Linux RCE hack challenge

Hello folks, hope everyone is safe and well in these trying Covid times.

Our cybersecurity partner Elytron is offering a remote code execution (RCE) challenge with prize money of USD 5,000.00 for anyone who can execute commands or code on our test machine. Everyone is welcome to try, and we will announce any successful attempts within this article.

Details of the RCE challenge are below.

Thank you and we wish you good luck.

On behalf of Elytron and Elytron Asia Pacific.


RCE Challenge

The first participant to EXECUTE COMMANDS in the system – purposefully exposed and vulnerable.

Target:

The target is a server running Apache Tomcat with /manager exposed on the internet and admin permissions released for use (credentials: tomcat / s3cret).

URL: http://54.173.209.123:8080/manager/html

From Tomcat’s /manager, participants can upload and invoke any webshell or Java code they wish. Writing and reading files on the server is allowed, as is the creation of sockets in general. Neither the operating system nor Tomcat has extra security settings (hardening / security manager), with the exception of the Anti-RCE protection module (which runs at the kernel level). As a result, any action can be carried out programmatically via Java, including a server shutdown, file modification, writing keys for access via ssh, etc.
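For contrast, this is what a configuration audit would flag on a production Tomcat set up like the lab. It is an added example, not code from Elytron or from this post: it reads a tomcat-users.xml and the manager application's context.xml, then reports manager/admin accounts with guessable plaintext passwords and a missing RemoteAddrValve address restriction. The sample XML, the weak-password list and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Roles that unlock the Manager / Host Manager web applications.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}
# Constructed deny-list (assumption); extend it with your own password policy.
WEAK_PASSWORDS = {"", "s3cret", "tomcat", "admin", "password", "changeit"}
REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"


def _local(tag):
    """Strip an XML namespace such as {http://tomcat.apache.org/xml}."""
    return tag.rsplit("}", 1)[-1]


def audit_users(users_xml):
    """Return findings for manager/admin accounts with guessable passwords."""
    findings = []
    for el in ET.fromstring(users_xml).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or ""
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        granted = sorted(roles & MANAGER_ROLES)
        password = el.get("password", "").lower()
        weak = password in WEAK_PASSWORDS or password == name.lower()
        if granted and weak:
            findings.append(f"{name}: weak password with roles {','.join(granted)}")
    return findings


def manager_restricted(context_xml):
    """True if the manager context limits client addresses via an allow list."""
    for el in ET.fromstring(context_xml).iter():
        if _local(el.tag) == "Valve" and el.get("className") == REMOTE_ADDR_VALVE:
            return bool(el.get("allow"))
    return False


# Constructed sample files modelled on the setup described above.
SAMPLE_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="Vq7-long-random-value" roles="manager-script"/>
  <user username="viewer" password="viewer" roles="reports"/>
</tomcat-users>"""
SAMPLE_CONTEXT = '<Context antiResourceLocking="false" privileged="true"/>'

if __name__ == "__main__":
    print(audit_users(SAMPLE_USERS), manager_restricted(SAMPLE_CONTEXT))
```

The check only sees plaintext passwords; entries stored as digests would need to be compared against digests of the deny-list instead.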

Some webshells have been uploaded by participants; here is a list:

WebShell to test sockets:
http://54.173.209.123:8080/request.jsp?url=http://your_url_here

WebShell for browsing files:
http://54.173.209.123:8080/wars/wars.jsp

WebShell for executing commands:
http://54.173.209.123:8080/shell.jsp?cmd=id

Additional information may be requested from the organizers, as well as specific changes to the server – in order to make the testers’ work a little easier.

However, the execution of commands needs to be performed by the tester – without assistance from the internal team (for example, it is not allowed to ask the internal team to execute a script left on the server by the testers).

Lab information:

Static hostname: ip-172-16-100-220.ec2.internal
      Icon name: computer-vm
        Chassis: vm
     Machine ID: ec239da046efe33c7665d4508a7d0a61
        Boot ID: 8a42b1057dc547ad89571bfc13eaa335
 Virtualization: xen

Operating System: Amazon Linux 2
CPE OS Name: cpe:2.3:o:amazon:amazon_linux:2
Kernel: Linux 4.14.209-160.339.amzn2.x86_64
Architecture: x86-64


List of successful attempts:
