CTFs | 404CTF_2023 | Cloud | Harpagon et le magot

Harpagon et le magot

For this challenge, we are given an ssh connection to a server. The hint we are given is that Harpagon n'est pas très doué et n'a jamais réussi à utiliser sa cassette.. Which means that we need to do something with a cassette.

What is Helm

To reach the flag, we need to use Helm.

Helm is a powerful package manager for Kubernetes that facilitates the deployment and management of applications and services. It simplifies the process of installing, upgrading, and managing complex applications on Kubernetes clusters. With Helm, you can package your applications into charts, which contain all the necessary configurations, dependencies, and Kubernetes manifests. These charts can be easily shared and reused, fostering collaboration within the Kubernetes community. Helm also enables effective configuration management, allowing you to customize deployments for different environments. It provides a straightforward way to update or roll back applications, ensuring smooth updates and minimizing downtime. Overall, Helm enhances productivity, promotes consistency, and streamlines application management on Kubernetes.

Note that you could have guessed the use of Helm because when you connect to the server, you see information links to K3s, Kubectl and Helm.

Basic Enumeration

We now try some basic Helm command like helm list. This command allows us to get all the available charts:

As we can see, and could have guessed, there is one chart named cassette, as in the hint. We can get more information about it by running the command helm history cassette:

The helm history command provides information about the revision history of a release in Helm. When you deploy or upgrade a chart, Helm creates a new revision of that release.

Exploitation

We can see that there are two revisions for the release cassette. The first one is superseded and the second one is deployed. A release is marked as superseded when a new revision of the release is deployed, effectively replacing the previous revision. This typically happens when you upgrade or roll back a release. The superseded revision is still stored in the release history, allowing you to roll back to it if needed.A release is marked as deployed when it represents the currently active or running revision of the release. It indicates that this particular revision is the one currently in use.

So as stated in the definition, we can roll back to the superseded revision. To do so, run the command helm rollback cassette 1:

As shown in the above screenshot, the message Rollback was a success! Happy Helming! shows us that everything went well. We can now get information about the register using the command helm get all cassette:

The command gives us a lot of result, but we got the flag in the adminToken. If you went from the bottom of the output, you may have encountered the base64 encoded version of the flag fWVtMXRjaXZfN3MzX2wxXzduMGRfdUAzbGZfMV83czNfM2MxcjR2QGx7RlRDNDA0 but using the echo "fWVtMXRjaXZfN3MzX2wxXzduMGRfdUAzbGZfMV83czNfM2MxcjR2QGx7RlRDNDA0" | base64 -d gives us the same result as the previous decoded flag. We just need to use the rev tool on the terminal to recover the flag:

The flag is 404CTF{l@v4r1c3_3s7_1_fl3@u_d0n7_1l_3s7_vict1me}.