Remember this? http://www.netsoc.dit.ie/2012/01/trip-to-campuscon-wit-form/ Forgot to mention, two of us headed down from netsoc DIT and won! Myself (Mark Cunningham) and Declan Curran.
Here’s a quick write up on what the challenge was and how we cracked it. A big thanks to WIT Hacking society for putting on the conference and Seán Ó Briain (@SeanOBriain) for creating the challenge. It was a lot of fun.
Introduction
The story behind the challenge was that a bomb is ticking down and we have to crack through the challenges and disarm the bomb before it blew up (there was obviously no real bomb just to clarify). The challenge consisted of 3 parts where at the end of each one, you were able to enter your team name. Our team name was “Club Mate.” (not a well chosen name I admit, especially as I think the stuff tastes like crap)
Cracking the challenge
Initially we were given 2 ip addresses and told which one to start with.
The first server was called WOPR (wargames reference – great movie) running ubuntu. We port scanned it and found a http and ssh server running.
The web server consisted of a range of games. A series of urls had parameters included (such as ?game=bla). These urls were vulnerable to sql injection.
Using one of these injection points, we pulled out two interesting tables. A “users” table and an “ssh-users” table. The users table contained an md5 hash. We cracked it with john the ripper and used the login to enter our team name into the website. (The md5 hash wasn’t salted so we could have just googled it however we hadn’t got internet hooked up at the time as there was no need. Using the wordlist from john the ripper, we cracked it in fairly little time)
The ssh-users table contained a login/password to allow us to ssh into the machine. There we found a mail log that contained a conversation. This contained login details for a website running on the second server.
The second server was running ubuntu and was named GIBSON (yes we did hack the gibson). It was also running an unknown service that when we telnetted to it, we found a prompt asking us for a passphrase to disable the bomb. None of the credentials worked at this point so we moved on.
We got a .htaccess type password prompt, which we logged in to using the credentials we gleaned from the mail file. The website had a file upload feature. We attempted to upload a php shell however there was content filtering. Using burp, we changed the type of the file to plain/text and uploaded one of our php shell scripts. This allowed us to run system commands similar to terminal access.
Once we had terminal access, we poked around the files to see what we could find and discovered one of the users in the /home directory had their directory as world readable. Inside was an interesting file (I think the word “key” was in the filename) containing a random stream of characters. We submitted that key to the service prompting us for the bomb deactivation code however it was denied. We backtracked and tried various other usernames/passwords. Finally realised the string was all base64 characters, decoded it and entered the code to deactivate the bomb.
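The upload step above got through because the filter judged the file by a type field the client controls. As an added example (not part of the original write-up or the challenge's code), here is such a check beside one that ignores the declared type; the function names, allow-list, deny-list and sample bytes are assumptions constructed for illustration, since how the real filter worked is not known.

```python
import os

# Constructed policy for this example: extension -> required leading bytes
# (None means "plain text, must decode as UTF-8").
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
           ".gif": b"GIF8", ".txt": None}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")
# Assumed deny-list; the real filter's rules are not known.
BLOCKED_TYPES = {"application/x-php", "application/x-httpd-php", "text/php"}


def weak_filter(filename, declared_type, data):
    """Assumed weak check: only the client-supplied Content-Type is examined."""
    return declared_type.lower() not in BLOCKED_TYPES


def strict_filter(filename, declared_type, data):
    """Return (accepted, reason). declared_type is deliberately ignored."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base.startswith(".") or base.count(".") != 1:
        return False, "name must have exactly one extension"
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not on allow-list"
    magic = ALLOWED[ext]
    if magic is not None and not data.startswith(magic):
        return False, "content does not match extension"
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        return False, "script marker in content"
    if magic is None:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "text file is not valid UTF-8"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a harmless script stub and a minimal PNG header.
    stub = b"<?php /* constructed sample */ ?>"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for name, ctype, body in [("notes.php", "plain/text", stub),
                              ("pic.png", "image/png", png),
                              ("pic.png", "image/png", stub),
                              ("a.php.png", "image/png", png)]:
        print(name, ctype, weak_filter(name, ctype, body),
              strict_filter(name, ctype, body))
```

Content checks are only one layer: storing uploads under a server-generated name in a directory the web server will not execute scripts from keeps a missed file inert.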
Was an enjoyable set of challenges and from what we heard afterwards, we weren’t alone in thinking that. Hope to head out next year for more challenges and again, thanks to wit hacking society and Seán Ó Briain for creating the challenge for us!