RITSEC Fall 2018 CTF — Week 1

The second week of RITSEC’s CTF (0-based numbering scheme) has concluded. Although the official presentation and challenge write-ups for the semester CTF will be posted on ritsec.club for those interested, I post more detailed write-ups here each week for the challenges I am able to solve. I do this because, as a freshman, when I read challenge write-ups they often went step by step but never elaborated on why a certain command was run or the strategy the author followed when solving the challenge. This is my effort to explain the reasoning behind the process. As always, let me know of any errors.

The challenges were updated with more details on September 9th, after my initial submission. I got the flags correct prior to the update so the process is still the same, but the new challenge hints have been added.

Topic

Following from Week 0’s “Intro to Linux” topic, this week is “Intro to Windows”. Points are earned by knowing how to use various system administration and automation tools, as well as about various obscure details of the NTFS filesystem and Windows storage locations. The challenges this week are through a customized Windows 10 (1803) virtual machine. The login is “ritsec”/“Password-123!”.

Easy 1 — Policy can be hard. Thankfully Windows has a program for it.
New hint 9/9: Enable CMD and PowerShell

Windows’ program for managing policies in versions other than Home is the Group Policy Editor. On a PC not connected to a domain, this is the local group policy and can be accessed by running gpedit.msc.

According to the presentation, there are about 5,000 different group policy settings, so it’s not reasonable to look through each category and try to find the flag. Fortunately, the editor has a filter function that can be applied to folders. Select the first Administrative Templates folder in the list, then use the menu to turn on the filter by choosing View > Filter On. Next, enable the keyword filter under View > Filter Options and filter for the start of a flag, in this case RS{ .

Apply the filter and view both Administrative Templates folders. The flag is found in the policy setting Don't run specified Windows applications under User Configuration.

The flag is RS{acc3ss_gr4nt3d}. While this policy is open, inspect the list of disallowed applications.

As Command Prompt and PowerShell are useful tools to have while participating in a CTF, disable this policy. These tools will be used later.

Easy 2 — I was told one of the admins would share the flag, but I’m not sure where…
New hint 9/9: Find the secret share

As seen on the login screen, there are many users on this system, and any of them could be an administrator. To determine which users are administrators, open the Local Users and Groups settings by launching lusrmgr.msc. Select the Users folder.

The user rbabarsky references a “secret share”. To view all network shares on the system, open a command prompt and run the command net share.

The secret share is located in the Music folder of the current user. Browse to the location. The flag is saved as a text file.

Medium 1 — Rivers, Lakes, Ponds…
New hint 9/9: I think there is a flag in this file but I can’t see it!

A word related to the title that also relates to the presentation is “streams”. Specifically, this challenge will most likely involve viewing a flag hidden inside an alternate data stream. Upon opening File Explorer for the first time, a flag file can be seen. Opening the file location shows two flag files, medium-flag1.txt and medium-flag2.txt. Open the medium-flag1.txt file.

The file is blank, and its properties list a file size of 0 KB, so there is effectively no useful data in the file’s main data stream. This challenge, however, deals with alternate data streams, which are, put simply, an NTFS feature that lets a file carry additional named data streams alongside its default (unnamed) data stream; tools that only read the default stream, such as Explorer’s size display and Notepad, never show them. There are many ways to view alternate data streams, but this example uses Windows PowerShell. To list the streams of the file, run Get-Item -Path C:\Users\ritsec\medium-flag1.txt -Stream *.

There are an excessive number of alternate data streams on the medium-flag1.txt file. Each stream is identified by the Stream field, the full path for accessing the stream is in the PSPath field, and the final field, Length, is the size of the stream in bytes. To view the contents of a single stream, use the command Get-Content -Path C:\Users\ritsec\medium-flag1.txt -Stream aabbcc, where aabbcc is the stream name.

There are five stream names that don’t seem to be random. View the contents of each of these streams using the command above. The results are:

The hints seem to indicate that the flag is in one of the remaining streams, whose names appear to be randomly generated. However, given the number of streams that would need to be searched, finding it manually is impractical.

I wrote a script called adssearch to search the alternate data streams of a file and return text matching a search query. Find it here.
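The same idea in PowerShell, as an added example rather than the author’s adssearch script: enumerate every stream of the file with Get-Item -Stream *, read each one, and report only the streams whose text matches a pattern. It assumes Windows PowerShell 3.0 or later on an NTFS volume and uses the RS{...} flag format from this CTF as the default pattern.

```powershell
# Added example (not the author's adssearch script): list every alternate data
# stream of a file and report the streams whose text matches a pattern.
# Assumes Windows PowerShell 3.0+ on an NTFS volume; the default pattern is
# the RS{...} flag format used in this CTF.
function Find-AdsContent {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Pattern = 'RS\{[^}]*\}'
    )

    # Get-Item -Stream * returns one object per stream (Stream, Length, PSPath),
    # including the file's default data stream, which is named ':$DATA'.
    foreach ($s in (Get-Item -LiteralPath $Path -Stream *)) {
        if ($s.Stream -eq ':$DATA' -or $s.Length -eq 0) { continue }

        # Read the whole stream as one string. A stream holding non-text data
        # may fail to decode, so errors are suppressed and that stream is skipped.
        $text = Get-Content -LiteralPath $Path -Stream $s.Stream -Raw -ErrorAction SilentlyContinue
        if ($null -eq $text) { continue }

        foreach ($m in [regex]::Matches($text, $Pattern)) {
            [pscustomobject]@{
                Stream = $s.Stream
                Length = $s.Length
                Match  = $m.Value
            }
        }
    }
}

# Example run against the challenge file from the write-up:
Find-AdsContent -Path 'C:\Users\ritsec\medium-flag1.txt' | Format-Table -AutoSize
```

Pass a different -Pattern to search the streams for any other text; the output lists the stream name, so the hit can be read back with Get-Content -Stream.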

The flag is RS{wowzewrs-how-did-you-find-this}.

Medium 2 — Research how Windows handles file ownership.
New hint 9/9: Even though I’m an administrator I can’t open this file. What gives?!

Browse to the location of medium-flag2.txt discovered earlier. Opening the file as the current user, ritsec, produces an error stating that the user does not have permission to access the file. However, the ritsec user has administrative privileges and so should be able to change file ownership. Open the file location and attempt to take ownership of the file by opening the context menu and selecting Properties > Security > Advanced to open the advanced security settings. Click the Change link next to the owner to attempt to take ownership by changing the owner of the file.

Unfortunately, this fails once again with the error message You do not have permission to view or edit this object's permission settings. However, Windows’ permission model is very broad and robust, and there are other ways to take ownership of the file. Go up one level in the directory tree to the Users folder. There, inspect the advanced security settings of the ritsec folder using the same method used earlier with the flag file.

Change the owner from the Administrators group to the user ritsec by typing the user’s name into the resulting dialog box. Be sure to check Replace owner on subcontainers and objects in the advanced security settings dialog box. Approve the resulting security warning to gain access to the file.

Browse back to the ritsec directory and inspect the security settings of the flag file, which can now be changed. Grant the ritsec user read access to the file by editing the list of users and their permissions: add ritsec to the list through the dialog box and choose the permissions appropriately.

Open the file. The flag is displayed, RS{ch3ck-y0ur-pr1vil3g3}.

Hard 1 — None
New hint 9/9: Find the secret cached credentials in memory.

There is no hint for this challenge, so perhaps the only way to find the flag is to spend quite some time exploring the challenge VM. Open the Credential Manager and click Windows Credentials. View the RIT credential.

There is no option available to view the password, and it is not possible to obtain the flag by editing the credential and copying the password field. The files behind Credential Manager are stored in several locations in Windows:

  • C:\Users\<username>\AppData\Roaming\Microsoft\Credentials
  • C:\Users\<username>\AppData\Roaming\Microsoft\Protect
  • C:\Users\<username>\AppData\Local\Microsoft\Credentials
  • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials
  • C:\Windows\System32\Microsoft\Protect

To inspect the contents of these folders, the File Explorer option to show protected operating system files must be enabled. An inspection shows that these locations hold many system files that cannot be read with a normal text editor. My solution to reading these files was to download NirSoft’s free CredentialFilesView application and search each folder.

The flag is found in C:\Users\ritsec\AppData\Roaming\Microsoft\Credentials in the file AC17DBCB123421147335080AA6E1272E. The flag is RS{g59EtlbMu8sCE1L061uh}.

In Conclusion

Windows is an ancient operating system by today’s standards, with many hidden tools, features, and workarounds often invisible to the end user. If you struggled with the challenges this week, here are some resources to help get you started with some of Windows’ system administration tools. All of these topics will also be addressed in later courses at RIT.

There will be 13 more weeks of challenges coming from RITSEC this semester! If you want to know more about RITSEC check out their website or attend a meeting if you’re on RIT’s campus — 12–2 PM in GOL-2410 for the CTF and 2–4 PM in SLA-2150 for research and presentations. Until next week!

Written by

DFIR, CTFs, disinformation, STEM education, and pretty much anything else that comes to mind. RIT Computing Security ’22. wyatttauber.com
