I knew the approach to this CTF would be different from those in the past based on the instructions.
In years past, the directions instructed you on which devices you were NOT to touch and which devices were the targets. This year, participants were simply directed which devices were off-limits. These off-limit devices were identified either by subnet or IP Address.
The first thing I did was copy the contents of these addresses/subnets into a file I would use as my “exclusion” file during any network or vulnerability scans I would run. This was the contents of my “exclude.txt” file:
172.16.0.0/12 10.10.148.0/24 10.10.146.1 10.10.146.62 10.10.146.100 10.10.150.9 10.10.160.9
From here, I kicked off a series of nmap scans. I started a rather large one using the command:
nmap -sn --excludefile /root/Desktop/CTF/exclude.txt -oG /root/Desktop/CTF/nmap_10.10.0.0.txt 10.10.0.0/16
But between the network latency and the downtime, it became pretty apparent that this scan would take forever to finish, if it finished at all, so I broke it up into smaller chunks.
I decided to target the 10.10.146.0/24 subnet first for basic services that I was confident would be running and attempt to get at the “easier” stuff first:
nmap -n -p21 -T5 --excludefile /root/Desktop/CTF/exclude.txt -oN /root/Desktop/CTF/nmap_10.10.146.0.ftp --open 10.10.146.0/24
nmap -n -p80 -T5 --excludefile /root/Desktop/CTF/exclude.txt -oN /root/Desktop/CTF/nmap_10.10.146.0.http --open 10.10.146.0/24
nmap -n -p443 -T5 --excludefile /root/Desktop/CTF/exclude.txt -oN /root/Desktop/CTF/nmap_10.10.146.0.https --open 10.10.146.0/24
nmap -n -p22 -T5 --excludefile /root/Desktop/CTF/exclude.txt -oN /root/Desktop/CTF/nmap_10.10.146.0.ssh --open 10.10.146.0/24
nmap -n -p23 -T5 --excludefile /root/Desktop/CTF/exclude.txt -oN /root/Desktop/CTF/nmap_10.10.146.0.telnet --open 10.10.146.0/24
Later I scanned the 10.10.147.0/24 subnet, but only came up with one system.
nmap -Pn -n -sV -T5 --excludefile /root/Desktop/CTF/exclude.txt -oG /root/Desktop/CTF/10.10.147.2_nmap.txt --open 10.10.147.2
Any subsequent scans of the entire subnets where there were off-limit devices (10.10.150.0, 10.10.160.0, or practically everything between 10.10.146.0 and 10.10.160.0) didn’t turn up any live hosts.
I won’t dissect those findings in this blog post, but if you’re interested, you can get a copy of the output from these scans if you roll back to a previous blog post.
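One check worth running after every scan in an engagement like this, where the rules are defined by an off-limits list rather than a target list: parse the grepable (-oG) output nmap wrote and confirm that no address from the exclusion file shows up in it (a forgotten --excludefile, or a typo in it, is easy to miss in a wall of output). The following is an added example and not part of the original post. The exclusion list is copied from exclude.txt above; the -oG lines are constructed sample data, not output from the real CTF; the function names are my own.

```python
import ipaddress
import re

# Copy of the exclusion list from exclude.txt above (same entries).
EXCLUDE_TXT = (
    "172.16.0.0/12 10.10.148.0/24 10.10.146.1 10.10.146.62 "
    "10.10.146.100 10.10.150.9 10.10.160.9"
)

# Constructed sample in nmap grepable (-oG) format, not output from the real CTF.
# The third host is deliberately one that appears in the exclusion list.
SAMPLE_OG = (
    "# Nmap 7.80 scan initiated as: nmap -sn -oG - 10.10.146.0/24\n"
    "Host: 10.10.146.67 ()\tStatus: Up\n"
    "Host: 10.10.146.67 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///"
    "\tIgnored State: closed (998)\n"
    "Host: 10.10.146.100 ()\tStatus: Up\n"
    "Host: 10.10.146.200 ()\tStatus: Down\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned in 5.00 seconds\n"
)

# Record layout: "Host: <ip> (<hostname>)\t<Key: value>\t<Key: value>..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")


def parse_exclusions(text):
    """Parse the whitespace-separated IPs and CIDRs that --excludefile accepts."""
    return [ipaddress.ip_network(tok, strict=False) for tok in text.split()]


def is_excluded(ip, networks):
    """True if ip is one of the excluded hosts or lies inside an excluded subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_grepable(text):
    """Return {ip: {"status": str or None, "ports": [(port, state, proto, service), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines
        ip, _hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"status": None, "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for spec in value.split(", "):
                    # port/state/protocol/owner/service/rpcinfo/version/
                    p = spec.split("/")
                    entry["ports"].append((int(p[0]), p[1], p[2], p[4]))
    return hosts


def audit_scan(og_text, exclude_text):
    """Return (live hosts, the subset of live hosts that were on the off-limits list)."""
    networks = parse_exclusions(exclude_text)
    hosts = parse_grepable(og_text)
    live = sorted((ip for ip, h in hosts.items() if h["status"] == "Up" or h["ports"]),
                  key=ipaddress.ip_address)
    violations = [ip for ip in live if is_excluded(ip, networks)]
    return live, violations


if __name__ == "__main__":
    live, bad = audit_scan(SAMPLE_OG, EXCLUDE_TXT)
    print("live hosts:", live)
    if bad:
        print("WARNING: scan touched off-limits hosts:", bad)
```

On a real engagement the two inputs would be read from disk: the -oG file nmap wrote (such as the 10.10.147.2_nmap.txt above) and the exclude.txt that was passed to --excludefile, so that the check uses exactly the list the scan was supposed to honour.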
After I had identified the devices running http/https, I kicked off a ‘wget’ to mirror the contents of those systems on my local computer:
wget -m http://10.10.146.67
When that was completed, I used ‘grep’ to search through all the files for an instance of ‘flag’ (not case-sensitive):
grep --color -r -i "flag" .
I believe those commands are correct, working off my poor memory here. Given what I said yesterday about the flags not being obvious, you can see the flaw in my methodology here. What if ‘flag’ is mangled with additional characters? Well, I would return to these files later to step through them manually when I was bored, but this search turned up a flag in the html code which was good for 20 points:
Also, based on the contents of the BBoard.html file on this server, I suspect there was more going on here. The comment
<script>alert('xss');</script> led me to believe there might be some cross-site scripting vulnerability going on here, but XSS is out of my skillset, so I was unable to confirm. There was also the curious string
ZmxhZzogMVNoZWVwODI2SHVnZ2VyMjMKVGhlcmUgc3RpbGwgbG9naW4gaXNz\ndWVzLCBzZWU6Cq6kqa/y6P2cuq2tgL2vr626/v38u/3/6KCprOi8p+i/ramj\nrabou6CprKe/6LituqW7\n that I was unable to identify. I’m still not certain what that might have been, but the frequent ‘\n’ in the text left me wondering if those were newlines or not.
Anyone care to share any hints or otherwise help me out with this one?
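The curious string quoted above is ordinary base64, and the two-character \n sequences in it are escaped line breaks, not part of the data: each wrapped line is 60 characters long, which is the width Ruby's Base64.encode64 emits. The decoder below is an added example, not part of the original post. The one thing to get right is to remove the escaped line breaks before decoding, because a lenient decoder drops the backslash but keeps the 'n', which is a valid base64 digit and shifts every byte after it. The decode yields a readable prefix followed by bytes that are not printable text; the page gives no clue what that trailing blob is, so the example only reports it as hex.

```python
import base64
import re

# The string as quoted in the post, copied verbatim. The "\\n" here are the
# literal backslash-n pairs that appear on the page, not real newlines.
QUOTED = (
    "ZmxhZzogMVNoZWVwODI2SHVnZ2VyMjMKVGhlcmUgc3RpbGwgbG9naW4gaXNz\\n"
    "dWVzLCBzZWU6Cq6kqa/y6P2cuq2tgL2vr626/v38u/3/6KCprOi8p+i/ramj\\n"
    "rabou6CprKe/6LituqW7\\n"
)

B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def line_widths(text):
    """Length of each wrapped line; 60 is what Ruby's Base64.encode64 produces."""
    return [len(seg) for seg in text.replace("\\n", "\n").split("\n") if seg]


def unwrap_base64(text):
    """Drop escaped and real line breaks, then check the remaining alphabet.

    Stripping only real whitespace is not enough: a literal backslash-n
    leaves an 'n' behind, which is a valid base64 digit, so every byte after
    it would decode wrong. Clean first, then decode strictly.
    """
    cleaned = re.sub(r"\\n|\s", "", text)
    if not B64_RE.match(cleaned) or len(cleaned) % 4:
        raise ValueError("not a well-formed base64 string")
    return cleaned


def decode_quoted(text):
    """Decode, then split at the first byte that is not printable ASCII."""
    raw = base64.b64decode(unwrap_base64(text), validate=True)
    n = 0
    while n < len(raw) and (32 <= raw[n] < 127 or raw[n] in (9, 10, 13)):
        n += 1
    return raw[:n].decode("ascii"), raw[n:]


def report(text):
    """Human-readable summary: the text part, and whatever follows it as hex."""
    prefix, rest = decode_quoted(text)
    return "text: %r\nremaining %d bytes: %s" % (prefix, len(rest), rest.hex())


if __name__ == "__main__":
    print("line widths:", line_widths(QUOTED))
    print(report(QUOTED))
```

The same cleaning step applies to any base64 lifted out of HTML source or a log viewer, where the original newlines are often shown as \n and the string runs together with nothing marking where one line ended.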