## HACKvent 2020 - Day 21

01-01-2021 - 1 minute, 49 seconds

Challenge - Threatened Cat

You can feed this cat with many different things, but only a certain kind of file can endanger the cat.

Do you find that kind of files? And if yes, can you use it to disclose the flag? Ahhh, by the way: The cat likes to hide its stash in /usr/bin/catnip.txt.

Note: The cat is currently in hibernation and will take a few seconds to wake up.

## Solution

When you start the Docker container of today's challenge and visit the website, an ASCII cat awaits you which you can feed with all kinds of files. The cat starts to meow really loudly after a while - a real jumpscare if you don't expect it.

If you upload a file to the cat, it tells you what kind of file it is and where it stored the file on the server (/usr/local/uploads/filename.extension). It also lists the already uploaded files and lets you download them again.

Looking for starting points, I found the 404 page, which told me that the server is running on Apache Tomcat/9.0.34. So this is the Cat that is really the issue.

A quick search for the version shows that in version 9.0.35 (the next update) a remote code execution vulnerability was fixed (CVE-2020-9484). Jackpot.

The vulnerability only works if Tomcat is configured accordingly. If it is, and you send a file path instead of a session ID in the session cookie, the server tries to read a session from that file. If you can put a prepared session file on the server (via the cat's upload), you can exploit vulnerabilities in the deserializer and execute code on the server. Fortunately, many ready-made payloads are available for this. So we prepare a session file which copies catnip.txt to the folder we have access to.
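The bug has two halves: the file path is built straight from the session ID, and whatever file that path points at is deserialized without restriction. The Python below is an added example, not part of this writeup and not Tomcat's own code. It reproduces the containment check a file-backed session store needs (the session ID must resolve to a file inside the store directory) and runs an allow-list scan over constructed access-log lines that record the Cookie header, flagging JSESSIONID values that are not plain hex tokens. The store directory, the log format and the session-ID pattern are assumptions; the pattern follows Tomcat's default of a hex ID with an optional `.jvmRoute` suffix.

```python
import os
import re
from typing import List, Optional, Tuple

# Constructed assumption: the directory a file-backed Tomcat session store
# (PersistenceManager + FileStore) would be configured with; not on the page.
STORE_DIR = "/opt/tomcat/sessions"


def resolve_session_file(store_dir: str, session_id: str) -> Optional[str]:
    """Build the <session_id>.session path the way a file-backed session
    store does, but refuse any ID whose resolved path escapes store_dir.

    Returns the canonical file path, or None when the ID is path-like.
    This containment check is what the vulnerable version lacked."""
    base = os.path.realpath(store_dir)
    candidate = os.path.realpath(os.path.join(base, session_id + ".session"))
    # realpath() collapses "../" components and honours absolute IDs, so a
    # comparison of the canonical paths is enough to detect an escape.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# A default Tomcat session ID is a hex token, optionally followed by a
# ".jvmRoute" suffix when the server sits behind a load balancer.
VALID_SESSION_ID = re.compile(r"^[0-9A-Fa-f]{32,}(\.[A-Za-z0-9_-]+)?$")
COOKIE_VALUE = re.compile(r'JSESSIONID=([^;"\s]*)')


def suspicious_session_ids(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Allow-list scan over access-log lines that record the Cookie header.

    Any JSESSIONID that is not a well-formed token (traversal sequences,
    absolute paths, URL-encoded slashes, ...) is reported with its line
    number, so the scan does not depend on a list of known bad patterns."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = COOKIE_VALUE.search(line)
        if match is None:
            continue
        session_id = match.group(1)
        if not VALID_SESSION_ID.match(session_id):
            hits.append((number, session_id))
    return hits


# Constructed sample log lines (combined log format plus a quoted Cookie
# header); the traversal value is the one used in the writeup above.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Dec/2020:10:00:01 +0000] "GET /cat HTTP/1.1" 200 512 '
    '"JSESSIONID=3F2A9C1E7B8D4A6F9E0C1B2A3D4E5F60"',
    '10.0.0.9 - - [21/Dec/2020:10:00:07 +0000] "GET /cat HTTP/1.1" 500 0 '
    '"JSESSIONID=../../../../../usr/local/uploads/badSession"',
    '10.0.0.9 - - [21/Dec/2020:10:00:09 +0000] "GET /cat HTTP/1.1" 500 0 '
    '"JSESSIONID=..%2F..%2Fusr%2Flocal%2Fuploads%2FbadSession"',
    '10.0.0.7 - - [21/Dec/2020:10:00:12 +0000] "POST /upload HTTP/1.1" 200 88 "-"',
]


if __name__ == "__main__":
    for sid in ("3F2A9C1E7B8D4A6F9E0C1B2A3D4E5F60",
                "../../../../../usr/local/uploads/badSession"):
        print(f"{sid!r:60} -> {resolve_session_file(STORE_DIR, sid)}")
    for number, sid in suspicious_session_ids(SAMPLE_LOG):
        print(f"line {number}: suspicious JSESSIONID {sid!r}")
```

The path check alone closes the traversal, which is the shape of fix Tomcat shipped for FileStore in 9.0.35. Independently of that, restricting which classes the session manager may deserialize (the `sessionAttributeValueClassNameFilter` attribute on the manager) and keeping the session store outside any directory that uploads can write to remove the preconditions this writeup relies on.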

```shell
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections2 'cp /usr/bin/catnip.txt /usr/local/uploads/catnip.txt' > badSession.session
```

After uploading the badSession.session file, we send the request with another tool that triggers the exploit. We could have made the request with a simple curl command and set the cookie accordingly, but the tool was already at hand from previous research.

```shell
./run.sh site.lst ../../../../../usr/local/uploads/badSession
```

HV20{!D3s3ri4liz4t10n_rulz!}