{"id":1998,"date":"2016-04-13T13:33:52","date_gmt":"2016-04-13T11:33:52","guid":{"rendered":"http:\/\/securite.intrinsec.com\/?p=1998"},"modified":"2016-04-13T13:33:52","modified_gmt":"2016-04-13T11:33:52","slug":"write-up-sthack","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/write-up-sthack\/","title":{"rendered":"Write-up \u2013 Stack"},"content":{"rendered":"

We were present at the Stack <\/a>This year again for the CTF team event. The challenge brought together 35 teams, and we finished in 8th place.th<\/sup> position with 15850 points in total:<\/p>\n

\"1\"<\/a><\/p>\n

One of the challenges worth 4200 points, which according to the organizers had a low success rate, was the "See you on the other side" system challenge:<\/p>\n

\"2\"<\/a><\/p>\n

This challenge consisted solely of analyzing a network capture:<\/p>\n

\"3\"<\/a><\/p>\n

Upon opening it, we notice that this capture only contains Wifi traffic corresponding to the 802.11 standard:<\/p>\n

\"4\"<\/a><\/p>\n

An analysis of all the frames indicates that they are encrypted using the WEP protocol:<\/p>\n

\"5\"<\/a><\/p>\n

The use of the tool "\u00ab\u00a0Aircrack-ng<\/strong>\u00a0\u00bbThis allows us to perform a brute-force attack on this capture and thus easily recover the WEP encryption key used:<\/p>\n

\"6\"<\/a><\/p>\n

This key can then be used to decrypt all traffic:<\/p>\n

\"7\"<\/a><\/p>\n

Traffic analysis reveals the sending of a file "leo.tar.bz2" via the FTP protocol to an external server with IP address 52.49.251.67:<\/p>\n

\"8\"<\/a><\/p>\n

Once extracted, this archive contains a number of files:<\/p>\n

\"9\"<\/a><\/p>\n

In addition to images of our favorite Pok\u00e9mon, 3 files are present in the ".ssh" folder:<\/p>\n

\"10\"<\/a><\/p>\n

So we have a private key, but not the IP address to connect to. A quick look at the "know_hosts" file reveals that it is... hashed using the SHA1 algorithm:<\/p>\n

\"11\"<\/a><\/p>\n

We therefore need to perform a "brute force" type attack on the target server's IP address.<\/p>\n

But which IP range should be used? The tool "\u00ab\u00a0whois<\/strong>\u00a0\u00bb"on the IP address "52.49.162.186" gives us several pieces of information, including the IP range "52.48.0.0\/14":<\/p>\n

\"12\"<\/a><\/p>\n

The following Python script (https:\/\/github.com\/Churro\/bruteforce-known-hosts<\/a>) allows brute-forcing the identified IP range to search for the target server:<\/p>\n

\"13\"<\/a><\/p>\n

Bingo!!!<\/p>\n

\"14\"<\/a><\/p>\n

All that remains is to connect to the server and retrieve the flag. We therefore try several accounts and thus find the correct user account (leo):<\/p>\n

\"15\"<\/a><\/p>\n

Once connected, the "teleporter_code" file seems interesting to us:<\/p>\n

\"16\"<\/a><\/p>\n

Of course, access permissions on it are restricted:<\/p>\n

\"17\"<\/a><\/p>\n

Privilege elevation is therefore necessary. A quick search for files belonging to the user "tp" and having the suid bit set reveals an interesting binary:<\/p>\n

\"18\"<\/a><\/p>\n

Using one of the tool's features, we can execute system commands:<\/p>\n

\"19\"<\/a><\/p>\n

And thus retrieve the flag for this challenge:<\/p>\n

\"20\"<\/a><\/p>","protected":false},"excerpt":{"rendered":"

We were at the Sthack again this year for the CTF team competition. The [\u2026]<\/p>","protected":false},"author":22,"featured_media":2022,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19,22],"tags":[],"class_list":["post-1998","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-soc-securite-operationnelle","category-veille-securite"],"yoast_head":"\nWrite-up \u2013 Sthack - INTRINSEC<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intrinsec.com\/en\/write-up-sthack\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Write-up \u2013 Sthack\" \/>\n<meta property=\"og:description\" content=\"Nous \u00e9tions pr\u00e9sents \u00e0 la Sthack cette ann\u00e9e encore pour le CTF en \u00e9quipe. Le […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intrinsec.com\/en\/write-up-sthack\/\" \/>\n<meta property=\"og:site_name\" content=\"INTRINSEC\" \/>\n<meta property=\"article:published_time\" content=\"2016-04-13T11:33:52+00:00\" \/>\n<meta name=\"author\" content=\"Walid ARNOULT\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Walid ARNOULT\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-sthack\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-sthack\\\/\"},\"author\":{\"name\":\"Walid ARNOULT\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/9dd16d3e1ff8da71d0dc1b9573880ef0\"},\"headline\":\"Write-up \u2013 Sthack\",\"datePublished\":\"2016-04-13T11:33:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-sthack\\\/\"},\"wordCount\":429,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-sthack\\\/#primaryimage\"},\"thumbnailUrl\":\"\",\"articleSection\":[\"SOC S\u00e9curit\u00e9 Op\u00e9rationnelle\",\"Veille S\u00e9curit\u00e9\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/write-up-sthack\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-sthack\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-sthack\\\/\",\"name\":\"Write-up \u2013 Sthack - INTRINSEC\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-sthack\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-sthack\\\/#primaryimage\"},\"thumbnailUrl\":\"\",\"datePublished\":\"2016-04-13T11:33:52+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/9dd16d3e1ff8da71d0dc1b9573880ef0\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-sthack\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/write-up-sthack\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-sthack\\\/#primaryimage\",\"url\":\"\",\"contentUrl\":\"\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-sthack\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.intrinsec.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Write-up \u2013 Sthack\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"name\":\"INTRINSEC\",\"description\":\"Notre m\u00e9tier , Prot\u00e9ger le v\u00f4tre\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.intrinsec.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/9dd16d3e1ff8da71d0dc1b9573880ef0\",\"name\":\"Walid ARNOULT\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/?s=96&d=retro&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/?s=96&d=retro&r=g\",\"caption\":\"Walid ARNOULT\"},\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/author\\\/walid-arnoult\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Write-up \u2013 Sthack - INTRINSEC","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intrinsec.com\/en\/write-up-sthack\/","og_locale":"en_US","og_type":"article","og_title":"Write-up \u2013 Sthack","og_description":"Nous \u00e9tions pr\u00e9sents \u00e0 la Sthack cette ann\u00e9e encore pour le CTF en \u00e9quipe. Le […]","og_url":"https:\/\/www.intrinsec.com\/en\/write-up-sthack\/","og_site_name":"INTRINSEC","article_published_time":"2016-04-13T11:33:52+00:00","author":"Walid ARNOULT","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Walid ARNOULT","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.intrinsec.com\/write-up-sthack\/#article","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/write-up-sthack\/"},"author":{"name":"Walid ARNOULT","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/9dd16d3e1ff8da71d0dc1b9573880ef0"},"headline":"Write-up \u2013 Sthack","datePublished":"2016-04-13T11:33:52+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intrinsec.com\/write-up-sthack\/"},"wordCount":429,"commentCount":0,"image":{"@id":"https:\/\/www.intrinsec.com\/write-up-sthack\/#primaryimage"},"thumbnailUrl":"","articleSection":["SOC S\u00e9curit\u00e9 Op\u00e9rationnelle","Veille S\u00e9curit\u00e9"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.intrinsec.com\/write-up-sthack\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.intrinsec.com\/write-up-sthack\/","url":"https:\/\/www.intrinsec.com\/write-up-sthack\/","name":"Write-up \u2013 Sthack - INTRINSEC","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intrinsec.com\/write-up-sthack\/#primaryimage"},"image":{"@id":"https:\/\/www.intrinsec.com\/write-up-sthack\/#primaryimage"},"thumbnailUrl":"","datePublished":"2016-04-13T11:33:52+00:00","author":{"@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/9dd16d3e1ff8da71d0dc1b9573880ef0"},"breadcrumb":{"@id":"https:\/\/www.intrinsec.com\/write-up-sthack\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intrinsec.com\/write-up-sthack\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/write-up-sthack\/#primaryimage","url":"","contentUrl":""},{"@type":"BreadcrumbList","@id":"https:\/\/www.intrinsec.com\/write-up-sthack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.intrinsec.com\/"},{"@type":"ListItem","position":2,"name":"Write-up \u2013 Sthack"}]},{"@type":"WebSite","@id":"https:\/\/www.intrinsec.com\/#website","url":"https:\/\/www.intrinsec.com\/","name":"INTRINSEC","description":"Our job is to protect yours.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intrinsec.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/9dd16d3e1ff8da71d0dc1b9573880ef0","name":"Walid ARNOULT","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=retro&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=retro&r=g","caption":"Walid ARNOULT"},"url":"https:\/\/www.intrinsec.com\/en\/author\/walid-arnoult\/"}]}},"_links":{"self":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/1998","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/users\/22"}],"replies":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/comments?post=1998"}],"version-history":[{"count":0,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/1998\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media?parent=1998"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/categories?post=1998"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/tags?post=1998"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}