2/27/2013

Hack Fight - CTF at CDIC 2013 Write Up

Yesterday (Feb 27, 2013), I had a chance to participate in a capture-the-flag (CTF) style hacking competition called Hack Fight at the Cyber Defense Initiative Conference (CDIC) 2013 at Centara Grand Hotel, Bangkok, along with two other team mates, Mayaseven and Xelenonz. And we won 2nd place :)

It was a great experience. I want to thank my team mates. Although we struggled with teamwork and communication, we pulled through :)  And also, I want to give my thanks to ACIS's red team for setting up this CTF for us to play with. It was really fun.

Now, about the CTF, here are the rules:
  1. 3 hours
  2. no exploitation
  3. no disrupting to the other teams
  4. internet is allowed
And here is a very brief explanation of the flags:
  1. hack wireless access-point
  2. compromise the web server
  3. find another host in the internal network, get into it, and retrieve key.txt and secret.rar
  4. find the password inside secret.rar (may involve rar-cracking)
My team could only capture 2 flags before time ran out :(

1. Hack The Wifi

We had been assigned to take on a wifi AP named "HackFight3". It was configured with WEP encryption, with no client on it.

It should have been an easy job, done in minutes, but there were a few problems. One of them was that all three of us tried to crack the same wifi at the same time. The packets were running wild, and we could not tell which capture was the right one to work on. A small disaster.

2. Compromise The Server

After getting into the wireless LAN, there was no DHCP server inside. The organizer told us to use static IP addresses in the range 10.10.10.100 - 10.10.10.199 for this network. So, we did as we were told.

After ping scanning the whole class C, we found a server at 10.10.10.200, and a default port scan showed port 80 open. It was a web server with WordPress on it.

At first glance, it was a WordPress website with many video posts. The videos could be played (even though we were in an internal network), so there must have been a player and the video files on this server.

Running wpscan revealed that this WordPress site was using the twentyone theme and the webplayer plugin. This was confirmed when I captured the HTTP requests while browsing the pages.

Then, searching through exploit-db (I had a local copy), we found that the "webplayer" plugin has a flaw that allows SQL injection through a parameter in a URL like this:

http://site.com/wp-content/plugins/hd-webplayer/config.php?id=[INJECT HERE]
It worked. We then quickly dumped the admin's hash from the wp_users table, and then tried to crack the hash.

It should not have taken long to crack the WordPress hash without a salt using online services, but at the beginning our internet connection was very poor (unusable). We switched to CPU+GPU cracking. We tried several wordlist sets but none of them seemed to work. We lost a considerable amount of time. Then P'Tum lent us his 3G internet, so we could crack that hash online. The admin's password was:
H@ckFigHT4dic 
When we tried to use this password, another problem arose. 

The login page ( /wp-admin ) was protected by HTTP authentication, and it used a different password.

We turned back to the SQL injection bug to find the password for this HTTP authentication. This server also allowed reading files via SQL, so we used it to read the file C:/Documents and Settings/tester/Desktop/UsbWebserver-CWH/Root/.htaccess.

It stored the password for HTTP authentication at C:/Documents and Settings/tester/Desktop/password.txt. We read that file too, and found a hash like this:
$apr1$XXXXXXXX$XXXXXXXXXXXXXXXXXXXXXX
(Since we didn't break this one, I want to censor the hash for safety)

It is an APR1-MD5 hash, the kind used for .htaccess authentication.

We went back to hash cracking again, this time with a salted hash. And again, it took a lot of time; we tried several sets of wordlists (~1GB in total) and still it didn't crack.

After a while, Xelenonz found a way to bypass this HTTP authentication on this server. He used Netcat to connect to the server and tried "GETS /wp-admin HTTP/1.0" instead of "GET /wp-admin HTTP/1.0". And it worked, even though it was painful to read the page's HTML in the console.

A few minutes later, the organizer decided to reveal an easier way to do that: use Burp Suite to replace every GET method with another word (such as LOL). Our team was in disarray again, because I was using BackBox Linux, which does not have Burp installed, and the alternative tool installed is OWASP ZAP Proxy, which I am not familiar with. (I had experience with Burp Suite and OWASP WebScarab before, which are very alike in their user interface, but ZAP is totally different.) My team mates had problems using this filter in Burp Suite as well.
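From the defender's side, the verb-tampering bypass above leaves a clear trace: a non-standard HTTP method hitting a protected path and getting a 2xx instead of a 401. The following is an added example (not part of the original write-up) that flags such lines in an Apache combined-format access log; the log lines and the IPs in them are constructed for the example, and the `/wp-admin` prefix is assumed to be the protected area.

```python
import re
from typing import List, Tuple

# Apache "combined" access-log line, e.g.
# 10.10.10.105 - - [27/Feb/2013:14:03:11 +0700] "GETS /wp-admin/ HTTP/1.0" 200 4312 "-" "-"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Methods a normal browser or WordPress client is expected to send.
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}

def find_verb_tampering(lines: List[str],
                        protected_prefixes: Tuple[str, ...] = ("/wp-admin",)
                        ) -> List[Tuple[str, str, str, int]]:
    """Return (ip, method, path, status) for every request that used a
    non-standard method against a protected path AND was served (2xx).
    A 401/403/405 on such a request means the server rejected it; only
    a 2xx indicates the authentication was actually bypassed."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines that are not in this format
        method, path = m.group("method"), m.group("path")
        status = int(m.group("status"))
        if method.upper() in STANDARD_METHODS:
            continue
        if not path.startswith(protected_prefixes):
            continue
        if status // 100 == 2:
            hits.append((m.group("ip"), method, path, status))
    return hits

# Constructed sample log (not from the competition server).
SAMPLE_LOG = [
    '10.10.10.105 - - [27/Feb/2013:14:03:01 +0700] "GET /wp-admin/ HTTP/1.0" 401 512 "-" "-"',
    '10.10.10.105 - - [27/Feb/2013:14:03:11 +0700] "GETS /wp-admin/ HTTP/1.0" 200 4312 "-" "-"',
    '10.10.10.107 - - [27/Feb/2013:14:05:40 +0700] "LOL /wp-admin/plugin-install.php HTTP/1.1" 200 9870 "-" "Mozilla/5.0"',
    '10.10.10.107 - - [27/Feb/2013:14:05:41 +0700] "GET /index.php HTTP/1.1" 200 20010 "-" "Mozilla/5.0"',
    '10.10.10.108 - - [27/Feb/2013:14:06:02 +0700] "FOO /wp-content/uploads/a.png HTTP/1.1" 200 1200 "-" "-"',
    '10.10.10.108 - - [27/Feb/2013:14:06:03 +0700] "GETS /wp-admin/ HTTP/1.0" 405 300 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_verb_tampering(SAMPLE_LOG):
        print("possible auth bypass:", hit)
```

A common root cause of this class of bypass is wrapping the auth directives in a `<Limit GET POST>` block, which leaves every other method unauthenticated; applying the directives unconditionally (or with `<LimitExcept>`) closes it.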

Anyway, my team mates did this, and were able to gain access to the WordPress admin page and upload a PHP shell as a plugin. Then we could use the shell at a location like:
http://10.10.10.200/wp-content/uploads/2013/02/shell.php
At this point, we captured the 2nd flag, but we only had 20 minutes left to do the other two.

We spent the remaining minutes trying to upload a meterpreter shell (3 times for 3 machines), trying to route to the internal network through the sessions, and doing a ping scan on the network. It turned out that ICMP was blocked to defeat ping scans, so we thought that we could not route through.

3. Retrieve key.txt And secret.rar From An Internal Server

We did not pass this step, so the following is the solution given by the organizer.

After getting a shell on the web server, a simple "ipconfig" command reveals that the server has 2 network interfaces: 10.10.10.0/24 and 192.168.72.0/24

The server containing the files "key.txt" and "secret.rar" was located inside the network 192.168.72.0, so we needed to gain access to that network using this web server as a pivot point. (The web server's IP addresses are 10.10.10.200 and 192.168.72.131.)

First, upload a meterpreter packed as an .EXE onto the server using the PHP shell from the previous flag. Then run the meterpreter file on the server to get a session back to Metasploit.

In Metasploit, after getting the session, put the session into the background first, then create a route through that session ID (in this case, session ID = 1) using this command:
msf> route 192.168.72.0 255.255.255.0 1
Use the command "route print" to confirm the route through the open session #1:
Subnet          Netmask          Gateway
------          -------          -------
192.168.72.0    255.255.255.0    Session 1
At this point, use Metasploit's auxiliary module "arp_scanner" (post/windows/gather/arp_scanner) with the options
RHOST=192.168.72.0/24
SESSIONS=1
to scan the internal network.

The internal hosts will be displayed as follows:
192.168.72.1
192.168.72.2
192.168.72.128
192.168.72.131
192.168.72.254
The reason to use an ARP scan is that the organizer set up a firewall to block ICMP in the internal network. ARP works below the firewall's filtering, so it is a sure way to do the scan.

Then you can also use auxiliary/scanner/portscan to scan the ports of these hosts to find a way to break in.

It turned out that port 445 was open on the server 192.168.72.128; the other hosts were decoys.

Port 445 is the port that Windows uses for file sharing, dubbed the "SMB protocol" in Linux. We need to use the smbclient tool to get access to it. But there are two problems:
  1. smbclient is an external tool, outside Metasploit. It will not see the routing.
  2. what is the credential to use when connecting to the server?
The first problem can be solved by using the meterpreter command portfwd. To use it:
msf> sessions -i 1
meterpreter> portfwd add -l 9999 -r 192.168.72.128 -p 445
This creates a tunnel from port 9999 on our machine <-----> 192.168.72.128:445

Then we can list all shares using smbclient as:
$ smbclient -p 9999 -L 127.0.0.1
It has a /share to access, but it needs credentials.

Now the 2nd problem: how to get credentials to access the remote SMB share.

There is a tool named Windows Credentials Editor (WCE) that can collect the credentials on a Windows machine. And since we have one, the web server, we can upload this tool using the PHP shell and run it to get the result.

Or we can use one of Metasploit's post-exploitation modules (post/windows/gather/credentials/credential_collector, or post/windows/gather/cachedump) to collect the credentials.

The result from this would be something like (I cannot recall it exactly):
tester\T8 : 5plus4==10!@#$%^&*()
NETWORK SERVICE\WORKGROUP : 5plus4==10!@#$%^&*()
So, we can use smbclient to connect to the remote share with the username "tester" and password "5plus4==10!@#%^&*()":
smbclient -p 9999 //127.0.0.1/C$/ -U tester
After connecting, the available commands are very similar to FTP: dir, get, mget, cd, lcd, rm, del

There will be 2 files inside the "\Users\Administrator\Desktop\Shared" folder: key.txt and secret.rar

Download those files using the "get" command and this flag is done.

4. Unpack The Rar

As told earlier, the rar file contains the final answer, and it has to be unpacked with the password from key.txt

Unfortunately, key.txt is no ordinary file. (obviously?)

This file contains some kind of base64 encoding of something.

After base64 decoding, out comes a hex string that looks like it came from a hex dump, something like:
ab a1 78 a6 d8 9f  ...  
        (this is not the real one from the challenge, just to give you the picture)

Converting this string back to its binary value, it is still incomprehensible. Then it might be a binary file.

Save that as a file, then use a hex editor to look at its file header (the first few bytes).

It appears that the file header of this binary is "Rar" (this exact word was shown), so we now know that this binary is a rar archive. Then save it as .rar and unpack it.

After unpacking this rar file (from key.txt), there is only one file inside, called "key.pdf".

Again, this file is not normal either, because it will not be displayed if you double-click it.

And yet again, we need to read the header of this file, and this time it is "PNG" in the file's header.

Then rename the file from "key.pdf" to "key.png" and open it with any image viewer. The password key is displayed in the image. The password is:
CDICCONFERENCE
To confirm it, use that password to unpack the secret.rar file. It has only one image file, which when opened with an image viewer displays
"the final flag captured"
And that is the end of the challenge.
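The whole key.txt chain above (base64, then a hex-dump string, then a binary whose real type is given by its magic bytes, nested once more as a PNG mislabelled .pdf) can be automated instead of eyeballed in a hex editor. The following is an added example, not code from the original write-up; the sample key.txt it decodes is constructed here, and it assumes the hex dump is whitespace-separated hex pairs with no offset column.

```python
import base64
import binascii

# Magic bytes of the two container formats that appeared in the challenge.
# A hex editor shows the leading text "Rar!" / "PNG", which is what the
# write-up spotted by hand.
MAGICS = {
    "rar": b"Rar!\x1a\x07",        # RAR 1.5 - 4.x archive signature
    "png": b"\x89PNG\r\n\x1a\n",
}

def decode_key_txt(text: str) -> bytes:
    """key.txt held base64; decoding it gave a hex-dump-style string
    ("ab a1 78 a6 ..."), which in turn encodes the real bytes."""
    hexdump = base64.b64decode(text).decode("ascii")
    cleaned = "".join(hexdump.split())   # drop spaces/newlines between hex pairs
    return binascii.unhexlify(cleaned)

def identify(data: bytes) -> str:
    """Classify a blob by its magic bytes, ignoring whatever extension it carries."""
    for name, magic in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"

def suggested_name(filename: str, data: bytes) -> str:
    """Rename by content, e.g. a key.pdf that is really a PNG -> key.png."""
    kind = identify(data)
    if kind == "unknown":
        return filename
    stem = filename.rsplit(".", 1)[0]
    return f"{stem}.{kind}"

# Constructed sample, NOT the challenge's real key.txt: a RAR signature followed
# by filler bytes, written as a spaced hex dump and then base64-encoded.
_SAMPLE_BYTES = MAGICS["rar"] + b"\x00" + bytes(range(16))
_SAMPLE_HEXDUMP = " ".join(f"{b:02x}" for b in _SAMPLE_BYTES)
SAMPLE_KEY_TXT = base64.b64encode(_SAMPLE_HEXDUMP.encode("ascii")).decode("ascii")

if __name__ == "__main__":
    blob = decode_key_txt(SAMPLE_KEY_TXT)
    print(identify(blob), suggested_name("key.txt", blob))
```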


Thank you for reading.

----------------------------------------------------------------------------------
Update on March 2, 2013: update contents on Challenge #3 to be more accurate.
