dookcorp!… BNE0x09 CTF

Recently I was privileged to be a tester for a new CTF created by @dookwit for the Sectalks Brisbane meetups. This write-up will be a little long-winded for seasoned CTF folk; however, my goal is to write it for a beginner audience in order to share entry-level enumeration techniques and general tool usage.

Description:

Hi fellow SecTalkers! Welcome to my first SecTalks CTF....dookcorp!

This is a Boot2Root(Kinda) which also has a Jeopardy style too (So lots of flags to submit to a scoreboard).

CTF Level (Beginner-Medium)
===========================
Always hard to gauge... I think some people will smash through it fairly quickly.
But the idea is to learn something, so hopefully some people will learn some new tricks.

VM Setup
========
There's 2 OVAs (Server and Desktop)
They were both built in VirtualBox (so no clue if it'll work nicely on VMWare)
They both have static IP addresses in the 192.168.56.0/24 range (VirtualBox default Host only network)
Import em...make sure the networks are sorted, turn em on, and confirm you can see/find their IP addresses
Start hacking!
Note - Err...there appears to be a slight delay in the web server starting up. Give it up to 5 mins just in case....oops...spoiler..there's a web server ;)

Flags
=====
All flags are random MD5 hashes and are in the format "flag{abcdef1234567890}".
There are a total of 15 flags to find.

Let’s get started! First up, find the IP addresses of our guest VMs ‘Server’ and ‘Desktop’…

… and take a look at what services are listening.

‘mailserver.dookcorp.awesome’.. I think it’s safe to assume that 192.168.56.50 is our server.

Personally I always like to start with the low hanging fruit, which, in this case, is port 80. Let’s take a look.

Flag 1

Nothing too obvious there.. so let’s take a look at the source code.

Voila.. Flag1 straight up and that gets us points on the board!

Flag 2

Still working with our low hanging fruit, the web service, let’s try to enumerate (fuzz) any other directories or files which may exist. Personal tool of choice, OJ’s Gobuster.

Great! A directory and a file to look at. Let’s take a look at the robots.txt file to discover any other files or directories which may exist.

Sweet! Flag2 found.

Flag 3

What does the /company directory give us?

Nice.. another flag! We’re on a good roll!

Flag 4

We don’t need to be told twice regarding where to look for Flag4! Let’s take a look!

There are a couple of interesting things to look at here. Firstly, there’s a cookie named "accesscode", and there’s also a hint saying that our accesscode is incorrect and that we need to be 1337!

The "accesscode" token looks to be MD5 to me. Let’s create an MD5 hash of the user string 1337 and see how the application responds.

As you may have noticed by now, I’m a big fan of using the CLI when I can.

BAM! Another flag. If you’re not a fan of using the CLI, you could use tools such as BurpSuite, TamperData, or the developer tools of your browser to get the same result. Each to their own.
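The accesscode check above rests on an unsalted MD5 of a short, guessable value, so anyone who works out the scheme can mint a valid cookie with no secret at all. The following is an added example, not code from the write-up or the CTF VM: a stand-in for that weak check beside a hardened version that binds the value to a server-side HMAC key (`EXPECTED_LEVEL`, `SERVER_SECRET` and the function names are assumptions).

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the "accesscode" cookie seen in Flag 4: the server
# compares the cookie with the bare MD5 of the expected string "1337".
EXPECTED_LEVEL = "1337"

def weak_check(cookie_value: str) -> bool:
    """Unsalted MD5 of a short, guessable value: any client can reproduce it."""
    return cookie_value == hashlib.md5(EXPECTED_LEVEL.encode()).hexdigest()

def client_guess(level: str) -> str:
    """What a client who guesses the scheme can compute without any secret."""
    return hashlib.md5(level.encode()).hexdigest()

# Hardened form (assumption): keep a secret on the server and bind the value
# to it with an HMAC, so the tag cannot be reproduced without the key.
SERVER_SECRET = secrets.token_bytes(32)

def issue_accesscode(level: str, secret: bytes = SERVER_SECRET) -> str:
    """Return 'level.tag' where tag = HMAC-SHA256(secret, level)."""
    tag = hmac.new(secret, level.encode(), hashlib.sha256).hexdigest()
    return f"{level}.{tag}"

def strong_check(cookie_value: str, secret: bytes = SERVER_SECRET) -> bool:
    """Accept only cookies whose tag was produced with the server secret."""
    level, sep, tag = cookie_value.partition(".")
    if not sep or level != EXPECTED_LEVEL:
        return False
    expected = hmac.new(secret, level.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison

if __name__ == "__main__":
    print("weak check accepts a guessed cookie:", weak_check(client_guess("1337")))
    print("strong check accepts an issued cookie:", strong_check(issue_accesscode("1337")))
    print("strong check accepts a bare MD5:", strong_check(client_guess("1337")))
```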

Flag 5

The hint for Flag 5 is as follows:

Brute force frank on the Desktop (This is the only brute force challenge)

Once you have the password you CAN logon to the Desktop computer through the GUI

Fair enough.. let’s brute force our way onto the Desktop as ‘frank’. Looking back at our enumeration of open ports, we see that we have ports 22, 25, 80, and 143 listening. Let’s pick on the SSH port, 22.

Too easy. Let’s login via SSH!

Concatenating Flag5.txt gives us the flag.

Flag 6

Our hint for Flag 6 is “MessageBoard”. In Flag3 we had a mention of a messageboard:

Let’s take a look at the messageboard, this time in a browser just to mix it up a little bit.

The first thing I always try is a username of ‘admin’ with a password of ‘admin’, followed by some simple XSS and SQLi tests; none of which worked on a quick check.

Did you see the MyFireFoxProfileBackup.zip file in frank’s home directory? Did you see the hint from Flag3 saying “it’s probably best if you save your login details in Firefox”? Let’s grab that and take a look to see if he’s saved passwords.

Looks promising! Let’s search for credentials with Unode’s Firefox Decrypt tool.

Voila! Let’s test the creds on the messageboard.

Flag 6 complete!

Flag 7

The hint for Flag7 is “Secure Messageboard”, and the message board from Flag6 hints that the URL has been emailed to us.

"Messageboard

OK guys, some news. As this portal isn't that secure, we've created a new secret one. You don't need to login but the url is private so I've emailed it to you, hope you haven't deleted it!

If you have, come see me and I'll find the email from my Sent Items (I check my email pretty regularly).

On an unrelated note, so you can do your job better I've given you access to some tools on the Desktop machine.

The tools are: ls, mkdir, WireShark and spider solitaire."

Let’s log on to the Desktop and check frank’s email. Starting up Thunderbird shows that frank doesn’t have email set up. The hint above lets us know that dook checks his email regularly, and we have access to WireShark on the Desktop, so let’s see if we can capture any traffic.

After a short while we see dook checking his mail. Let’s follow the TCP stream to see if we can grab any creds.

BAM! We configure Thunderbird to use dook’s credentials.

In the inbox we see an email from frank to dook, with the subject of “URL”.

Looking in the Sent items we can see the email from dook to frank with the SecureMessageBoard URL.

Let’s browse to this location.

Flag7 is ours!

Flag 8

First things first.. do we have an XSS?

Our test script is accepted, and we are redirected to the Secure Messageboard with our successful XSS test executed.

One of the messages gives us the hint that dook logs in constantly to check the Secure Messageboard.

Name: dook
Message: Oh... and don't be a dick! I monitor this page constantly.

Let’s create a service which will capture dook’s session cookie. If all works out well, we should be able to replay the cookie and presumably log on as an admin.

Now.. let’s create some type of listener. You could use Apache for this and just check your access logs, or you could use a simple Python module, which is my preference.

And our XSS..

The message is accepted, and once the page reloads we can see our PHPSESSID being passed to our listener. All we need to do now is wait for dook to log on to check the messageboard, and we should be able to get his PHPSESSID cookie session for a replay attack.

Let’s revisit the page with dook’s PHP session ID.

Voila. Flag8 solved.
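The session theft above works because the messageboard echoes posts unescaped and the PHPSESSID cookie is readable from script. As an added example (not the CTF application's code), here is the unescaped renderer beside an escaping one, a monitoring helper that flags posts carrying tag or event-handler markup, and a Set-Cookie builder that marks PHPSESSID HttpOnly so document.cookie cannot read it; the sample posts are constructed, and all names are assumptions.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed sample posts for a board like the Flag 8 messageboard: the first
# is the generic XSS probe the write-up starts with, the rest are ordinary text.
POSTS = [
    ("tester", "<script>alert(1)</script>"),
    ("dook", "Oh... and don't be a dick! I monitor this page constantly."),
    ("frank", 'Check the <img src=x onerror="alert(1)"> thing'),
    ("mary", "2 < 3 and 3 > 2, simple maths"),
]

# Opening tag, inline event handler attribute, or javascript: URL scheme.
MARKUP_PROBE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.I)

def render_vulnerable(name: str, message: str) -> str:
    """Echoes user input straight into the page, so a <script> post runs for dook."""
    return f"<p><b>{name}</b>: {message}</p>"

def render_safe(name: str, message: str) -> str:
    """Escapes the untrusted fields so markup is displayed as text, not executed."""
    return f"<p><b>{html.escape(name)}</b>: {html.escape(message)}</p>"

def flag_suspicious(posts) -> list:
    """Monitoring helper: names whose posts contain tag/handler markup."""
    return [name for name, msg in posts if MARKUP_PROBE.search(msg)]

def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for PHPSESSID that page script cannot read (HttpOnly)."""
    jar = SimpleCookie()
    jar["PHPSESSID"] = session_id
    jar["PHPSESSID"]["httponly"] = True
    jar["PHPSESSID"]["samesite"] = "Lax"
    jar["PHPSESSID"]["path"] = "/"
    return jar.output(header="").strip()

if __name__ == "__main__":
    print("flagged posts:", flag_suspicious(POSTS))
    print(render_safe(*POSTS[0]))
    print("Set-Cookie:", session_cookie_header("constructedsessionid123"))
```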

Flag 9

As per the hint in Flag8, the next step is file upload. Let’s try the obvious first by attempting to upload a PHP reverse shell.

It looks like our upload was successful, however the PHP extension has been recognised as potentially malicious. Taking a look at the /uploads directory we can see our shell has been uploaded, sans extension.

So what happens if we simply add another .php extension to our original shell, and upload that?

Success! Our shell uploads correctly. Let’s set up a listener…

… and execute our shell.

We navigate back to the upload web application and grab our Flag.
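The upload filter observed above strips a single .php extension, which is exactly why a second one survives. As an added example (not the CTF application's code), here is that one-pass strip beside a hardened name check that allow-lists only the final extension, refuses stacked extensions and discards the client-supplied file name entirely; the allow-list and function names are assumptions.

```python
import os
import secrets
from pathlib import PurePosixPath

# Assumption: the board only needs to accept images and plain text.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".txt"}

def vulnerable_store_name(filename: str) -> str:
    """Mirrors the behaviour seen in Flag 9: drop one trailing .php, keep the rest.
    'shell.php' -> 'shell' (inert), but 'shell.php.php' -> 'shell.php' (runs)."""
    name = os.path.basename(filename)
    if name.lower().endswith(".php"):
        name = name[:-4]
    return name

def hardened_store_name(filename: str):
    """Allow-list the *final* extension, reject multiple extensions, and never
    reuse the client's basename. Returns None when the upload must be refused."""
    name = PurePosixPath(filename.replace("\\", "/")).name   # strip any path
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if len(suffixes) != 1 or suffixes[0] not in ALLOWED_EXT:
        return None
    # Server-generated name: the client controls nothing but the allowed extension.
    return secrets.token_hex(8) + suffixes[0]

if __name__ == "__main__":
    for candidate in ["shell.php", "shell.php.php", "photo.jpg", "../photo.png", ".htaccess"]:
        print(f"{candidate!r}: vulnerable={vulnerable_store_name(candidate)!r} "
              f"hardened={hardened_store_name(candidate)!r}")
```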

Flag 10

It’s time for some privilege escalation. Let’s take a look at what distro we’re working with.

Ubuntu 15.04. Let’s check if there is anything obvious listed on exploit-db.

overlayfs Local Root exploit… that sounds promising to me. Time to download the exploit, compile it, and attempt to run it.

BAM! Exploit success and we are now root!

Let’s look for some flags.

Nice.. a couple of flags there. Let’s take a look at Flag10 first.

Thank you very much.. Flag10 captured.

Flag 11

Thanks to the enumeration in Flag10, Flag11 is pretty straightforward.

Flag 12

The hint for Flag 12 is ‘dook has been working on an “alternate” web server on the Desktop’. Let’s jump back to the Desktop machine and see what services are in a listening state.

Port 8080 looks interesting however it’s not directly accessible to us from the outside. We could simply telnet to the port on Desktop, however I’d like to show you a sexier way to attack this flag. What we are going to do is present Desktop’s local port 8080 to port 8080 on our attacking host via an SSH reverse tunnel.

First, we setup the reverse tunnel.

Now let’s take a look.

As easy as that.. Flag12 is ours.

Flag 13

“Frank emailed dook with this flag’s location.”… that’s our clue. Do you recall in Flag7 seeing an email from Frank to dook?

Let’s take a look at @dookcorp on twitter shall we.

Thanks for Flag13 @dookcorp.

Flag 14

Flag14 is a bonus flag made up of the first 2 digits of flags 1 through to 10. No need for me to go through this one with you.

Flag 15

The final flag! Our hint: “Frank has this flag on the server”.

Let’s jump back onto the server and see what we can find.

First up, does frank exist on the server?

He certainly does.. let’s take a look at his home directory.

Nothing obvious straight off the bat. Let’s take a look at the hidden files.

Cheers for Flag15 frank!

THE END

Wow! What a CTF!

For the new players in this space, I hope my overly explanatory way of writing up this CTF has helped you in some way and you have been able to learn something new.

Dook (@dookwit)!…thank you for taking the time to create such an awesome CTF, and cheers for letting me be your test bunny. Owe you a beer some time.

A big shout out to Sectalks Brisbane and all the sponsors that make each meet-up possible. If you haven’t been involved with SecTalks at this stage, do yourself a favour and come along to the next meet-up.

Until next time, tight lines and happy hacking.