According to the logs it appears I’ve had some repeat visitors checking in on the conclusion of my series of posts describing the flags I found during the DerbyCon CTF 4.0 competition. It’s been a hectic week but I’ll get around to knocking out a few more of those posts soon enough. Stand by.
Archives For October 2014
I say “all flags” with some reservation, but here is what I found:
My nmap scan revealed there was a host with Telnet open, so I cruised over there to see what was going on. Sure enough, it was a Cisco router with a flag in the banner:
I had this flag recorded on my spreadsheet but I failed to capture the text to point it out. According to my notes, I found MudFlaps in the page source of http://10.10.146.187/Default.aspx. This flag was worth 80 points.
That was obviously a right-click with the mouse and “View Page Source,” and it was either obvious or I scanned for it. There could have been more flags in there that I didn’t see. No doubt there were, given the total number of flags in the contest and considering the ones I missed yesterday that I blogged about.
I found a few more flags on this same host that I’ll blog about next week.
When I captured files during this year’s DerbyCon CTF, I intended to hold onto them so I could blog about the flags that I found. I expected there might still be hidden flags waiting for me to discover, and that I would blog about them. I just didn’t expect some of them to be so obvious to me now and so easily overlooked then.
Perhaps that’s more proof of the importance of being on a team where you have many eyes reviewing the same material. Maybe it’s also proof that I’ve got a long way to go before I’d even consider myself a junior penetration tester. /shrug
While I was writing yesterday’s blog, I was reviewing screenshots I had taken so I could write a post about the flags I found through SQL injection, and there was a flag, front and center. It couldn’t have been more obvious to me now and yet not obvious at all on game day:
Right there in the title: The Fappening 2: Shell Shock f l-ag is
Just as I had found with previous flags, MayUrG0atsBeFr33 and Goats34Milk, I found the flag ML5jVuOCTvMhaG70p0BL by using grep to search through files I had already downloaded:
No special sauce here, just another easy flag worth 20 points. The file I found it in, 10_25_2_165_rexpzo.xml, was somewhat interesting. It appeared to be an XML output file from a Nessus scan? I’m not sure. Either way, I probably spent more time looking through this file than was really necessary. It didn’t occur to me until NOW that the numbers in the filename might have been an IP address worth scanning: 10.25.2.165. I guess I’ll never know.
Following the same technique I used in the previous flag, I identified 10.10.146.74 as running FTP and allowing an anonymous login. Since I don’t know any slick script-fu to mirror an FTP server via the command line, I simply used FileZilla to download the entire contents of the FTP server to my local computer for inspection.
I grepped through all these files to find the flag ‘Goats34Milk’ in AUTOEXEC.BAT, worth 20 points.
There was a lot going on with the files on this FTP server. For starters, there was source code spread throughout the server with copious amounts of the word ‘flag’ in the code. I suspect there might have been another flag hidden in all this fodder, but it would have taken someone more dedicated than I to page through all these results to find one. I started working in that direction but eventually gave up in search of easier flags.
I knew the approach to this CTF would be different from those in the past based on the instructions.
In years past, the directions instructed you on which devices you were NOT to touch and which devices were the targets. This year, participants were simply directed which devices were off-limits. These off-limit devices were identified either by subnet or by IP address.
The first thing I did was copy the contents of these addresses/subnets into a file I would use as my “exclusion” file during any network or vulnerability scans I would run. This was the contents of my “exclude.txt” file:
172.16.0.0/12
10.10.148.0/24
10.10.146.1
10.10.146.62
10.10.146.100
10.10.150.9
10.10.160.9
From here, I kicked off a series of nmap scans. I started a rather large one using the command:
nmap -sn --excludefile /root/Desktop/CTF/exclude.txt -oG /root/Desktop/CTF/nmap_10.10.0.0.txt 10.10.0.0/16
But between the network latency and downtime, it became pretty apparent that it would take forever, if ever, for this scan to finish, so I broke it up into smaller chunks.
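Breaking the sweep into chunks is easy to script. The following is an added example, not the author's own commands: it splits the 10.10.0.0/16 range into 256 /24 sweeps that reuse the same exclusion file and greppable -oG output, and shows how to pull the live hosts back out of that output for the port scans that follow. The paths, the DRY_RUN switch and the sample -oG lines are assumptions; nothing here is real scan data.

```shell
#!/bin/sh
# Added example (not from the original post): break the 10.10.0.0/16 host
# discovery into 256 /24 sweeps so one stalled chunk does not hold up the
# rest, keeping the same exclusion file and greppable (-oG) output style.
# Paths and the DRY_RUN switch are assumptions, not the author's setup.

EXCLUDE_FILE="${EXCLUDE_FILE:-/root/Desktop/CTF/exclude.txt}"
OUT_DIR="${OUT_DIR:-/root/Desktop/CTF}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the nmap commands, 0 = run them

# Print the 256 /24 subnets inside a /16 given by its first two octets:
#   chunk_cidr16 10.10  ->  10.10.0.0/24 ... 10.10.255.0/24
chunk_cidr16() {
    i=0
    while [ "$i" -le 255 ]; do
        printf '%s.%s.0/24\n' "$1" "$i"
        i=$((i + 1))
    done
}

# Build the nmap command for one chunk. -sn is host discovery only (no port
# scan), --excludefile keeps the off-limits hosts out of every chunk, and
# -oG writes greppable output named after the chunk so each file stands alone.
nmap_cmd_for() {
    base=${1%/*}                       # 10.10.3.0/24 -> 10.10.3.0
    printf 'nmap -sn --excludefile %s -oG %s/nmap_%s.txt %s\n' \
        "$EXCLUDE_FILE" "$OUT_DIR" "$base" "$1"
}

# Pull the IPs that answered out of a -oG file; -oG puts one host per line as
#   Host: 10.10.146.74 ()<TAB>Status: Up
# so these become the target list for the port scans that follow.
live_hosts() {
    awk '/Status: Up/ { print $2 }' "$1"
}

# Constructed -oG output used to exercise live_hosts offline; not real scan data.
write_sample_og() {
    printf '# Nmap ping sweep of 10.10.146.0/24 (constructed sample)\n' > "$1"
    printf 'Host: 10.10.146.74 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 10.10.146.187 ()\tStatus: Up\n' >> "$1"
    printf '# Nmap done: 256 IP addresses (2 hosts up)\n' >> "$1"
}

# Walk the chunks; with DRY_RUN=1 this just prints the 256 nmap commands.
chunk_cidr16 10.10 | while read -r chunk; do
    cmd=$(nmap_cmd_for "$chunk")
    if [ "$DRY_RUN" -eq 1 ]; then
        echo "$cmd"
    else
        $cmd                           # plain word splitting; paths have no spaces
    fi
done
```

Run it with DRY_RUN=0 on the CTF network to actually sweep; the per-chunk files mean a stalled /24 costs you one file rather than the whole /16, and `live_hosts nmap_10.10.146.0.txt` gives the hosts worth a full port scan.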
Removing the negative-point component from CTF flags turned out to be both a blessing and a curse.
In the past, flags were (mostly) obvious and always followed a “flag=” tag. That made them easy to find with some REGEX magic. But it also sucked to get docked points if you accidentally entered the same flag twice, left some whitespace in your submission or otherwise submitted a non-flag.
Along with the end of negative-point flags came some unexpected changes, such as not-so-obvious flags: flags that were tagged as flags, but not in the expected format. Think “Fl.4gISwhatever,” which was a big departure from “flag=”. That also made flags a little harder to recognize for what they were if you weren’t paying attention.
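The grep-through-downloaded-files approach that turned up MayUrG0atsBeFr33, Goats34Milk and ML5jVuOCTvMhaG70p0BL earlier on this page, and the FTP mirroring done with FileZilla, can both be done from the shell. The following is an added example, not the author's own workflow: a command-line mirror of an anonymous FTP share, and a grep pattern loose enough to catch the “flag=” style as well as the “Fl.4gIS” and “f l-ag is” spellings described above, while requiring the “=” or “is” so that ordinary source code full of the word “flag” does not drown the results. The regex, the host placeholder and the sample file tree are assumptions; the sample contents are constructed (only the flag strings come from the posts).

```shell
#!/bin/sh
# Added example, not the original author's workflow: mirror an anonymous FTP
# share from the command line, then grep the mirrored tree for flags.  The
# search pattern is an assumption built from the two formats the posts
# describe: the old "flag=VALUE" tag and the looser "Fl.4gISVALUE" /
# "f l-ag is VALUE" spellings.  Sample files below are constructed.

# wget -m (mirror) recurses an ftp:// URL into ./<host>/; defined here but not
# run, since it needs the CTF network. Host and credentials are placeholders.
mirror_ftp() {
    wget -m --no-verbose "ftp://anonymous:anonymous@$1/"
}

# "flag" with up to two punctuation/space characters between letters, leet
# substitutions (1 for l, 4/@ for a, 9 for g), then "=" or "is" and a value of
# three or more characters.  Demanding the "=" / "is" is what keeps ordinary
# source code ("int flag = 0;") from flooding the results.
FLAG_RE='[fF][^[:alnum:]]{0,2}[lL1][^[:alnum:]]{0,2}[aA4@][^[:alnum:]]{0,2}[gG9][^[:alnum:]]{0,2}(=|[iI][sS])[^[:alnum:]]{0,2}[[:alnum:]_!@#%^&*-]{3,}'

# Recursive, text-only (-I skips binaries), prints file:line:match.
find_flags() {
    grep -rEnoI "$FLAG_RE" "$1"
}

# Constructed stand-in for a mirrored FTP tree (flag strings taken from the
# posts, surrounding contents invented) plus C source with "flag" as noise.
make_sample_tree() {
    mkdir -p "$1/www" "$1/src"
    printf '@ECHO OFF\nREM flag=Goats34Milk\nPATH C:\\DOS\n' > "$1/AUTOEXEC.BAT"
    printf '<html><!-- Fl.4gISMudFlaps --><body>ok</body></html>\n' > "$1/www/Default.aspx"
    printf '<title>CTF box f l-ag is N0tAR3alFlag</title>\n' > "$1/www/index.html"
    printf '<tag name="hint">Fl4g=ML5jVuOCTvMhaG70p0BL</tag>\n' > "$1/10_25_2_165_rexpzo.xml"
    printf 'int flag = 0;\nvoid set_flag(int v) { flag = v; }\n' > "$1/src/main.c"
}

# Against a real mirror:  mirror_ftp 10.10.146.74 && find_flags ./10.10.146.74
# Here the constructed tree is built and scanned instead.
sample=$(mktemp -d)
make_sample_tree "$sample"
find_flags "$sample"
rm -rf "$sample"
```

The four planted flags come back with file and line number and the C file contributes nothing, but the pattern is still a heuristic: a line like `flag == DONE` will match, and a flag with no tag at all (the kind that only a second pair of eyes spots) will not.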
The first thing I did upon registering as a participant for CTF was throw a few flags at the scoreboard to see if any stuck. Surprisingly (or not), “password” was worth 20 points. I tried a few more potential flags like “DerbyCon” and the like, since I had to wait 60 seconds in between submissions.
In between everything else I had going on this past weekend, I managed a few hours to drop in on Maker Faire Atlanta in Decatur on Saturday to help the Atlanta Hams group teach kids how to build a basic circuit. The weather was perfect for it and there was quite a crowd of enthusiastic Makers hawking their projects. I figured I helped at least two-dozen kids (and a few adults) build their very first circuit.
It wasn’t all kids, though. At one point, I had three very enthralled moms diligently working to build their own blinky while their disinterested kids begged to move on to the next exhibit. 🙂
We selected the Light Sensing Mini Breadboard Blinky, which is cheap and easy to build. At the end of the build, the kids got to take their newly created circuit home with them. I don’t recall the final number, but I believe we helped around 250 future Makers build this circuit. I hope many of these kids went home excited about electronics!