Write-up – Stack
This year we were once again at Stack for the team CTF event. The competition brought together 35 teams, and we finished in 8th place with 15850 points in total:
One of the challenges worth 4200 points, which according to the organizers had a low success rate, was the "See you on the other side" system challenge:
This challenge consisted solely of analyzing a network capture:
Upon opening it, we notice that the capture contains only Wi-Fi traffic (802.11 frames):
An analysis of all the frames indicates that they are encrypted using the WEP protocol:
The tool "Aircrack-ng" allows us to perform a brute-force attack on this capture and thus easily recover the WEP encryption key in use:
This key can then be used to decrypt all traffic:
Traffic analysis reveals that a file "leo.tar.bz2" was sent over FTP to an external server with IP address 52.49.251.67:
Once extracted, this archive contains a number of files:
In addition to images of our favorite Pokémon, 3 files are present in the ".ssh" folder:
So we have a private key, but not the IP address to connect to. A quick look at the "known_hosts" file reveals that the host entry is... hashed using the SHA1 algorithm:
We therefore need to brute-force the target server's IP address against that hashed entry.
But which IP range should be used? Running "whois" on the IP address "52.49.162.186" gives us several pieces of information, including the IP range "52.48.0.0/14":
The following Python script (https://github.com/Churro/bruteforce-known-hosts) brute-forces the identified IP range to locate the target server:
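As an added example (not the script linked above nor code from the original post), the following Python code shows the mechanism that script relies on: with HashKnownHosts, OpenSSH stores each host as `|1|salt|HMAC-SHA1(salt, host)`, so anyone holding the file can test candidate addresses against it and a small candidate space such as a single /14 is exhausted in seconds. The known_hosts line, its salt and the 192.0.2.0/24 range are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import ipaddress
import os

# Format of a hashed known_hosts entry (OpenSSH HashKnownHosts):
#   |1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)> <keytype> <key>


def hash_known_host(hostname: str, salt: bytes) -> str:
    """Build the hashed host field the way ssh-keygen -H does (20-byte salt)."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def parse_hashed_field(field: str):
    """Return (salt, digest) from a '|1|salt|hash' field, or None if the field is not hashed."""
    parts = field.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return None
    return base64.b64decode(parts[2]), base64.b64decode(parts[3])


def find_host(entry_line: str, network: str):
    """Return which address in `network` a hashed known_hosts line refers to, or None."""
    parsed = parse_hashed_field(entry_line.split()[0])
    if parsed is None:
        return None
    salt, digest = parsed
    # The hash only hides the host from a reader without a guess; every candidate
    # in the range is one HMAC-SHA1 away, which is why a /14 is no real obstacle.
    for ip in ipaddress.ip_network(network):
        candidate = hmac.new(salt, str(ip).encode(), hashlib.sha1).digest()
        if hmac.compare_digest(candidate, digest):
            return str(ip)
    return None


# Constructed sample: an entry for 192.0.2.77 (TEST-NET-1) hashed with a random salt.
SAMPLE_SALT = os.urandom(20)
SAMPLE_LINE = hash_known_host("192.0.2.77", SAMPLE_SALT) + " ssh-ed25519 PLACEHOLDERKEY"

if __name__ == "__main__":
    print(find_host(SAMPLE_LINE, "192.0.2.0/24"))  # 192.0.2.77
```

Hosts recorded with a non-default port are hashed as `[host]:port`, so a scanner has to include that form among its candidates.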
Bingo!!!
All that remains is to connect to the server and retrieve the flag. We try several account names and find the right one (leo):
Once connected, the "teleporter_code" file seems interesting to us:
Of course, access permissions on it are restricted:
Privilege escalation is therefore necessary. A quick search for files owned by the user "tp" with the SUID bit set reveals an interesting binary:
One of this binary's features lets us execute system commands:
And thus retrieve the flag for this challenge: