CTF 2016: Write Up by Thomas Sluyter

Michael Tong Sang april 1, 2016

CTF036 security event in Almere

2016-04-01 19:01:00

A few weeks ago Almere-local consulting firm Ultimum posted on LinkedIn about their upcoming capture the flag event CTF036. Having had my first taste of CTF at last fall’s PvIB event, I was eager to jump in again!

The morning’s three lectures were awesome!

  • Neelen & van Duijn’s talk on boobytrapping your network was fun to theorycraft new ideas, while it also gave me a blast of nostalgia: their three ideas of making attrictive fake hosts, fake admin-users and fake files all reminded me of Clifford Stoll’s “The Cuckoo’s Egg where the exact same ideas were applied to catch a CCC-hacker in the early eighties.
  • Tong Sang’s talk on bruteforcing RFID badges might not have resulted in a practical attack vector, but it still gave a nice look into the workings of RFID access systems.
  • Schuijlenburg gave an interesting look into “mobile forensics” as performed by the dutch, military police. Good stuff!

The afternoon’s CTF provided the following case (summarized): “De Kiespijn Praktijk is a healthcare provider whom you are hired to attack. Your goal is to grab as many of their medical record identifiers as you can. Based on an email that you intercepted you know that they have 5 externally hosted servers, 2 of which are accessible through the Internet. They also have wifi at their offices, with Windows PCs.” The maximum score would be achieved by grabbing 24 records, for 240 points.

I didn’t have any illusions of scoring any points at all, because I still don’t have any PenTesting experience. For starters, I decided to start reconnaissance through two paths: the Internet and the wifi.

As you can see from my notes it was easy to find the DKP-WIFI-D (as I was on the D-block) MAC address, for use with Reaver to crack the wifi password. Unfortunately my burner laptop lacks both the processing power and a properly sniffing wlan adapter, so I couldn’t get in that way.

I was luckier going at their servers:

  • Their website was found at www.dekiespijnpraktijk.nl, at 172.20.16.15. It runs on Drupal, which included a forum (which in turn allowed HTML comments).
  • Digging the DNS server for dekiespijnpraktijk.nl found aliases like ns1 and mta for that IP. An nmap scan showed ssh, dns, http, squid and webmin.
  • A ping sweep across that IP range also found 172.20.16.25 which apparently didn’t have DNS records, but turned out to be running their IMAP and POP, as well as Squirrelmail webmail.
  • The second server ran ssh, ftp, www, imap and pop.
  • From their forums I ascertained that there were at least four verified user accounts: Sanne (an employee) and patients Remon, Barry and Marijke. I couldn’t register a new account.
  • Firing up Metasploit allowed me to use an exploit on the .25 hosts’s ProFTPd, to immediately get root access. BAM! GREAT!
  • On the .25 host I found:
  1. Sanne’s home directory, which actually contained a text file with “important patients”. BAM! Three medical records!!
  2. The /etc/shadow file had an easily crackable password for user Henk. Unfortunately that username+password did not let me access the .15 server through SSH or Webmin.
  3. Sanne has a mailbox! In /home/vmail I found her mailbox and it was receiving email! I used the Drupal site’s password recovery to access her Drupal account.

I didn’t find anything using Sanne’s account on the Drupal site. But boy was I wrong! 16:00 had come and gone, when my neighbor informed me that I simply should have added q=admin to Sanne’s session’s URL. Her admin section would have given me access to six more patient records! Six!

Today was a well-spent day! My first time using Metasploit! My first time trying WPA2 hacking! Putting together a great puzzle to get more and more access 🙂 Thanks Ultimum! I’m very much looking forward to next year’s CTF!

Source: Thomas’ personal website: https://www.kilala.nl/index.php?id=2352