flag.

Lastly we can get the root flag

And the box is pretty much done. I’d really appreciate comment on how the XXE comes together to getting remote code execution. If you liked the walkthough clap for me and follow me so that you don’t miss any upcoming walkthrough.