DerbyConCTF Flag: Goats34Milk

October 10, 2014

Following the same technique I used in the previous flag, I identified 10.10.146.74 as running FTP and allowing an anonymous login. Since I don’t know any slick script-fu to mirror an FTP server via the command line, I simply used FileZilla to download the entire contents of the FTP server to my local computer for inspection.

You can find those files here.

I grepped through all these files to find the flag ‘Goats34Milk’ in AUTOEXEC.BAT, worth 20 points.

There was a lot going on with the files on this FTP server. For starters, there was source code spread throughout the server with copious amounts of the word ‘flag’ in the code. I suspect there might have possibly been another flag hidden in all this fodder, but it would have taken someone more dedicated than I to page through all these results to find one. I started working in that direction but eventually gave up in search of easier flags.

I noticed there were some peculiar files sprinkled throughout this server. Files by the same name were binary in one directory while plain text in the other. I suspected the binary ones were encrypted, but didn’t know how, or how to go about getting at them.

Of course, if the banner for the FTP server were to be believed, there was certainly something going on with the contents of these folders:

230-This is a temporary ftp server, while we finish our migration off DOS
230-platforms. For now transaction documents are still availible at
230-/DRIVE_C/TRNDOCS but these are already being generated by the LINUX
230-backend.
230-
230-DOCS for DCs that have already been upgraded are ciphered with
230-OpenSSL, the utility to obtain the shared password from your
230-credentials is TRNDOCS directory.
230-Use the serer xxx.xxx.xxx.xxx to authenticate, you can manually
230-inspect a TRN document with OpenSSL once you obtain the key.
230-
230-openssl des3 -d -salt -in -k
230-
230 User logged in

I haven’t had a chance to revisit these files to see if there might be anything else going on here, but Chris Higgins had an excellent write-up on how he was able to reverse-engineer those binaries for a cool 450 points.
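As an added example (not part of the original post, and not the CTF's own tooling), here is a small Python triage script that does what the write-up describes by hand: it walks a mirrored tree, greps the text files for the flag, reports file names that exist both as plaintext and as ciphertext, and recognises the ciphertext copies by the 8-byte "Salted__" header that `openssl enc -salt` writes, which is why those copies looked like opaque binaries. The directory names and file contents are constructed samples, and the `-md md5` flag is an assumption about which OpenSSL version produced the files.

```python
import re
import tempfile
from pathlib import Path
SALTED_MAGIC = b"Salted__"  # header `openssl enc -salt` writes; the 8-byte salt follows it

def classify(data):
    """Return (kind, salt): OpenSSL-salted ciphertext, printable ASCII text, or other binary."""
    if data.startswith(SALTED_MAGIC) and len(data) >= 16:
        return "openssl-salted", data[8:16]
    return ("text", None) if data.isascii() else ("binary", None)

def _walk(root):  # yield (relative path, bytes) for every file under root
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            yield str(p.relative_to(root)), p.read_bytes()

def survey(root):  # basename -> [(relative path, kind)] for every copy under root
    found = {}
    for rel, data in _walk(root):
        found.setdefault(Path(rel).name, []).append((rel, classify(data)[0]))
    return found

def mixed_names(found):  # names found both as plaintext and as OpenSSL ciphertext
    return sorted(n for n, c in found.items() if {k for _, k in c} >= {"text", "openssl-salted"})

def grep_flag(root, pattern):
    """grep -r equivalent over the text files only: [(relative path, match)]."""
    rx = re.compile(pattern)
    return [(rel, m) for rel, data in _walk(root)
            if classify(data)[0] == "text" for m in rx.findall(data.decode("ascii"))]

def openssl_decrypt_cmd(path, key, legacy_md5=True):
    """argv per the banner; builds before OpenSSL 1.1.0 (as in 2014) derived keys with MD5, hence `-md md5`."""
    cmd = ["openssl", "des3", "-d", "-salt", "-in", path, "-k", key]
    return cmd + ["-md", "md5"] if legacy_md5 else cmd

def demo():
    """Build a constructed tree shaped like the FTP listing and run the checks over it."""
    root = tempfile.mkdtemp()
    sample = {  # constructed sample contents, not the real server's files
        "DRIVE_C/AUTOEXEC.BAT": b"@ECHO OFF\r\nREM flag: Goats34Milk\r\n",
        "DRIVE_C/TRNDOCS/T0001.TRN": b"TRN 0001 amount=12.50\r\n",
        "DRIVE_D/TRNDOCS/T0001.TRN": SALTED_MAGIC + bytes(range(8)) + bytes(16),
    }
    for rel, data in sample.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return {"mixed": mixed_names(survey(root)), "flag_hits": grep_flag(root, r"Goats\d+Milk")}
```

Point `survey` and `grep_flag` at the directory FileZilla downloaded to; once the key is known, `openssl_decrypt_cmd` gives the command line to run on each salted copy.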

As for the source code and other executables there, I don’t know if there is anything else to be had, but I’ll eventually go back and look through them to see if anything else was missed.

Aaron Melton
