Louisville Metro InfoSec CTF
Last week I went to Louisville for the annual Louisville Metro Information Security Conference. As part of this conference, Irongeek (Adrian Crenshaw) hosted a CTF event. You can read more about the event at his site, but I’ll recap my experience a bit for you here.
The general concept behind the scenario was that you were brought in to do a pentest on a network. On this network there is a file with personally identifiable information (PII: names + SSNs) that was encrypted. The file in question was zipped and password protected with 7zip, then saved in a hidden TrueCrypt volume. Theoretically, this should keep the PII safe, assuming the network admins use their heads and keep their passwords safe, but of course, they didn’t.
So, the first part of the challenge was to find the wireless network, which was not broadcasting its SSID. IronGeek suggests using Kismet to find it, and that was my original plan, but while I was still hooking up my gear I pulled out my CrackBerry and did a quick scan for wireless networks, and sure enough it found IrongeekCTF. So I didn’t bother with Kismet and just associated myself with IrongeekCTF, got an IP, and started scanning the network. We were told we needed to find a Windows box, a Linux box, and a non-x86 system. I used nmap to scan the network and quickly identified all the targets. Specifically, I scanned with:
# nmap -sT -sV -O 10.0.0.1-100
The -sT specifies a Connect scan, which is quick and easy, and in a real pentest also easily recognizable by an IDS, but in this situation who cares. The -sV enables version scanning to let me know what version of what service is running on the ports located on the remote system. And finally, the -O is OS detection. We were given the IP range to attack, so that pretty much found me everything I needed to know for this section of the challenge.
Now that we’ve identified some targets, it’s time to start hacking. The nature of the challenge, and what specific “flags” we needed, were made known some time before the challenge, so I already knew I’d need a password for a hidden TrueCrypt volume as well as for a 7zip file. I also knew there is no practical way to recover these types of passwords without an admin screwing up somewhere, so I was looking for a couple of specific things. I did find some ways to brute-force both TrueCrypt and 7zip, but these methods take FOREVER! Since the entire competition was only a few hours long, I knew this wouldn’t work unless the passwords were less than 3 characters long. So I started with the assumption that the fictitious admins of the network in question wrote the password down somewhere and all I had to do was find it. All that being said, the next step in the challenge was to find the Windows administrator password, but I noticed a web server running on the Linux box, so I pulled up the website from that box first. What I found was an intranet site that included a login, a “My notes” section, and a chat log between the admins. The chat log revealed the admins didn’t think it was necessary to patch a Windows XP box if it was behind a firewall (so there’s one easy target); it also revealed that the user named greg saved the password to the TrueCrypt volume in “my notes”, and the user john wrote the password to the 7zip file on a post-it and stuck it to his monitor. At this point I also noticed the 3rd, non-x86 system was named “CAM”. So at this point I knew I needed greg’s password for the intranet site to get the TrueCrypt password, and I thought there was a good chance CAM led me to a camera that was pointed at a monitor somewhere with the 7zip password attached.
So, now I really started hacking. First off, the Windows box was unpatched, so you could pretty much pick any Windows exploit you wanted to get in. I think most everyone used the infamous MS03-026, as did I. I also think pretty much everybody used Metasploit and Meterpreter to get into the Windows box and extract the password hashes. In preparation for this event I downloaded a couple hundred gigs worth of rainbow tables and brought them on an external hard drive. So once I had the hashes I just had to wait for the rainbow tables to do their magic.
After about half an hour I had the Administrator password as well as the passwords for greg and john. Turns out, these passwords worked on the Linux box as well, so I didn’t even have to crack it. So now I’ve got Administrator on the Windows box and root on the Linux box, and now I’m looking for the logins to the intranet site, which, if you remember, was on the Linux box (which I now have root on). I should also mention that the encrypted PII file was in /home/greg on the Linux box, so after sftping the file to my laptop I had it.
Now I needed greg’s password for the intranet in order to get the TrueCrypt password in his “My Notes” section. The intranet site is susceptible to an SQL injection attack, and if you watch IronGeek’s video you can see how he was able to log in. I went a different route. Once I had root on the Linux box I went to /root/.bash_history to see what might be revealed. What I learned was that there was a PHP file edited by root in the /var/www directory recently. A quick read of this file revealed it to be a script used to set up the DB, and in it were the usernames and passwords of all the intranet users. I know someone else dumped the passwords directly from MySQL.
So, I logged in as greg to the intranet site and got the password for the hidden TrueCrypt volume; all that was left was the 7zip file. Port 80 was open on the last, non-x86-based box, which was named “CAM”, and after opening it up in a web browser it turned out to be an IP cam after all. So I’m doing really well at this point and am pretty sure I’m ahead of everyone, or at least in the top 3, and this is where I get stuck. I spend the next several hours finding out everything I can about this cam and the web server it’s running on. I keep looking for some kind of vulnerability, I try some brute-forcing, all the while I DO have a 7zip brute-force running, though VERY slowly, and I’m out of luck.
Finally, Rel1k (Dave Kennedy, one of the first-place winners, also a BackTrack4 developer) mentions ARP poisoning. So I fire up ettercap, notice some traffic between the IP cam and the Windows box, and poison ARP to have all traffic between these two boxes pass through my laptop first. In a couple of seconds ettercap gives me the cam’s password, then I log in, see the post-it attached to a monitor, use it on the 7zip file, and I’m done! I got 3rd place when it was all said and done. It seems several others were at the exact same point that I was, and when Rel1k gave us that hint we all finished pretty quickly, within minutes of each other. I was about 10 minutes from being either 2nd or 4th. I should also mention that the webcam in question was pointed away from the password and had to be rotated via the web interface. This little fact hung up the winning team for quite some time.
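The ARP poisoning above works because hosts accept unsolicited ARP replies and silently rebind an IP to whatever MAC the latest reply claims, which is also why the cam’s plaintext credentials could be read off the wire. As an added example (not part of the original post, and not Irongeek’s or ettercap’s code), here is the kind of check a defender can run over ARP replies from a capture to spot it, in the spirit of arpwatch: it records the first MAC seen for each IP and alerts when that binding changes or when one MAC claims several IPs. The addresses are constructed sample data.

```python
# Added example: minimal ARP-spoofing detector over a list of ARP replies.
# Not from the original post; addresses below are constructed, not real.
from collections import defaultdict

# Constructed ARP replies as (sender_ip, sender_mac). Hypothetically,
# 10.0.0.20 is the IP camera, 10.0.0.30 the Windows box, and the :ff MAC
# is a third host that starts answering for both of them.
SAMPLE_ARP_REPLIES = [
    ("10.0.0.20", "00:11:22:33:44:01"),
    ("10.0.0.30", "00:11:22:33:44:02"),
    ("10.0.0.20", "00:11:22:33:44:01"),  # repeat, consistent with the first reply
    ("10.0.0.20", "00:11:22:33:44:ff"),  # camera's IP now claimed by another MAC
    ("10.0.0.30", "00:11:22:33:44:ff"),  # the same MAC also claims the Windows box
]


def detect_arp_spoofing(replies):
    """Return a list of alert strings for inconsistent IP/MAC bindings.

    Two signals are checked, in the order the replies arrive:
      1. an IP whose MAC differs from the MAC first recorded for it;
      2. a MAC that claims more than one IP (a host relaying for two
         victims looks exactly like this; note that routers with several
         addresses can trigger it legitimately, so whitelist those).
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac  # first sighting becomes the trusted binding
        elif known != mac:
            alerts.append(f"{ip} changed from {known} to {mac}")
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            claimed = sorted(mac_to_ips[mac])
            alerts.append(f"{mac} claims {len(claimed)} IPs: {claimed}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print("ALERT:", alert)
```

On the sample data this reports the camera’s IP changing MAC, the Windows box’s IP changing MAC, and the new MAC claiming both IPs; a real deployment would feed it ARP replies from a packet capture and seed the trusted bindings from a known-good inventory rather than from first sighting.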
That’s my story! So how was it? It was loads of fun. Adrian did a great job. He came up with an interesting challenge that wasn’t too difficult, so several beginners, such as myself, could get involved, and yet the creativity with the camera even kept the experts guessing for some time. I’m looking forward to next year and hope I can make it again.
What are some things I might like to see added, or suggestions for next year? Maybe there could be more investigative work on the targets. For example, we need to find a document in an email in Outlook, or even extract it from Exchange. I know it would take more work and some volunteers, but it would also be cool if there were actual users to social-engineer. Honestly, if it weren’t for the camera, the challenge would have been too short. I think it should start out at the level of complexity it was, but more difficult challenges later on would have been even better. Of course, Adrian probably has other things to do with his time, but I’m sure he could find some help. I’d volunteer!