Archives For Pursuit of Geeky Stuff

SourceCodeTheft was the next-to-last flag I found.  It was worth 100 points.  Here’s how I found it:

Still working on the 10.10.146.187 host, which had yielded previous flags, I had discovered this additional page on the website: http://10.10.146.187/pmc.aspx

I honestly don’t recall how I had found this page but I suspect an earlier wget to mirror the entire website pulled the file down and I saw it on my local folder and decided to visit it.  It’s a simple website with a single text box for input:

Screenshot from 2014-09-27 17_47_04

This is my second time posting this… so please excuse my brevity.

Screenshot from 2014-09-27 17_45_28

At this point in the competition (I use that term loosely), I was hitting the wall on discovering flags.  As I previously disclosed, I had been all over the place and not very methodical in identifying targets and attacking them in some sort of order.  What with all the chasing squirrels and all, I was starting to get weary of finding flags in small spurts.

As a result, I started throwing a few terms into the scoreboard to see what stuck.  While ironic that I didn’t get the obvious flag in the title of this page, I made something up based on the content of the page and it worked.  TheFappening was worth 100 points.

Hey, when you’re behind you’ll take ’em any way you can…

I have two more flags to disclose and I’ll publish those next week.  Have a great weekend!

According to the logs it appears I’ve had some repeat visitors checking in on the conclusion of my series of posts describing the flags I found during the DerbyConCTF 4.0 competition.  It’s been a hectic week but I’ll get around to knocking out a few more of those posts soon enough.  Standby.

I say “all flags” with some reservation, but here is what I found:

My nmap scan revealed there was a host with Telnet open, so I cruised over there to see what was going on.  Sure enough, it was a Cisco router with a flag in the banner:

Screenshot from 2014-10-13 00:30:57

I had this flag recorded on my spreadsheet but I failed to capture the text to point it out.  According to my notes, I found MudFlaps in the page source of http://10.10.146.187/Default.aspx.  This flag was worth 80 points.

Page source

That was obviously a right-click with the mouse and “View Page Source” and it was either obvious or I scanned for it.  There could have been more flags in there that I didn’t see.  No doubt there were given the total number of flags in the contest and considering the ones I missed yesterday that I blogged about.

I found a few more flags on this same host that I’ll blog about next week.

When I captured files during this year’s DerbyCon CTF, I intended on holding onto them so I could blog about the flags that I found.  I expected there might still be hidden flags waiting for me to discover — and that I would blog about them.  I just didn’t expect some of them to be so obvious to me now and so easily overlooked then.

Perhaps that’s more proof of the importance of being on a team where you have many eyes reviewing the same material.  Maybe it’s also proof that I’ve got a long way to go before I’d even consider myself a junior penetration tester. /shrug

While I was writing yesterday’s blog, I was reviewing screenshots I had taken so I could write a post about the flags I found through SQL injection and there was a flag, front and center.  It couldn’t have been more obvious to me now and yet not obvious at all on game-day:

Screenshot from 2014-09-27 17_45_28

Right there in the title: The Fappening 2: Shell Shock f l-ag is DuckDynasty


The 10.10.146.187 host also happened to contain a database (or more, dunno).  That was an easy enough to figure out upon visiting the website:

Screenshot from 2014-10-12 23:47:08

Obviously (or maybe not), that meant it was time for some old-fashioned SQL injection.


Just as I had found with previous flags, MayUrG0atsBeFr33 and Goats34Milk, I found the flag ML5jVuOCTvMhaG70p0BL by using grep to search through files I had already downloaded:

ML5jVuOCTvMhaG70p0BL

No special sauce here, just another easy flag worth 20 points.  The file I found it in, 10_25_2_165_rexpzo.xml, was somewhat interesting.  It appeared to be an XML output file from a Nessus scan?  I’m not sure.  Either way, I probably spent more time looking through this file than was really necessary.  It didn’t occur to me until NOW that the numbers in the filename might have been an IP address worth scanning: 10.25.2.165.  I guess I’ll never know.


Following the same technique I used for the previous flag, I identified 10.10.146.74 as running FTP and allowing an anonymous login.  Since I don’t know any slick script-fu to mirror an FTP server via the command line, I simply used FileZilla to download the entire contents of the FTP server to my local computer for inspection.

You can find those files here.

I grepped through all these files to find the flag ‘Goats34Milk’ in AUTOEXEC.BAT, worth 20 points.

There was a lot going on with the files on this FTP server.  For starters, there was source code spread throughout the server with copious amounts of the word ‘flag’ in the code.  I suspect there might have been another flag hidden in all this fodder, but it would have taken someone more dedicated than I to page through all these results to find one.  I started working in that direction but eventually gave up in favor of easier flags.


I knew the approach to this CTF would be different from those in the past based on the instructions.

In years past, the directions instructed you on which devices you were NOT to touch and which devices were the targets.  This year, participants were simply directed which devices were off-limits.  These off-limit devices were identified either by subnet or IP Address.

The first thing I did was copy the contents of these addresses/subnets into a file I would use as my “exclusion” file during any network or vulnerability scans I would run.  This was the contents of my “exclude.txt” file:

172.16.0.0/12
10.10.148.0/24
10.10.146.1
10.10.146.62
10.10.146.100
10.10.150.9
10.10.160.9

From here, I kicked off a series of nmap scans.  I started a rather large one using the command:

nmap -sn --excludefile /root/Desktop/CTF/exclude.txt -oG /root/Desktop/CTF/nmap_10.10.0.0.txt 10.10.0.0/16

But between the network latency/downtime, it became pretty apparent that it would take forever, if at all, for this scan to finish — so I broke it up into smaller chunks.
