May 31, 2019 at 19:21Victory at PHDays 9. We share life hacks in three parts. Part 2
Hello! My name is Vitaliy Malkin. I am the head of the security analysis department at Informzashchita and part-time captain of the True0xA3 team. A little over a week ago, we won one of the most prestigious competitions of white hackers in the CIS. In the last article (if you missed it, you can read it here ) we talked about the importance of preliminary preparation. In this - I’ll talk about what happened directly at the competitions themselves, explain why it is sometimes important to make adjustments to existing plans during the game and why, in my opinion, none of the protected offices was hacked.
9:45 MSK. The
day began when we were given the results of MassScan-a launch. We started from the fact that we immediately wrote out all the hosts with an open 445 port and at exactly 10.00 we launched the ready-made metasplit checker for MS17-010. Guided by our plan, task No. 1 was to capture the bigbrogroup domain, so it was simultaneously broken by two people from our team at once. In the diagram below you can see the initial distribution of our team members by office.
As can be seen from the diagram, we covered almost all offices. And here the fact that there were 20 people in the team helped a lot.
10:15
By this time, one of the Team-1 members finds a host in bigbrogroup.phd that is vulnerable to MS17-010. We exploited the vulnerability in an incredible hurry. A few years ago we were already in a situation when we got a meterpreter shell to an important node and after 10 seconds we were thrown out of it, simultaneously closing the port. This year this did not happen: we successfully capture the node, close the SMB port and change the RDP port to 50002. We take a very responsible attitude to the issue of maintaining access, so we add a few more local administrators and set up our own RAT. After that we move on.
10:25
We continue to deal with what we found. In addition to the fact that this node has access to the internal network and to the domain controller, a domain administrator token is also found on it. This is the jackpot! We immediately check to see if he is “rotten”, and there is no limit to our joy. The first domain has fallen. Hacking time - 27 minutes 52 seconds.
Finally, after half an hour from the start of the competition, we still go to the hackers portal and try to understand what we need to do to get the public. We see a standard set: credentials of a domain administrator, administrator of workstations, exchange, as well as several tops. We download from the ntds.dit domain, simultaneously uncovering the CUDA station. Imagine our surprise when we saw that the domain has a reversible encryption mode enabled, which allows us to get all user passwords in clear text. To form an understanding of which users are of interest to us, we involved two people from Team-1 to analyze the structure of AD and its groups. Five minutes later, we got all the answers. We send them to the portal and start to wait. Honestly - by that time I really wanted to shed the first blood to maintain morale, so to speak,
a) the checker is automated;
b) the checker has a hard format;
c) the checker did not accept our answer a few seconds after sending the answer, because It was in the wrong format.
Having mastered the format, at about 11.00 we get the coveted First blood. Yeah!
11:15
Team-1 is divided into two parts. Participants of one subcommand continue to gain a foothold in the domain: receive krbtgt, strengthen the domain, change passwords for accounts. Even at the briefing, the PHDays organizers made it clear that whoever got up first was wearing slippers. Therefore, we change the passwords on the accounts to be sure: if someone kicks us out, they will receive a minimum score.
Team-2 continues to research the domain, and finds the answer to another task. On the desktop of the financial director a financial report was found, so necessary for someone. But the trouble is that it is in the archive, which is password protected. Well, it’s not for nothing that we uncovered a CUDA station. With a flick of the wrist we turn the archive into a hash and send it to hashcat.
Team-2 at this time finds some interesting services with RCE and starts to “twist” them. This is monitoring in CF-media, built on the basis of Nagios. This is a charting system from a ship company, built on the technology that we see for the first time. And also some other potentially interesting services such as the converter from DOC to PDF.
The second subcommand of Team-1, meanwhile, is engaged in the bank and finds an interesting base on MongoDB, in which, among other things, there is the name of our team and its balance in some system. We “twist” our balance of 50 million and move on.
14:00
We are overtaken by the first setbacks. Firstly, the two services on which we received RCE in the protected segments became unavailable. The defenders simply turned them off. Of course, we are going to complain to the organizers. This does not lead to anything. Well, yes, in Standoff, alas, there is no business that would give such a cap. In addition, we can not find a list of customers. We assume that it is hidden somewhere in the depths of 1C, but there are no bases or working configurations. This is a dead end.
We are trying to raise the VPN channel between our remote servers and the ICS network. For unknown reasons, we do this on the bigbrogroup domain controller, and when the bridge between the interfaces is built, the connection is disconnected. The domain controller is unavailable. The part of the team that captured the bigbrogroup almost had a heart attack: the first quarrels begin, the general tension is growing.
Suddenly, we realize that the domain controller is still available from our servers, but the channel is very unstable. As in the turn-based strategy - we disable the bridge mode through RDP, the domain controller is again available. Fuh !!! Everyone calms down. We eventually raise the VPN from another server, we cherish and cherish the domain controller. All teams have zero scores, this is reassuring.
16:50
The organizers finally publish the miner and we, using psexec, install it on all nodes controlled by us. We get an additional stable income.
Team-2 is screwing up the Nagios vulnerability. A vulnerable version <= 5.5.6 CVE-2018-15710 CVE-2018-15708 is installed there. A public exploit exists, but uses a reverse connection to download a web shell. We are behind NAT, so we have to rewrite the exploit and break it into two parts. The first forces Nagios to connect to our remote server via the Internet, and the second, located directly on the server, gives Nagios a web shell. After receiving the web shell, WSO was downloaded and the vulnerable PHP script “magpie_debug.php” was deleted. This gives us proxy access to the CF-media domain. The connection is unstable and it's hard to use, we decide to send the exploit to Bug-bounty, and at this time we are trying to “upgrade” to Root.
18:07
And here are the promised surprises from the organizers: BigBroGroup buy CF-media! In general, we assumed a similar turn. In the course of the study of the bigbrogroup domain controller, we noticed the trust between this domain and the cf-media domain.
Unfortunately, at that time there was no network access. But at the time of the merger announcement, he appeared. This freed us from the headache associated with paging through nagios. Bigbrogroup credentials run on cf-media, but users are unprivileged. There are no easily exploited vulnerabilities, but we do not despair. Something must be.
18:30
We are knocked out of the domain controller BigBroGroup. Who! Where? It seems like a CARK team. They change the password of the domain administrator, but we have four backups. Change back, reset all passwords. It doesn’t help, they beat us out again. At the same time, we find vectors in CF-media. One of the servers uses the same local administrator password as in the bigbrogroup domain. Well, password reuse, it remains to pick up the hash! Using hashkiller we find the password - "P @ ssw0rd". We break further.
19:00
The battle for bigbrogroup does not stop. TSARKA changes the password twice to krbtgt, we lost all admins. This is the end?
19:30
We get the CF-media admin domain, start passing flags. Despite the fact that the domain seems to be configured as securely as possible, reverse encryption is again enabled. We receive appearances, logins, passwords. We repeat everything as in the previous domain: we fix, harden, change passwords, pass VPN. We find the second financial report. By the way, what's up with the first one? The first has already been twisted, but not accepted by orgs. It turns out that you need to hand over the encrypted 7z !!! There was no need to brute anything, three hours in vain !!!
As a result, we hand over both. We have about 1 million points, the CARK 125,000, the rest by zeros. CARKA begins to turn in flags with Bigbrogroup. We understand that this needs to be urgently stopped, but HOW ?!
19:45
There was a solution !!! We still have the credentials of local administrators. We connect, pick up the ticket and decide to simply drop the domain. The domain is sent to power off, close all ports on servers except RDP, change the passwords of local administrators. Now we are on our own, and they are on our own. Still, to achieve stable VPN operation and everything in general would be excellent. Exhaled ...
We scatter miner across all nodes in the CF-media domain. The TsARKA overtakes us in total, but we are clearly catching up with them, because we have more power.
In the picture you can see the distribution of the team at night.
The guys gradually begin to go home. By midnight, nine people remain. Efficiency is greatly reduced. Every hour we leave to wash and breathe — so as not to fall asleep.
Getting to the ACS TP.
02:00
The night is very hard. We find vectors several times, but they are already closed. It is not entirely clear whether they were originally closed, or the CARKA has already visited us here and closed them. Gradually getting accustomed to automated process control systems, we find a controller vulnerable to attack through NetBus. Using the metasplit module, we do something, not fully understanding what. The light in the city goes out. The organizers are ready to set off the task if we can turn on the light back. At this point, the VPN connection drops again. The server on which the VPN is deployed is under the control of the CARK. Again, it seems that this is the end: we discussed the ICS too noisy and they were able to somehow disconnect us.
3:30 a.m.
The most persistent "cuts" a dream. Only seven remain awake. Suddenly (for no apparent reason) the VPN starts working again. We quickly repeat focus with light. There are +200.000 publishes !!!
Part of the team continues to search for other vectors, part continues to work actively with ICS. We find two more potential vulnerabilities. We manage to exploit one of them. The result may be overwriting the controller firmware. We agree with the organizers that we will wait until the morning and together decide what to do.
05:30
VPN works 10 minutes per hour, the rest of the time it dies. We are trying to find at least something. Our performance is almost at zero. We decide to sleep at least an hour. SPOILER: a bad idea.
Five guys continue to break the ACS TP.
By morning, we understand that we have substantially come off by the points from the rest, by almost 1 million. CARKA was able to pass two tasks from ACS TP and several tasks from telecom and bigbrogroup. They have already mined a lot, but according to our estimates, they have a stock that they have not yet sold. At the current rate, it reached 200-300 tons of public. This scares us: there is a feeling that they may have several more flags in the zashashnik that they can save for the final spurt. In our regiment arrives. The morning sound check on the site is a little annoying, but invigorating.
We are still trying to break the ACS TP, but without much hope. The gap between the teams applying for first and second place, and the rest is too big. We do not believe that the organizers will leave everything as it is.
After a joint performance with CARK on the stage, we change the paradigm from “you need to score more points”, to “you need to prevent the CARK from gaining more points”.
On one of our servers, launch Cain & Abel and transfer all traffic to our server. We find several Kazakh VPNs, we “chop” them. As a result, we decide to hack all the traffic, set up a local firewall on the gateway to ban all traffic in the ICS network (this is how to protect the ICS). The organizers come running and say that they do not have access to ACS TP. We saw them accesses for their IP addresses (here's how you don't need to protect ICS).
12:47
No wonder they were nervous. The organizers throw another surprise. Out of nowhere, four domain accounts for each domain pop up. We mobilize the team.
The task of Team-1 is to get into the protected segments as deeply and quickly as possible. The task of Team-2 is to use Outlook Web Access to change passwords for accounts. Some defenders, having seen something, just turn off the VPN. Some do it trickier - they translate their systems into Chinese. Functionality works, but it’s impossible to use (orgy, ay!). Via VPN, we connect to three networks. Throws us out of the first in a minute.
12:52
We find on the network a behealthy server vulnerable to MS17-010 (protected! Segment). We operate without encountering resistance, we get the hash of the domain administrator and through Pth we go to the domain controller. Guess what we find there? Reversible Encryption!
It seems that those who defended this segment did poorly homework. We get all the information for tasks, except for the part related to 1C. There is an option to pick it up for another 40-50 minutes, but we decide to just drop the domain. We do not need competitors.
13:20 We
hand over tasks: we have 2.900.000 points and several unacceptable bug bounties. The CARKs have a little more than 1 million. They surrender their cryptocurrency and raise 200 tons. We are no longer very afraid, it is almost impossible to catch up with us.
13:55
People come up, congratulations. We are still afraid of some kind of setup, but it seems not, we are really champions!
Here is a chronicle of 28 hours from True0xA3. A lot of what remains behind the scenes. For example, going on stage, tormenting Wi-Fi and GSM, talking with reporters, but it seems to me not the most interesting.
It was a very cool experience for all of us and I hope that I managed to convey at least a little the atmosphere that has surrounded us all this time and show how interesting it is to participate on our own. There is yet another, the last article, in which we will evaluate our mistakes, and try to draw up a plan for their correction. After all, there is nothing better than learning from the mistakes of others.
The first day
9:45 MSK. The
day began when we were given the results of MassScan-a launch. We started from the fact that we immediately wrote out all the hosts with an open 445 port and at exactly 10.00 we launched the ready-made metasplit checker for MS17-010. Guided by our plan, task No. 1 was to capture the bigbrogroup domain, so it was simultaneously broken by two people from our team at once. In the diagram below you can see the initial distribution of our team members by office.
As can be seen from the diagram, we covered almost all offices. And here the fact that there were 20 people in the team helped a lot.
10:15
By this time, one of the Team-1 members finds a host in bigbrogroup.phd that is vulnerable to MS17-010. We exploited the vulnerability in an incredible hurry. A few years ago we were already in a situation when we got a meterpreter shell to an important node and after 10 seconds we were thrown out of it, simultaneously closing the port. This year this did not happen: we successfully capture the node, close the SMB port and change the RDP port to 50002. We take a very responsible attitude to the issue of maintaining access, so we add a few more local administrators and set up our own RAT. After that we move on.
10:25
We continue to deal with what we found. In addition to the fact that this node has access to the internal network and to the domain controller, a domain administrator token is also found on it. This is the jackpot! We immediately check to see if he is “rotten”, and there is no limit to our joy. The first domain has fallen. Hacking time - 27 minutes 52 seconds.
Finally, after half an hour from the start of the competition, we still go to the hackers portal and try to understand what we need to do to get the public. We see a standard set: credentials of a domain administrator, administrator of workstations, exchange, as well as several tops. We download from the ntds.dit domain, simultaneously uncovering the CUDA station. Imagine our surprise when we saw that the domain has a reversible encryption mode enabled, which allows us to get all user passwords in clear text. To form an understanding of which users are of interest to us, we involved two people from Team-1 to analyze the structure of AD and its groups. Five minutes later, we got all the answers. We send them to the portal and start to wait. Honestly - by that time I really wanted to shed the first blood to maintain morale, so to speak,
a) the checker is automated;
b) the checker has a hard format;
c) the checker did not accept our answer a few seconds after sending the answer, because It was in the wrong format.
Having mastered the format, at about 11.00 we get the coveted First blood. Yeah!
11:15
Team-1 is divided into two parts. Participants of one subcommand continue to gain a foothold in the domain: receive krbtgt, strengthen the domain, change passwords for accounts. Even at the briefing, the PHDays organizers made it clear that whoever got up first was wearing slippers. Therefore, we change the passwords on the accounts to be sure: if someone kicks us out, they will receive a minimum score.
Team-2 continues to research the domain, and finds the answer to another task. On the desktop of the financial director a financial report was found, so necessary for someone. But the trouble is that it is in the archive, which is password protected. Well, it’s not for nothing that we uncovered a CUDA station. With a flick of the wrist we turn the archive into a hash and send it to hashcat.
Team-2 at this time finds some interesting services with RCE and starts to “twist” them. This is monitoring in CF-media, built on the basis of Nagios. This is a charting system from a ship company, built on the technology that we see for the first time. And also some other potentially interesting services such as the converter from DOC to PDF.
The second subcommand of Team-1, meanwhile, is engaged in the bank and finds an interesting base on MongoDB, in which, among other things, there is the name of our team and its balance in some system. We “twist” our balance of 50 million and move on.
14:00
We are overtaken by the first setbacks. Firstly, the two services on which we received RCE in the protected segments became unavailable. The defenders simply turned them off. Of course, we are going to complain to the organizers. This does not lead to anything. Well, yes, in Standoff, alas, there is no business that would give such a cap. In addition, we can not find a list of customers. We assume that it is hidden somewhere in the depths of 1C, but there are no bases or working configurations. This is a dead end.
We are trying to raise the VPN channel between our remote servers and the ICS network. For unknown reasons, we do this on the bigbrogroup domain controller, and when the bridge between the interfaces is built, the connection is disconnected. The domain controller is unavailable. The part of the team that captured the bigbrogroup almost had a heart attack: the first quarrels begin, the general tension is growing.
Suddenly, we realize that the domain controller is still available from our servers, but the channel is very unstable. As in the turn-based strategy - we disable the bridge mode through RDP, the domain controller is again available. Fuh !!! Everyone calms down. We eventually raise the VPN from another server, we cherish and cherish the domain controller. All teams have zero scores, this is reassuring.
16:50
The organizers finally publish the miner and we, using psexec, install it on all nodes controlled by us. We get an additional stable income.
Team-2 is screwing up the Nagios vulnerability. A vulnerable version <= 5.5.6 CVE-2018-15710 CVE-2018-15708 is installed there. A public exploit exists, but uses a reverse connection to download a web shell. We are behind NAT, so we have to rewrite the exploit and break it into two parts. The first forces Nagios to connect to our remote server via the Internet, and the second, located directly on the server, gives Nagios a web shell. After receiving the web shell, WSO was downloaded and the vulnerable PHP script “magpie_debug.php” was deleted. This gives us proxy access to the CF-media domain. The connection is unstable and it's hard to use, we decide to send the exploit to Bug-bounty, and at this time we are trying to “upgrade” to Root.
18:07
And here are the promised surprises from the organizers: BigBroGroup buy CF-media! In general, we assumed a similar turn. In the course of the study of the bigbrogroup domain controller, we noticed the trust between this domain and the cf-media domain.
Unfortunately, at that time there was no network access. But at the time of the merger announcement, he appeared. This freed us from the headache associated with paging through nagios. Bigbrogroup credentials run on cf-media, but users are unprivileged. There are no easily exploited vulnerabilities, but we do not despair. Something must be.
18:30
We are knocked out of the domain controller BigBroGroup. Who! Where? It seems like a CARK team. They change the password of the domain administrator, but we have four backups. Change back, reset all passwords. It doesn’t help, they beat us out again. At the same time, we find vectors in CF-media. One of the servers uses the same local administrator password as in the bigbrogroup domain. Well, password reuse, it remains to pick up the hash! Using hashkiller we find the password - "P @ ssw0rd". We break further.
19:00
The battle for bigbrogroup does not stop. TSARKA changes the password twice to krbtgt, we lost all admins. This is the end?
19:30
We get the CF-media admin domain, start passing flags. Despite the fact that the domain seems to be configured as securely as possible, reverse encryption is again enabled. We receive appearances, logins, passwords. We repeat everything as in the previous domain: we fix, harden, change passwords, pass VPN. We find the second financial report. By the way, what's up with the first one? The first has already been twisted, but not accepted by orgs. It turns out that you need to hand over the encrypted 7z !!! There was no need to brute anything, three hours in vain !!!
As a result, we hand over both. We have about 1 million points, the CARK 125,000, the rest by zeros. CARKA begins to turn in flags with Bigbrogroup. We understand that this needs to be urgently stopped, but HOW ?!
19:45
There was a solution !!! We still have the credentials of local administrators. We connect, pick up the ticket and decide to simply drop the domain. The domain is sent to power off, close all ports on servers except RDP, change the passwords of local administrators. Now we are on our own, and they are on our own. Still, to achieve stable VPN operation and everything in general would be excellent. Exhaled ...
We scatter miner across all nodes in the CF-media domain. The TsARKA overtakes us in total, but we are clearly catching up with them, because we have more power.
Night
In the picture you can see the distribution of the team at night.
The guys gradually begin to go home. By midnight, nine people remain. Efficiency is greatly reduced. Every hour we leave to wash and breathe — so as not to fall asleep.
Getting to the ACS TP.
02:00
The night is very hard. We find vectors several times, but they are already closed. It is not entirely clear whether they were originally closed, or the CARKA has already visited us here and closed them. Gradually getting accustomed to automated process control systems, we find a controller vulnerable to attack through NetBus. Using the metasplit module, we do something, not fully understanding what. The light in the city goes out. The organizers are ready to set off the task if we can turn on the light back. At this point, the VPN connection drops again. The server on which the VPN is deployed is under the control of the CARK. Again, it seems that this is the end: we discussed the ICS too noisy and they were able to somehow disconnect us.
3:30 a.m.
The most persistent "cuts" a dream. Only seven remain awake. Suddenly (for no apparent reason) the VPN starts working again. We quickly repeat focus with light. There are +200.000 publishes !!!
Part of the team continues to search for other vectors, part continues to work actively with ICS. We find two more potential vulnerabilities. We manage to exploit one of them. The result may be overwriting the controller firmware. We agree with the organizers that we will wait until the morning and together decide what to do.
05:30
VPN works 10 minutes per hour, the rest of the time it dies. We are trying to find at least something. Our performance is almost at zero. We decide to sleep at least an hour. SPOILER: a bad idea.
Five guys continue to break the ACS TP.
Morning
By morning, we understand that we have substantially come off by the points from the rest, by almost 1 million. CARKA was able to pass two tasks from ACS TP and several tasks from telecom and bigbrogroup. They have already mined a lot, but according to our estimates, they have a stock that they have not yet sold. At the current rate, it reached 200-300 tons of public. This scares us: there is a feeling that they may have several more flags in the zashashnik that they can save for the final spurt. In our regiment arrives. The morning sound check on the site is a little annoying, but invigorating.
We are still trying to break the ACS TP, but without much hope. The gap between the teams applying for first and second place, and the rest is too big. We do not believe that the organizers will leave everything as it is.
After a joint performance with CARK on the stage, we change the paradigm from “you need to score more points”, to “you need to prevent the CARK from gaining more points”.
On one of our servers, launch Cain & Abel and transfer all traffic to our server. We find several Kazakh VPNs, we “chop” them. As a result, we decide to hack all the traffic, set up a local firewall on the gateway to ban all traffic in the ICS network (this is how to protect the ICS). The organizers come running and say that they do not have access to ACS TP. We saw them accesses for their IP addresses (here's how you don't need to protect ICS).
12:47
No wonder they were nervous. The organizers throw another surprise. Out of nowhere, four domain accounts for each domain pop up. We mobilize the team.
The task of Team-1 is to get into the protected segments as deeply and quickly as possible. The task of Team-2 is to use Outlook Web Access to change passwords for accounts. Some defenders, having seen something, just turn off the VPN. Some do it trickier - they translate their systems into Chinese. Functionality works, but it’s impossible to use (orgy, ay!). Via VPN, we connect to three networks. Throws us out of the first in a minute.
12:52
We find on the network a behealthy server vulnerable to MS17-010 (protected! Segment). We operate without encountering resistance, we get the hash of the domain administrator and through Pth we go to the domain controller. Guess what we find there? Reversible Encryption!
It seems that those who defended this segment did poorly homework. We get all the information for tasks, except for the part related to 1C. There is an option to pick it up for another 40-50 minutes, but we decide to just drop the domain. We do not need competitors.
13:20 We
hand over tasks: we have 2.900.000 points and several unacceptable bug bounties. The CARKs have a little more than 1 million. They surrender their cryptocurrency and raise 200 tons. We are no longer very afraid, it is almost impossible to catch up with us.
13:55
People come up, congratulations. We are still afraid of some kind of setup, but it seems not, we are really champions!
Here is a chronicle of 28 hours from True0xA3. A lot of what remains behind the scenes. For example, going on stage, tormenting Wi-Fi and GSM, talking with reporters, but it seems to me not the most interesting.
It was a very cool experience for all of us and I hope that I managed to convey at least a little the atmosphere that has surrounded us all this time and show how interesting it is to participate on our own. There is yet another, the last article, in which we will evaluate our mistakes, and try to draw up a plan for their correction. After all, there is nothing better than learning from the mistakes of others.