Tag: ctf

WriteUp: Tartarus

This relatively easy ctf challenge can be found on the site TryHackMe.

This challenge did take me a little while to figure due to overlooking a key step but it is definitely a good hacking challenge for beginners. Let’s dive in.

Part 1

Once you join the room and deploy the machine, scan it for any open ports. In this example, I use nmap.
nmap -sS -sV <ip_address>

FTP, SSH, and HTTP are open for us. We will check FTP first to see if we can login anonymously. When asked for a password, simply press the ENTER key.

And we got in! Now for a little snooping. Using the ls command shows us one file call “test.txt”. Reading it gives us nothing. Using ls -a on the other hand reveals a weird directory. Enter that directory and rerun ls -a. Another weird directory. Keep going until you run into an actual file. After downloading the file, read it and make note of the path you see.

Before going to our newfound path, let’s explore our HTML port. If we go to the default webpage, we’re greeted with the default test page from Apache. Checking source code reveals nothing new. We will use a directory enumeration tool to find if any other files or folders exist. In this example, I use dirsearch.
python3 dirsearch -u <url> -e html
(In the screenshot, I am using an alias to run the command.)

The search gives us a status code 200 for “robots.txt”. Visit that page and you’ll see another path we can explore. Navigate to that path. There are two files available. One looks like a bunch of passwords and the other has possible usernames. Copy the files manually or with wget.
wget <url>

After copying those two files to your computer, you can try exploring more from our current angle but there is nothing else. So, let’s go to that path we found in the FTP file.

You’re greeted with a login page. We can attempt to guess the credentials but there is a tool for that. We will use Hydra to check for credentials using the two files we just copied over to our computer. Hydra should come default with Kali Linux but if you are an intrepid soul using a different Linux flavor, you can install it from here.

To use Hydra against a webpage login, you need three things: usernames, passwords, and a login error message. Get the login error message by entering a bogus credential on the webpage.

We will get the error message “Incorrect username!”. Now we try our attack.
hydra -L <username_file> -P <password_file> <domain/ip> http-form-post "<login page>:username=^USER^&password=^PASS^:Incorrect username!"

There are a lot of results for just one user! We need to narrow it down.

Try one of the combinations on the login page. More than likely, you’ll get a new error message, “Incorrect password!”. Let’s rerun Hydra but with a couple of changes.
hydra -l <username> -P <password_file> <domain/ip> http-form-post "<login page>:username=^USER^&password=^PASS^:Incorrect password!"

Bingo! We have valid credentials! Login in and there is an upload page ready to be exploited. But what to upload?

Ultimately, we want to get on the target machine to get those flags so let’s upload something that will give us a reverse shell. Pentestmonkey has an excellent file called “php-reverse-shell.php” that will do just that! Download it and edit it so that it uses your computer’s ip address and the port you want to listen to.

Upload the edited version. You’ll see that the upload was successful but trying to navigate to your uploaded file gives you an error. What gives?!

We assume the file is definitely uploaded so we will run our directory searching tool again to look for other folders.

In doing so, we discover an “images” folder. This path holds our uploaded content. Before opening the file, go back to a terminal and prepare your end of the reverse shell connection using netcat.
nc -nlvp <port>

Now go to your uploaded file from the browser and you should have a shell prompt on the terminal.

Part 2

It takes a while to get to this part but if you have been keeping notes of previous findings, getting back here is very simple. Now let’s get some flags!

Find out who are are logged in as with whoami and which directory you are in with pwd. Then use the find command to look for the first flag. Of course, you can skip figuring out who and where you are but it’s good to get a lay of the land first.
find / -name "user.txt" 2>/dev/null

First flag found! Let’s see about getting the root flag.

If you run sudo -l, you’ll see we can execute /var/www/gdb as the user thirtytwo. So we will exploit this to gain a shell as that user.
sudo -u thirtytwo /var/www/gdb -nx -ex '!sh' -ex quit

GTFOBins is a great site for figuring out if a command can be exploited or not. I highly recommend taking a look there.

For the next part, we need to get an interactive shell.
python -c 'import pty;pty.spawn("/bin/bash")'

Then we can run sudo -l and see that thirtytwo can run /usr/bin/git as the user d4rckh. We will exploit that with this command.
sudo -u d4rckh /usr/bin/git help config

Once you get a prompt, use !/bin/sh to get a new shell.

Now we are d4rckh! We found our first flag in this user’s home folder so we will navigate there first. Run ls -la and we see there is a file called “cleanup.py” owned by root that we can write to.

Reading the file, we notice we can have this script execute system commands with os.system(). Before we write anything, we need to see how to get the command to run as root. Our user is not part of the sudo group and if we run sudo -l, we are asked for a password. (Don’t press CTRL+C! You’ll have to start all over!)

Check out /etc/crontab.

The script we can abuse runs every two minutes as root. Perfect! Let’s carefully edit that script with a command to get us the root flag.
echo "os.system('cat /root/root.txt > /home/flag; chmod 444 /home/flag')" >> /home/d4rckh/cleanup.py

I say carefully because entering bad code means we have to type it all over again! No one wants that pain.

In about two minutes, we can check to see if we got our root flag.

Part 3

If you’re like me and entered the wrong command to get the root flag, it definitely feels like game over.

The best thing to do is to terminate the remote machine and redeploy. This means you have to re-upload the reverse shell script. Hope you took notes.

Once that is done and you’re logged back into the machine, you can skip the lateral escalations and go straight for the root escalation. Remember, anyone can write to “cleanup.py” and cron will run it as root!

Cautiously edit the script with your command, wait two minutes, and viola!

So why go through all the trouble if we can just do this? Sometimes, it takes a lot of jumping around to get the right permissions to get the exploit. Imagine if the cleanup script was in a subfolder that only d4rckh could read and write to. Suddenly our quick solution is invalid and we would have to jump to a different user to try to get permission to edit the script!

With that said, I’m glad this quick solution exists. No tab complete, cursor navigation, or up arrow for previous commands make this an irksome task to complete.

WriteUp: Gotta Catch’em All

Another fun and relatively easy CTF from the website TryHackMe! I swear, this is by far my favorite site for learning pentesting techniques and getting some practical experience!

This CTF is about Pokemon and though you can probably guess the answer to “Find the Grass-Type Pokemon”, you probably won’t know how to present that answer. Good fun!

Deploy the machine and let’s get started!

First things first. We need some information about the machine. Run a basic nmap command for any open ports we may be able to leverage.
nmap -sS -sV <ip_address>

We got http and ssh open. Can’t do much with ssh so let’s take a look at the website. One thing I like to do before navigating to the site is having something like gobuster searching for directories.
gobuster dir -u <ip/domain> -w <wordlist>

When you go to the webpage of the ip address, you’re greeted with an adorable Apache2 default welcome page. Sorry, no Pikachu here. But maybe gobuster found something?

A bunch of 403s won’t do us any good. All we get is that default page…or do we?

At the very bottom of the webpage, there is something that looks out of place. A colon, all alone. To find out why it’s there, let’s look at the page source.

The source page has the typical css, javascript, and html trio. If you want, you can take some time with the javascript but it is not a clue. Believe me, I’ve tried. Instead look towards the bottom and there are two tags that doesn’t look like html.

I’ll admit this took me a while to get and I face palmed myself once I realized what I was looking at. Right there in plain sight, ssh credentials! Now that we have those, we can leave the browser and ssh into the machine.
ssh <user>@<ip_address>

Once we’re in, run the groups command. Our user is a part of many groups but not sudo. If we try sudo -l, we get a message that the user may not run sudo as root. Taking a look at the file permissions of /etc/passwd and /etc/shadow does not give us any kind of leverage we can use. And there’s nothing special in /etc/crontab. Looks like we won’t be escalating privileges yet so we’ll explore a little.

Running ls and ls -a on the home directory of our user does not yield anything interesting. If we look in the Desktop folder…

There is a zip file. Unzip it using the unzip command and we’ll see that our first flag is now available! There is a catch though. The flag is encoded. It is up to you figure out the encoding. Once you do, you’ll have the grass-type flag!

Going back to our home directory, we can list the contents of the other folders which gives nothing back except for one folder. The “Videos” folder has a folder called “Gotta”. Interesting. Navigate to that folder and the sub-folders that follow. There is a file at the end of the folder path that ends in “.cplusplus”. Run cat on this file.

We got credentials for another user! Before we use these credentials, let’s see if we can find any other flags as the user we currently are.

At this point, we still need the water and fire type flags. Good thing we can search based on keywords from the flags. We will use the find command to see if we can get the other two flags.
find / -name "water-type*" 2>/dev/null

This shows us that there is a file called “water-type.txt” under /var/www/html. Run the cat command on the file and you’re presented with something resembling the flag. This flag needs to be decrypted and once again, I leave that up to the reader to figure out but as a hint, the ancient romans would be proud.

To find the fire-type flag, we will run the find command again but changing out the word “water” for “fire”.
find / -name "fire-type*" 2>/dev/null

Once again, we get a path to a file called “fire-type.txt”. Run cat on the file and you’ll get the third flag…encrypted. And as before, it’s up to you to figure out what the encryption is. All I can say is all your blank are belong to us.

What about root’s favorite pokemon?

Personally, I think it’s Psyduck but we got another set of credentials we can try out. Login to the other user’s account with the following command.
su <new_username>
After logging in, run the groups command. You’ll see that this user is a part of sudo!

One thing you may notice quickly is that this user doesn’t have a home folder to go to. Check out the “/home/” folder with sudo ls -l.

Although it’s redacted, we can see that our new user’s home directory is owned by root however we can read the “roots-pokemon.txt” file. Read it with the cat command to get the final flag! No tricks!

And that’s it! Congratulations on completing the CTF!



Side Note

When I originally did this challenge, I did not use the above steps after the initial ssh login. Instead, I was able to cat the .bash_history of the user and saw all of the commands taken to create the files for the flag and the additional user. I copied that to a temporary file in /tmp and used it as my guide to hunt the flags.

While writing this writeup, I found out that the .bash_history is now completely empty. This was certainly a surprise as I had thought that was the way to do the challenge. I now like to think I hacked the hacking challenge…or got really lucky that the bash history wasn’t cleared out.

Thank the hacking gods that there is a find command.

WriteUp: Bounty Hacker

This is another guide for a free CTF challenge on the website TryHackMe. I personally really like this site and if you’re interested in pentesting, this site is another great resource!

On to the challenge!

Not only is this challenge relatively easy, it is Cowboy Bebop themed! So double the fun for me!

After deploying the machine, we need to find all of the open ports. We can do this using nmap.
nmap -sS -sV -Pn <ip address>

We got 3 ports open: FTP, SSH, and HTTP.

If we take a quick look at the IP through the browser, we get our mission objective where upon success, we are rewarded with Jet’s famous bell pepper and beef dish! Beyond that, there is nothing worth noting but it is not a bad habit to run a dirbuster or dirsearch on the IP address or checking the source code.

Let’s see if we can use an anonymous login on FTP. Connecting to the IP address through FTP and sign in with the username “anonymous” and no password.

Awesome! Use the ls command and see that there are two files. Download them to your machine with the get command. Exit out of the FTP session and take a look at the task.txt file.

Now we know who wrote the task list!
The file locks.txt looks like a bunch of possible passwords. One could say it looks like a wordlist. Perfect for trying to brute force our way into the machine using hydra!
hydra -l <username> -P locks.txt <ip_address> -t 4 <protocol>

Because the next few commands include flags, there’s going to be a lot of masking. However, if you know which port your trying to brute force, you’ll get the password and you can login.

Now we got the user flag! Time to get the coveted root flag!
Unfortunately, the user we login as is not in the sudo group. So let’s try sudo -l and see if our user is in the sudoers file at all.

Ignoring all of the masking, we see that our user can use the tar command as root! But how can we use this command to get our flag?

A website that is great for helping us figure out how to exploit the tar command is GTFOBins. This site has an extensive list of linux commands that can be used to escalate privileges and if we search for tar, we see we can get access to a shell. Let’s modify the command a little to skip the shell and go straight to that root flag.

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec="/bin/cat /root/root.txt"

And there we have it! Turn in the root flag and go enjoy some of that bell pepper and beef!

Enjoy!

WriteUp: Brooklyn Nine Nine

In a previous post, I mentioned that a great place to learn hacking techniques is a site called TryHackMe. Since joining the site myself, I have learned a lot of techniques. Some of which I use in my role for a cyber security company. And to show off the culmination of everything I am learning, I am going to walk through the steps to retrieve the flags from the room Brooklyn Nine Nine on TryHackMe. This is a free room to join and a relatively easy CTF.

Let’s begin!

There are two way to get the flags from this box but first things first. We run the box’s IP address through nmap.
nmap -sS -sV <ip_addr>

Method 1

Notice from the scan that port 21 is open. This is the default port for FTP which means we may be able to do an anonymous login.
ftp <ip_addr>
Type in anonymous as the username and enter a blank password.

Now that we are here, let’s see what we can find. Run the ls command and see that there is a file we can download with the get command. Once the file is on our computer, cat it to revel this message.

Now we know that Jake is using a weak password. The questions are: Password to what? How do we get it?
Recall from the nmap scan that port 22 is open which is the default port for SSH. We could run the ssh command over and over again trying to guess the password but who has time for that? Let’s use Hydra instead!
Hydra is great for cracking weak passwords for SSH logins. In the command below, we give it a username, a wordlist, an ip address, and the protocol.
hydra -l jake -P rockyou.txt 10.10.5.193 ssh

Jake’s password is now ours! If you need the “rockyou.txt” wordlist, you can download it from here.
Let’s try our newfound password for Jake in SSH.

Let’s find some flags!
The first one is the “user” flag. Normally, we can run ls and see that the user flag is in our home directory. But it’s not this time! We can look for the user flag using the find command.
find / -type f -name "user.txt" -exec ls -l {} \; 2>/dev/null

We found the file so let’s read it with cat to get that first delicious flag!

The second flag requires us to become root to read “/root/root.txt”. Let’s see if Jake is in the sudo group. Running groups shows us that Jake is not to be trusted with that much power but he still might have some privileges. Run sudo -l.

Jake is able to use less as root. We can use this command to read files instead of cat.
sudo less /root/root.txt

And with that, we have escalated our privileges and got that pesky root flag! Submit to TryHackMe and enjoy your new badge!

Method 2

There is a port from the nmap scan that wasn’t used in method 1. Port 80. Visiting the ip address in a browser takes us to this rather simple webpage.

Besides this lovely picture and text, not much to see here. If we take a look at the page’s source code though, there is a comment asking us if we have heard of steganography. If you have, then you can guess that the picture is protecting more than just the big city. If not, do a quick Google search.
Save the picture to your computer. Next, we will use a tool call steghide to extract any hidden data from the picture, if it exists. You can download steghide through the apt repository if you are using a Debian based machine. Run the following command to extract any hidden data from the picture.
steghide extract -sf brooklyn99.jpg

I will admit, I was a little baffled here. I was hoping for a password not being needed in order to extract any hidden data. If you run dirsearch or dirbuster on the ip address, you will find there is not much more to explore via the browser. All seems lost but fear now! There is a tool to crack steganography passwords!

Stegcracker can crack our steganography password and can be found here. If you have pip3, the install is simple!
pip3 install stegcracker

Now let’s see if we can crack a password. Run stegcracker on the picture using a wordlist.
stegcracker brooklyn99.jpg rockyou.txt

We will use this password in steghide. Run the steghide extract command again and use the password. You should get a message telling you the file “note.txt” was extracted. Open the file and we now have Holt’s password!

Let’s try this password out on ssh. SSH into the box as holt and enter his password. We get in with no problem! Now to find those scrumptious flags!
To find the user flag, run ls. Immediately, we see the file “user.txt”. Read that and get the user flag.

Now to find the root flag.
As always, let’s see if we belong to the sudo group by using the groups command. This does not look promising but there is still sudo -l.

Holt can use the nano editor as root. Let’s open up nano using sudo nano. It will take us to a blank page with some options listed at the bottom. One option that catches our interest is the “Read File” option. Hit CTRL+R and then CTRL+T to bring up a filesystem. We can use this to navigate to a file we want to read. Since we are running nano as root, we can go straight to “/root/root.txt” and get our flag!

Conclusion

This box is pretty easy to get into with the assumption that you have decent linux command line skills, good researching skills, and some basic knowledge of pentesting. And if this wasn’t easy, no problem! TryHackMe is chock full of rooms that teach the basics. If may seem difficult at first but if you stick to it, you’ll be crafting your own writeup helping others one day too!

Happy Hunting!

BSides Idaho Falls – Day 2

The second annual BSides Idaho Falls conference is now done and it was great! There were many things to do but I kept things relatively low key in comparison to yesterday. Nevertheless, I got a lot out of this conference and once again it had me thinking of my next steps going forward in my career in cyber security.

Most of my time today was dedicated to the Tinkerer’s Village to learn more about my badge. Since the badge is a circuit board with LED lights, a resistor and a microprocessor, I just added one extra resistor to the circuit board to produce different colors than what the badge originally came as. This was nice but I was not quite satisfied. My badge periodically flashed red which indicated that an error had been tripped. That was no fun. Also, I wanted to get access to the microprocessor to tweak the coding. I’ve learned that the best way to do this as a beginner is to connect the badge to an arduino board and tweak it from there. I have some research to do once I am home again.

In second place for where I spent most of my time goes to the Career Village. As someone who feels that everything sounds interesting, it was good to get some grounding and a sense of direction. I learned about resume writing, a bit about self-marketing, and really got a sense of what I can bring to the community at large. Learning about these things were not new. If you have ever been to a class about resume building or mock interviews, you have probably experienced these lessons as well. What made the lessons from today different for me is that they were specifically designed for people in cyber security. This changed how I would talk about myself and how I present my job history. These are skills that people in the industry (IT/CyberSec) should have.

In third place, the memory forensics seminar. Thanks to my time trying out digital forensics in the past, I had some exposure to memory forensics though I had never delved into it. This seminar introduced tools like Volatility, DumpIt, RedLine, and LiME. I also learned concepts specific to memory forensics. A good example is that memory from a peripheral device gets mapped to the system memory address space. If I remember correctly, system memory address space is notwhat software programs load into to run because that address space is used by the OS and messing with it could cause the machine to crash. Instead, programs use a virtual address space where it thinks it loads at slot number 0 when in reality it is loading at some completely different slot nnumber in actual memory. It seems a peripheral makes it more difficult to capture data from memory. It was a good lecture to attend!

By the end of the conference, I began networking (another soft skill worth knowing) and gained a new mentor: my instructor from the cloud forensics seminar! Having a mentor feels as if it will boost my career and give me more opportunity to contribute back and help others. Speaking of which, networking also gives me chances to help others, collaborate, and learn. Networking is not a trait I naturally have but developing it has been a big boon. Technical people need connections too!

One last major thing happened that I cannot skip over. Due to my performance as team lead during the CTF (Capture The Flag) challenge yesterday, I received a challenge coin! It is the first time I received one and it was unexpected! Now I feel I have to get even better in this field.

I likely have more to say about my thoughts on my experience at the conference but it is getting late and I am saving all of my final thoughts for the next blog post. Stay tuned!

BSides Idaho Falls – Day 1

Today, I woke up to ominous clouds and chilling rain. Not what I was hoping for the first day of the conference. In my mind, I could only think this was a sign that I would be an embarrassment to the cyber security community. Not to mention that my frustrations with setting up my AWS machine for the seminar continued after writing the blog post yesterday. That is another story that I plan to write about more since it sparked a new blog idea.

Overall impressions of the conference? Amazing!

I joined the seminar on Cloud Forensics taught by Kerry Hazelton. There were concepts in the seminar that were familiar: The different kinds of cloud. What is cloud computing? Who owns the data you put into the cloud? Then there were things like vendor-locking or the CLOUD Act that I absolutely did not know about! The seminar definitely had me thinking of ways to expand professionally and tinkering with cloud security more.

Another thing the seminar made me ponder about is getting new certifications. He mentioned a few but the CCSK (Certificate of Cloud Security Knowledge) seems like a good place to start. And since this was focused on forensics, I wondered about trying my hand at forensics again. It might be easier to practice on instances in the cloud. Not to mention, I can blog about that too!

I also got to meet some really nice people as well. One thing that I found amazing when meeting people was how humble everyone was. There was the sense that everyone felt they did not really know anything and wanted to learn as much as possible. How much of the former is true is legitimately questionable but the latter was definitely true. No matter what the skill levels were, everyone wanted to be better. It was refreshing!

Then came the CTF (Capture The Flag) event for our seminar. We were all split randomly into teams…then I moved to a different team to help even the numbers…then more people came late and just joined our team. In total, we were a massive nine person team compared to the average size of four! And guess who was elected as team leader?

We all did not really know how to go about the CTF but I may have had best idea of what was expected. I did capture the first flag for our team which was pretty cool but I still tip my hat to the team member who got the 1000 point flag! That was amazing and really pumped the team!

Meanwhile, I had to keep track of at least three different challenges the team as a whole was working on. I’ll tell you. Working on an encryption, network and two stenography challenges at the same time is not easy. However, I found that I was a pretty good resource of random information and often could point people in the general direction to solving the challenges. I also taught a few new linux commands to one of my teammates who I am soo happy he had a linux vm on his computer! There were a couple challenges that were easier to do thanks to him!

In the end, our team came in 2nd place! My imposter syndrome kicked in and told me that we didn’t deserve it because there were nine of us. A few seconds later, I disregarded that thought and replaced it with a new one. Our team consisted of people who mostly have never done any kind of CTF challenge and were new to cyber security. And we came in 2nd! We congratulated each other and the team member who solved that 1000 point challenge got a custom challenge coin! We did really well!

At the end of the day, many of the conference attendees gathered together to play board games. It was relatively relaxing and we continued to meet more great people. There were a ton of games but I opted to play only one game called “Jamaica”. It was great looting gold from people and attacking ships on a gamble.

Despite the deathly looking clouds and the freezing rain, this was a great start to the conference. I’m looking forward to tomorrow. Especially the Tinkerer’s Village. Stay tuned!