Thursday, 5 April 2012

Bsides London CTF Challenge 6

I haven't posted yet this year, so I thought I would put together a walkthrough of a Capture The Flag challenge I did, which was put together by KPMG for Bsides London and is available here:
http://www.securitybsides.org.uk/challenge62012.html

I have to say the guys at KPMG put a lot of thought into this one: it had a bit of everything, which kept the interest up, and it certainly wasn't straightforward.

So... here goes....


Flag1

To start with, the only information given was that someone called n3ro had recently started using Google Groups. A quick search for n3ro through Google Groups turned up this page:
http://groups.google.com/group/n3ro-tech-talk/msg/e8c3ed172eb21d2b?hl=en&
If you scroll down to the end of the garbled text you will see it ends with ==. That is a clue that the message has been encoded with Base64: the = characters are the padding Base64 appends when the input length isn't a multiple of three bytes.
I copied this into Burp Suite's Decoder to reveal a hidden URL pointing to a download:
http://finding-n3ro.net/01efaa15a2b90d65fefa472cd00f6a4f/N3rosVM.zip
That was flag 1 complete - an easy start.


Flag2

Once downloaded, this gave links to a four-part zip file. The parts had to be knitted together before they could be extracted properly; I tried and failed with a few programs before trying 7-Zip, which worked fine. This zip file then gave me a Linux-based VM image along with another clue:




Once I had the VM powered up I had to use an ARP scan to find it, as it had no open ports to begin with. The clue suggested that we needed to open up port 80 using a port knocking technique. I tried a program called knockknock first but didn't have any luck, so I went with knockd: apt-get install knockd, then ran its knock client as ./knock <ipaddress> 79:tcp 123:tcp etc. A quick check with nmap showed port 80 was now open on the target.


Flag3

This presented the following page:


This page screamed SQLi and sure enough the id parameter was vulnerable. Supplying a valid id (1) produced a further hint. I tried this out in sqlmap with the following, which grabbed the file successfully (sqlmap's --file-read depends on the database account being allowed to read files on the server, the FILE privilege on MySQL, so the lesson for a defender is as much about database privileges as about the injection itself):

./sqlmap.py -u "http://192.168.0.14/reshow.php?id=1" --file-read=/usr/share/mysql/n3ro.part4




Flag4

Okay, so now we had credentials to log into the VM itself, albeit with limited privileges.
The task was to get root, and I tried a few different ways to do this, including mempodipper, the privilege escalation script by pentestmonkey, various cron jobs running with weak permissions, and files with the suid bit set. Then I realised that the file I had been looking for was right under my nose in the /etc directory:




As you can see in the pic, this script suggests it runs automatically every minute, and the permissions show that it not only runs as root but that I have write access to it ;)
This meant I could write to this file and get it to do anything that root can. I decided to add myself to the /etc/sudoers file by editing this script to include the following line:
echo "n3ro ALL= NOPASSWD: ALL">/etc/sudoers
(Note that the single > replaces the whole sudoers file rather than appending to it; fine in a CTF, but on a real system it would wipe every other rule.)
After a short wait, I could use sudo su to become root and gain access to the file in the /root directory with details of the next flag.
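A check for the misconfiguration that gave away root here, as an added example that is not from the write-up: it parses system-crontab lines, follows each root-run job to the script it executes and reports any script that a user other than root could modify. The crontab lines and paths are constructed (the 1min.sh name is taken from the comments below), and the lookup of file metadata is injectable so the check can be exercised without touching the real filesystem.

```python
import os
import stat

# Constructed /etc/crontab-style lines (user field present), modelled on the root-run,
# once-a-minute script described above; the paths are hypothetical.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m  h dom mon dow user   command
*    * *   *   *   root   /etc/1min.sh
17   * *   *   *   root   run-parts --report /etc/cron.hourly
*/5  * *   *   *   backup /usr/local/bin/backup.sh >/dev/null
"""

def cron_scripts(text):
    """Yield (user, script path) for each command line of a system crontab."""
    for line in text.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[0].startswith("#") or "=" in fields[0]:
            continue                      # blank, comment, variable or malformed line
        for token in fields[6].split():
            if token.startswith("/"):     # first absolute path is the script that runs
                yield fields[5], token
                break

def weak_points(mode, uid):
    """Reasons a file with this st_mode/st_uid can be modified by a non-root user."""
    reasons = ["owned by uid %d, not root" % uid] if uid else []
    for bit, name in ((stat.S_IWGRP, "group-writable"), (stat.S_IWOTH, "world-writable")):
        if mode & bit:
            reasons.append(name)
    return reasons

def stat_lookup(path):
    """(st_mode, st_uid) from the filesystem, or None if the path does not exist."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_mode, st.st_uid

def audit(text, lookup=stat_lookup):
    """Return {script: reasons} for root-run cron scripts that a non-root user could edit."""
    findings = {}
    for user, path in cron_scripts(text):
        info = lookup(path)
        if user == "root" and info is not None:   # only root-run jobs hand out root
            reasons = weak_points(*info)
            if reasons:
                findings[path] = reasons
    return findings
```

On a live host, audit(open("/etc/crontab").read()) runs the same check against real permissions; the files under /etc/cron.d can be fed through it the same way.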

Flag5

For this one, I was told that I should start up an Android emulator and try to bypass the authentication to the KPMG app.




At first I thought that this one would beat me, as I had never tried hacking into an Android device. The instructions for this flag gave a hint that I should try to use the included Android Debug Bridge (adb). This seemed to provide a way to connect to the device to download files, amongst other things. A quick look at the help showed that I could get a shell on the device with the ./adb shell command. Once I had shell access, I searched around for any files that could contain the code for the app I needed to gain access to. I soon found one:
data/app/com.bsides.hackme-1.apk. The first thing I normally try is the strings command, just in case the information is stored in the clear. I downloaded the file via ADB and used strings to find the instructions for flag 6.

Flag6

This flag involved extracting n3ro's password from a Windows memory dump.
I really enjoyed this one. A quick Google search gave me the following article explaining how to use a forensic program called Volatility to achieve this. Once I had the hash, Ophcrack made easy work of the password to complete the level.

Flag7

I could now unlock the zip file for flag7. This contained just a pcap file, so I fired up Wireshark to see what it contained. It appeared to show that five files had been transferred over HTTP:
part1, part2, part3, part4 and part7.c



There are a few ways these can be extracted from the pcap file: you could open it in the excellent NetworkMiner tool, or use Wireshark itself by going to File - Export - Objects - HTTP. Looking through part7.c I could see that it was a C program that used the other four files to produce the flag. I used gcc part7.c -o part7 && chmod 755 part7 && ./part7 to get the password for the zip containing flag8.

Flag8

This one I thought was very clever. It contained an mp3 file with a Morse code message. At first I went searching around the internet to see if there were any sites I could upload this to, or a program I could download to use with my laptop's microphone maybe. I couldn't find anything, but then had the idea to use my iPhone; after all, "there's an app for everything", right?
And sure enough, I found an app called "morse-it" that worked a treat for this, and gave me the final code to open up the final zip containing the winning picture:







I would like to say thanks to those guys at KPMG for creating a very enjoyable challenge.  I can appreciate the effort that goes into making one of these, so kudos to them.

7 comments:

  1. nicely done, thanks for the write up. I was wondering how long did the challenge take you to complete?

  2. Thanks.
    I spent a couple of evenings on it, with most of the time spent on flag4. I missed the 1min.sh script due to it scrolling off the screen every time I did an ls.... duh :(

  3. A pity you hadn't completed the bonus challenge.

  4. Yeah afraid reverse engineering is not my thing. Tried a few unpackers and debuggers but gave up on it fairly quickly

  5. anyone else having trouble with the port knock (sigh)? did you use the sequence 79 123 443 53 3389 21 1521 88 22 80? also tried 1526 for oracle, and 20 for ftp but no dice?

    Replies
    1. Sorry for the late reply but did you use tcp for all the ports?

  6. Bob_The_Junkie21 May 2012 at 15:45

    Nice write up Sean.

    I just found this challenge online and completed it in a few days.

    Like you, I got stuck on part4 for ages (the 1min.sh script turned up in my searches within seconds, but I couldn't find anywhere that referenced it, so I ignored it....doh).

    I also got stuck on Flag8 for longer than I should have; the application I used returned the message all in lowercase, so I spent a while trying variations of that password until I worked out to convert it all to uppercase.
