This repository stores the source code and deployment scripts used for Challenge Web 500 - WhiteHat Grand Prix 2017 (a hacking contest).
The challenge has two parts:
- Part 1: Exploit an RCE flaw in a Web app written in Perl
- Part 2: After getting RCE, read the source code and break a crypto scheme written in Python (signature forgery)
To deploy the challenge:
```sh
sudo chmod +x ./install.sh
sudo ./install.sh
```
During the competition, the organizers told me that one team had obtained the flag in an unexpected way: privilege escalation.
Right after that, I found that the root cause was CVE-2017-11610 in supervisor. Supervisor is a process control system that I used to manage the components of the challenge, so they would be restarted automatically if they were killed or crashed. Several factors combined to make this possible:
- Part 1 of this challenge allows remote code execution, which gives OS access as a normal user
- The supervisor config file is world-readable (permission 755), so that user can obtain the credentials of the supervisor Web Manager
- The installed supervisor version is not the latest one. Supervisor was installed with
```sh
sudo apt-get install supervisor
```
but that gave version 3.2 (an affected version), while the latest version is 3.3.3. You can reproduce this on Ubuntu 16.04.3 LTS
Mitigations:
- Prevent users from viewing other users' processes
- Prevent users from reading the configuration file
- Re-install supervisor with a current release:
```sh
pip2 install supervisor
```
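To check a supervisor deployment for the three weaknesses above (world-readable config, a network-exposed XML-RPC web manager with plaintext credentials, and a pre-3.3.3 version), here is a small audit function. It is an added example, not part of the challenge repository; the config body is constructed, and treating every version older than 3.3.3 as affected is a simplification based on the README's own figures.

```python
import configparser
import stat

# Constructed sample config, modelled on the weak setup: in the challenge the
# file was mode 755, so any local user could read these credentials after
# Part 1 gave them a shell.
SAMPLE_CONF = """\
[inet_http_server]
port = *:9001
username = admin
password = changeme

[supervisord]
logfile = /tmp/supervisord.log
"""

# Simplification: anything older than 3.3.3 (the release the README points to)
# is reported as affected by CVE-2017-11610.
MIN_VERSION = (3, 3, 3)


def parse_version(s):
    """'3.2' -> (3, 2); a shorter tuple compares as smaller, which is what we want."""
    return tuple(int(p) for p in s.split("."))


def audit_supervisor(conf_text, conf_mode, version):
    """Return a list of findings for a supervisord.conf body, its permission
    bits and the installed supervisor version string."""
    findings = []
    # 1. A world-readable config leaks the web manager credentials to local users.
    if conf_mode & stat.S_IROTH:
        findings.append("config is world-readable (mode %o)" % conf_mode)
    # interpolation=None: supervisor configs use %(here)s-style expansions.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    # 2. The XML-RPC web manager is the interface CVE-2017-11610 is reached through;
    #    binding it to every interface widens who can talk to it.
    if cp.has_section("inet_http_server"):
        port = cp.get("inet_http_server", "port", fallback="")
        host = port.rsplit(":", 1)[0] if ":" in port else ""
        if host in ("", "*", "0.0.0.0"):
            findings.append("XML-RPC listens on all interfaces (%s)" % port)
        if cp.has_option("inet_http_server", "password") and conf_mode & stat.S_IROTH:
            findings.append("plaintext web manager password readable by every local user")
    # 3. Version check against the README's target release.
    if parse_version(version) < MIN_VERSION:
        findings.append("supervisor %s is older than 3.3.3" % version)
    return findings
```

On a live host, feed it the contents of /etc/supervisor/supervisord.conf, `os.stat(path).st_mode` and the output of `supervisord --version`.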