So just recently, I participated in the 2018 Metasploit CTF. I got some flags,
created some shells with my team, and had some fun. Some challenges were difficult and others were really straightforward. We ended up getting about 5 flags (I know, not a whole lot, but this was my first time participating in a CTF like this) and I feel very proud of myself and my team for how much we did. I will definitely be doing this CTF next year as it’s a very good one, and I learned a lot from it. The methods used to acquire the flags below were worked out in collaboration with the team (B0rn2r00t, jetson23, Nukez, T, and fir, thank you guys) and are not solely my work. All credit goes to everyone involved in the CTF team.
The CTF was organized in a very interesting way. There were three boxes in total: two were targets (one Windows and one Linux), and to attack these targets you had to go through a Kali Linux box that was provided to you at a given IP. Once connected to this box, we could attack the targets from the terminal we were given. (Although I did not realize this until after the competition, you could configure proxychains on the Kali box to use tools outside of it instead of being limited to the provided CLI and tools.)
The three of clubs was a very simple challenge. This one could be found simply by reading the entire rules on the CTF site. Once you do, you will find a line that looks like this:
Looking at this, it tells us to go to a website on the Linux machine hosted on port 31063. We can access it through the terminal browser links.
Once the page loads, we are immediately asked to describe the reward we are seeking in one word, in a text field below. The rules mention a splendiferous reward that is to be found on this server. If we take a look at the source, the page takes what we input into the field, appends .png to it and treats the result as a URL.
Therefore, we can just use a simple wget request to get our flag:
And the three of clubs is now ours!
From here, we decided to run a port scan on the Ubuntu machine. We tried the Windows machine too, but we were unable to get any flags from it, so there won’t be any information about it here. The following was the output of the scan:
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-01 08:16 UTC
Reading this, we can see that there is an HTTP service running on port 8080; after further analysis, it appears to be an Apache Struts instance.
8080/tcp open http-proxy
Through further analysis, we figured out that the Struts instance is running version 2.3.x and thankfully there is an exploit available in Metasploit. The module’s name is exploit/multi/http/struts2_code_exec_showcase. We proceeded to exploit it using the payload cmd/unix/reverse_bash.
The options we used are below:
Module options (exploit/multi/http/struts2_code_exec_showcase):
We got a shell with this, but now we had to hunt down the flag. Luckily, we were able to find it in the directory /usr/local/tomcat/tmp. Looking in there, we found the 10 of hearts.
This flag was a difficult one, as it involved a lot of different steps to get the flag. When we did our Nmap scan we noticed port 25 was open and running an SMTP server. We decided to see if we could find an open relay on the server, and sure enough, there was.
msf5 auxiliary(scanner/smtp/smtp_relay) > exploit
Using another module, we also found out that the SMTP server was Sendmail 5.51/5.17. Just like with the 10 of hearts, there is an exploit for this specific version. We then searched for anything related to sendmail and got these results.
One big detail helped us determine which exploit to use. The timestamp in the earlier relay scan says the server was ready on December 1, 1986, and when we look at the disclosure dates next to the modules, we see the Morris worm module disclosed on 1988-11-02. We decided to go with this module along with the cmd/unix/reverse payload. Thankfully we were successful.
msf5 exploit(unix/smtp/morris_sendmail_debug) > exploit
We don’t seem to be root on the system, so let’s see if we can get some password hashes. Using cat /etc/passwd we manage to get some password hashes, and we are done with our shell. We put the hashes into hash-identifier and it tells us they use the DES-based crypt algorithm. Using hashcat with the rockyou wordlist, we were able to crack the hashes:
ec2-user@kali:~/ubuntu$ hashcat -m 1500 hashes --wordlist /usr/share/wordlists/rockyou.txt --force
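The box above handed out crypt(3) hashes straight from /etc/passwd, and hash-identifier recognised them as DES by their shape. The script below is an added example (not part of the write-up) that does the same identification and audits a passwd file for the exact weaknesses the team exploited: hashes readable by every user, the DES scheme, and empty password fields. The records are constructed; only hunter’s hash is the one quoted in the write-up.

```python
import re

# Traditional DES crypt(3): 2-char salt + 11 chars, alphabet [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular-crypt-format ids ($id$salt$hash) mapped to scheme names.
MCF_SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
               "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

# Constructed passwd records: hunter's hash is the one from the write-up, the rest
# are made up to exercise the other branches.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
hunter:IE4EHKRqf6Wvo:1002:1002::/usr/hunter:/bin/sh
legacy:$1$abcdefgh$0123456789abcdefghijkl:1003:1003::/home/legacy:/bin/sh
games::5:60::/usr/games:/bin/sh
daemon:*:1:1::/:/usr/sbin/nologin
"""

def classify_hash(field):
    """Name the scheme a passwd/shadow password field uses, from its shape alone."""
    if field == "x":
        return "shadowed"  # the real hash is in /etc/shadow, as it should be
    if field == "":
        return "empty-password"
    if field[0] in "*!":
        return "locked"
    if field.startswith("$"):
        parts = field.split("$")  # ['', id, salt, hash]
        return MCF_SCHEMES.get(parts[1], "unknown-mcf") if len(parts) >= 4 else "unknown-mcf"
    return "descrypt" if DES_CRYPT_RE.match(field) else "unknown"

def audit_passwd(text):
    """Return (user, scheme, finding) for every record a defender should act on."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) != 7:
            continue  # blanks, comments and malformed records
        user, scheme = fields[0], classify_hash(fields[1])
        if scheme in ("shadowed", "locked"):
            continue  # nothing usable is exposed
        if scheme == "empty-password":
            findings.append((user, scheme, "account logs in without a password"))
        elif scheme == "descrypt":
            findings.append((user, scheme, "hash readable by every user; DES crypt has a "
                             "12-bit salt and an 8-char limit (hashcat -m 1500)"))
        else:
            findings.append((user, scheme, "hash readable by every user; move it to /etc/shadow"))
    return findings
```

Run `audit_passwd` over a real /etc/passwd to list every account whose hash an unprivileged shell could cat out, which is exactly the position the team found itself in.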
We can now log in with these credentials, but we are not able to access a certain folder, namely /etc/guest/hunter. When we ran his hash through hashcat, it wasn’t successful with the rockyou wordlist, so we had to do a brute-force attack:
hashcat -m 1500 IE4EHKRqf6Wvo -a 3 ?1?1?1?1?1?1?1 -i --increment-min=6 --force
Thankfully, it was successful and we find the password to be msfhack. Using this we switch to hunter to access his folder. There we find the movemail program, which happens to be setuid root, allowing us to copy any file on the system. Using this we copied over the 2 of Diamonds:
movemail /usr/games/lib/2_of_diamonds.dat /usr/guest/2_of_diamonds.dat
Unfortunately, it’s encrypted and unreadable, but while poking around we found an adventure file. Of course, we copied it over too:
movemail /usr/games/adventure /usr/hunter/adventure
We made the adventure file executable and ran it. I will spare the details since it takes a while, but once you complete it, you get a password to decrypt the 2 of Diamonds.
To get the 5 of Spades, you simply needed to poke around in Metasploit a bit. Once we did, we found a very interesting module called exploit/multi/ctf/flag. Running it outputs this:
5_of_spades is at http://host-ip:9021/0.png
All we have to do is initiate a wget request, and the flag is ours.
To find the 8 of diamonds, we must look at the service running on port 8181. Upon further investigation, it is an HTTP server. Using wget, we can download the webpage and analyze it locally on the console (note that wget needs the capital -O to save the page itself; lowercase -o only writes the log):
wget http://172.16.28.37:8181/ -O page.html
Inspecting the HTML, there is some JavaScript code in the file, which on closer analysis is obfuscated with IlluminateJS. We can paste the obfuscated code into https://illuminatejs.com/ to deobfuscate it.
Once we do, it outputs some base64-encoded data. All we have to do is copy this into a text file and decode it (base64 has no output-file argument, so redirect its output):
base64 -d flag.txt > flag
Once we do, the output is a PNG file which just so happens to be our flag!
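The last step above only worked out because the decoded bytes happened to be a PNG. As an added example (not from the write-up), the code below does that decode step defensively: it normalises base64 as pasted from a page (whitespace, URL-safe alphabet, missing padding), identifies the result by its magic bytes, and for a PNG verifies the IHDR chunk CRC before reporting its dimensions. The sample blob is constructed in the block and stands in for the deobfuscator’s output.

```python
import base64
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Leading magic bytes of the file types worth telling apart here.
MAGIC = {PNG_SIG: "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif",
         b"%PDF": "pdf", b"\x7fELF": "elf"}

def decode_blob(text):
    """Decode base64 copied out of a web page: drop whitespace, accept the URL-safe
    alphabet and restore missing '=' padding. Raises binascii.Error on bad input."""
    cleaned = "".join(text.split()).replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned, validate=True)

def sniff(data):
    """Return the file type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def png_dimensions(data):
    """Parse the PNG IHDR chunk and check its CRC; return (width, height) or None."""
    if sniff(data) != "png" or len(data) < 33:
        return None
    length, ctype = struct.unpack(">I4s", data[8:16])
    if length != 13 or ctype != b"IHDR":
        return None
    body, crc = data[16:29], struct.unpack(">I", data[29:33])[0]
    if zlib.crc32(ctype + body) != crc:
        return None  # header corrupted or tampered with: do not trust it
    return struct.unpack(">II", body[:8])

def _chunk(ctype, body):
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def sample_blob():
    """Constructed stand-in for the deobfuscated output: a 1x1 RGB PNG, base64 encoded,
    line-wrapped and stripped of its padding the way a paste often arrives."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, colour type 2
    raw = b"\x00\xff\x00\x00"  # one scanline: filter byte + one red pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")
    b64 = base64.b64encode(png).decode().rstrip("=")
    return "\n".join(b64[i:i + 40] for i in range(0, len(b64), 40))
```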
Again, this CTF was very interesting and educational for both me and my team. I would like to thank my teammates and Rapid7 for this CTF. Without them, I could not have done most of the things in this CTF. I hope and expect to do this again next year.