The fourth week of RITSEC’s CTF (now transitioning to a 1-based numbering scheme because 0-based was confusing) has concluded. Although the official presentation and challenge write-ups for the semester CTF will be posted on ritsec.club for those interested*, I post more detailed write-ups here each week for the challenges I am able to solve. I do this because as a freshman, when I read challenge write-ups they often went step-by-step but never elaborated on why a certain command was run or the strategy the author followed when solving the challenge. This is my effort to explain the reasoning behind the process. As always, let me know of any errors.
*The club hasn’t posted any write-ups for any weeks yet. However, talk to the Tech Lead and he will personally explain the challenge solutions to you after flag submissions have closed.
This week explores use and management of services, such as databases, email applications, and remote login/file access. Points are earned in a CentOS virtual machine for showing proficiency in the commands to administer a variety of different services. The login for the virtual machine is “ritsec”/“ritsec” and root access will need to be gained to complete certain challenges.
Easy 1 — Webscale is the best type of database!
A “webscale” database is one designed to scale horizontally across many servers, a label usually applied to NoSQL databases such as MongoDB or Apache Cassandra. Check to see if MongoDB is installed by launching its interactive shell,
The shell connects to the local MongoDB instance and displays a prompt. For brevity, screenshots of the next several steps are not shown as they are self-explanatory. Syntax and references for MongoDB commands can be found in the MongoDB manual.
Check to see if there are any interesting databases by running the show databases; command (show dbs does the same thing). There are 4 databases currently available, and ritsec seems to be the most likely database to contain a flag. Enter use ritsec; at the prompt to switch to the ritsec database, and then show collections; (the shell also accepts show tables; as an alias) to list the collections in the ritsec database. Collections are MongoDB’s equivalent of tables, except that they hold JSON-like documents rather than rows and columns. The only collection available, secret_data, seems promising. To view the contents of a collection, use the command db.secret_data.find(), which returns every document stored in it.
The flag is plainly visible,
Easy 2 — Something is up with the website, can you find where the website content is?
A very common way to run a website is with the Apache web server, so the Apache configuration file would name the location of the website content. On CentOS, the Apache configuration file httpd.conf is in /etc/httpd/conf. Examining the file, the DocumentRoot directive (the directory from which all website pages are served) is set to
View the contents of the directory.
The flag is
Medium 1 — Hint is in /home/ritsec/helpme.txt.
The hint file for this challenge is formatted in an interesting way — as an email message. This challenge will involve sending and receiving email through the terminal.
The hint isn’t as much about the message as it is about the medium. No email addresses are currently known, but two are provided in the message header, both at localhost, which means the mail server is running on the VM itself. SMTP is a plaintext protocol, so there is no need for an ssh login or a mail client: the server can be driven directly with telnet. Access the mail server by running the command telnet localhost 25 in a terminal (25 is the standard SMTP port).
This is Postfix, an open-source mail transfer agent. Talking to it over telnet means typing raw SMTP commands (HELO/EHLO, MAIL FROM, RCPT TO, DATA, QUIT), which is quite different from using a mail client: the server understands only that small, exact set of commands and answers each one with a three-digit reply code. Guides to the SMTP command sequence can be found online.
To send an email to the first address of interest, no-reply@localhost, issue these commands:
MAIL FROM:<ritsec@localhost> — This is the address we can receive replies at, if necessary. (The server should respond with 250 2.1.0 OK each time, which indicates success.)
RCPT TO:<no-reply@localhost> — This is the recipient’s address, but something unexpected has happened…
The second command has been rejected by the mail server (a 5xx reply) because it refuses mail to this address. However, the rejection message contains an interesting string of \x-escaped hexadecimal bytes. Removing the \x prior to each pair of characters gives:
52 53 7b 69 5f 6c 30 76 65 5f 6d 40 69 6c 7d
Converting from hexadecimal to plain text gives the flag,
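The exchange described above, replayed as an added example that is not part of the original write-up: a minimal fake Postfix responder listens on a loopback port (its reply wording is constructed for this example; only the \x-escaped hex string is taken from the challenge), a client sends HELO, MAIL FROM and RCPT TO exactly as they would be typed into telnet, and a helper decodes any \xHH runs found in the rejection. Running it prints the decoded flag.

```python
import re
import socket
import threading

# Constructed stand-in for the rejection text the VM's Postfix returned on
# RCPT TO. Only the \x-escaped hex string comes from the write-up; the
# surrounding wording is made up for this example.
REJECTION = (r"550 5.1.1 <no-reply@localhost>: Recipient address rejected: "
             r"\x52\x53\x7b\x69\x5f\x6c\x30\x76\x65\x5f\x6d\x40\x69\x6c\x7d")


def fake_postfix(conn):
    """Answer one SMTP session the way the challenge server did (constructed replies)."""
    conn.sendall(b"220 localhost ESMTP Postfix\r\n")
    reader = conn.makefile("rb")
    for raw in reader:
        line = raw.decode("ascii", "replace").strip()
        upper = line.upper()
        if upper.startswith(("HELO ", "EHLO ")):
            conn.sendall(b"250 localhost\r\n")
        elif upper.startswith("MAIL FROM:"):
            conn.sendall(b"250 2.1.0 Ok\r\n")
        elif upper.startswith("RCPT TO:"):
            if "no-reply@localhost" in line.lower():
                conn.sendall((REJECTION + "\r\n").encode("ascii"))
            else:
                conn.sendall(b"250 2.1.5 Ok\r\n")
        elif upper == "QUIT":
            conn.sendall(b"221 2.0.0 Bye\r\n")
            break
        else:
            conn.sendall(b"502 5.5.2 Error: command not recognized\r\n")
    conn.close()


def start_fake_server():
    """Listen on an ephemeral loopback port and serve one session in a background thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, _addr = srv.accept()
        srv.close()
        fake_postfix(conn)

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def smtp_command(sock, command):
    """Send one SMTP command line and return the server's reply (single-line replies only)."""
    sock.sendall((command + "\r\n").encode("ascii"))
    return sock.recv(4096).decode("ascii", "replace").strip()


def probe_recipient(port, sender, recipient):
    """Replay the MAIL FROM / RCPT TO exchange from the write-up; return both replies."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        sock.recv(4096)  # 220 greeting
        smtp_command(sock, "HELO ritsec.localhost")
        mail_reply = smtp_command(sock, f"MAIL FROM:<{sender}>")
        rcpt_reply = smtp_command(sock, f"RCPT TO:<{recipient}>")
        smtp_command(sock, "QUIT")
    return mail_reply, rcpt_reply


def decode_hex_escapes(text):
    """Extract every run of \\xHH escapes in an SMTP reply and decode each run to text."""
    runs = re.findall(r"(?:\\x[0-9a-fA-F]{2})+", text)
    return [bytes.fromhex(run.replace("\\x", "")).decode("ascii", "replace") for run in runs]


if __name__ == "__main__":
    port = start_fake_server()
    mail_reply, rcpt_reply = probe_recipient(port, "ritsec@localhost", "no-reply@localhost")
    print("MAIL FROM ->", mail_reply)
    print("RCPT TO   ->", rcpt_reply)
    print("decoded   ->", decode_hex_escapes(rcpt_reply))
```

Postfix does not insist on HELO under its default configuration, which is why the write-up could go straight to MAIL FROM, but a well-behaved client sends it first; the decoder is deliberately generic so it also works on any other reply that smuggles hex-escaped bytes.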
Medium 2 — Login as root! Pretty sure I left the key somewhere… (flag will be contents of flag.txt in root’s home directory).
The hint mentions a “key” when referring to logging in as the root user. A common substitute for a password login is to configure ssh to accept an RSA key pair, which may have been done for the root account. An RSA private key in the traditional OpenSSL PEM format begins with the line -----BEGIN RSA PRIVATE KEY----- (newer OpenSSH versions write -----BEGIN OPENSSH PRIVATE KEY----- by default, so searching for PRIVATE KEY catches both), while the matching public key in OpenSSH format begins with ssh-rsa. Start by using grep to search the filesystem recursively for files containing that phrase.
There is a private key stored at ~/Downloads/secret/keys/. Change to the directory and try to use the private key to log in with ssh; the -i flag specifies a private key to use when connecting. Note that ssh refuses a private key file that is readable by other users, so if it complains about an unprotected key file, tighten the file’s permissions to 600 first.
The login was successful. Open the flag file specified in the hint.
The flag is
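As an added example (not from the original write-up), the hunt for a stray key done in Python instead of grep: it walks a directory tree, matches the first line of each small regular file against the common PEM and OpenSSH private-key headers, and also reports whether the file’s permissions would make ssh refuse it. The directory tree is constructed inside the script and mirrors the ~/Downloads/secret/keys/ path from the challenge; the id_rsa body is a placeholder, not a real key.

```python
import os
import stat
import tempfile

# Private-key headers worth searching for. "BEGIN RSA PRIVATE KEY" is the
# traditional OpenSSL PEM format; OpenSSH 7.8+ writes the OPENSSH form by default.
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)
MAX_KEY_SIZE = 64 * 1024  # real key files are small; skip anything larger


def find_private_keys(root):
    """Walk `root` and return sorted [(path, mode_ok)] for files that start with a private-key header.

    mode_ok is False when the file is group- or world-accessible, which is exactly the
    condition under which ssh prints "UNPROTECTED PRIVATE KEY FILE" and ignores the key.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or st.st_size > MAX_KEY_SIZE:
                    continue  # skip symlinks, devices and big files
                with open(path, "rb") as fh:
                    first = fh.readline().strip()
            except OSError:
                continue  # unreadable as the current user; root would see more
            if first in PRIVATE_KEY_MARKERS:
                mode_ok = (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0
                hits.append((path, mode_ok))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree: one loosely-permissioned private key, one public key, one text file."""
    root = tempfile.mkdtemp(prefix="keyhunt-")
    keydir = os.path.join(root, "Downloads", "secret", "keys")
    os.makedirs(keydir)
    key_path = os.path.join(keydir, "id_rsa")
    # Placeholder body: not a real key, only the header that grep (and ssh) would recognise.
    with open(key_path, "wb") as fh:
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed placeholder...\n"
                 b"-----END RSA PRIVATE KEY-----\n")
    os.chmod(key_path, 0o644)  # too open: ssh -i will refuse this until it is chmod 600
    with open(os.path.join(keydir, "id_rsa.pub"), "wb") as fh:
        fh.write(b"ssh-rsa AAAAB3...constructed placeholder... root@localhost\n")
    with open(os.path.join(root, "helpme.txt"), "wb") as fh:
        fh.write(b"nothing to see here\n")
    return root


if __name__ == "__main__":
    for path, ok in find_private_keys(build_sample_tree()):
        verdict = "permissions ok" if ok else "too permissive, chmod 600 before using with ssh -i"
        print(f"{path}: {verdict}")
```

Only the first line of each file is read, so the scan is cheap enough to point at / on a box you have just landed on; public keys and ordinary text are skipped because their first line never matches a private-key header.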
Hard 1 — Franklin Thomas Potter wants to give you a package.
A sign-off by the tech lead is required for this challenge.
The initials for “Franklin Thomas Potter” are FTP, which also stands for File Transfer Protocol. Start by trying to run the ftp client.
FTP is not installed. Are there any services that may rely on FTP? Executable files live in /bin (which stands for “binary”). Change to that directory and grep for anything that contains the string ftp. One of the results is interesting:
Is realservice really a real service? Typically, compiled binaries are unreadable when opened in a text viewer, but try opening it anyway.
There are a few important details to note about this file. The readable portion contains .py and several Python keywords, indicating this is probably a Python script. Python scripts saved as compiled bytecode (typically with the .pyc extension, although the extension is not required) look like binary files, but string constants, identifiers and the original source filename are stored inside them as plain text, which is why fragments are readable. They are hard to follow until decompiled back into readable .py files with tools such as uncompyle2 (there are different versions of uncompyle depending on the version of Python; Python 2 is installed on this VM). Although not required to complete the challenge, if the function of this file is not obvious, use the root account through ssh as discovered earlier to install uncompyle2 or another decompiler and convert the file to a readable .py file.
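To show why the “binary” realservice file still leaks its purpose, here is an added example that is not the challenge’s own file: a constructed Python stand-in for the retry loop is compiled and serialised in .pyc layout, then a strings-style scan pulls out the source filename and the credential constants. The sample source, the zeroed header fields and the function names are assumptions for illustration; the real service was Python 2 bytecode, so its magic number and header length differ from those of the Python 3 interpreter this runs under.

```python
import importlib.util
import marshal
import re

# Constructed stand-in for realservice: a retry loop that logs in to a local
# FTP server with the credentials the write-up names and uploads answer.txt.
# It is only compiled here, never executed, so nothing connects anywhere.
SAMPLE_SOURCE = '''\
import ftplib
import time

def deliver():
    ftp = ftplib.FTP("localhost")
    ftp.login("secret", "donttellanyone")
    with open("answer.txt", "rb") as fh:
        ftp.storbinary("STOR answer.txt", fh)

while True:
    try:
        deliver()
        break
    except OSError:
        time.sleep(5)
'''


def make_fake_pyc(source, filename="realservice.py"):
    """Serialise compiled bytecode the way CPython's .pyc files do: magic, header, marshalled code.

    The 12 header bytes after the magic (flags, source mtime, source size) are zeroed
    because only the layout matters for this demonstration (constructed, not a real .pyc).
    """
    code = compile(source, filename, "exec")
    return importlib.util.MAGIC_NUMBER + b"\x00" * 12 + marshal.dumps(code)


def looks_like_pyc(blob):
    """True when the blob starts with the .pyc magic number of the running interpreter."""
    return blob[:4] == importlib.util.MAGIC_NUMBER


def strings(blob, min_len=4):
    """Same idea as the `strings` utility: runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def readable_evidence(blob):
    """Collect what a human notices when opening the file: .py names and every readable fragment."""
    found = strings(blob)
    return {
        "pyc": looks_like_pyc(blob),
        "py_filenames": [s for s in found if ".py" in s],
        "fragments": found,
    }


if __name__ == "__main__":
    blob = make_fake_pyc(SAMPLE_SOURCE)
    info = readable_evidence(blob)
    print("pyc magic matches running interpreter:", info["pyc"])
    print("source filenames:", info["py_filenames"])
    for fragment in info["fragments"]:
        print("  ", fragment)
```

The marshal format stores short ASCII strings as raw bytes preceded by a type and length byte, so the FTP host, the username, the password and the original filename all survive compilation; that is the same reason the author could spot .py and Python keywords before ever decompiling realservice.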
The decompiled script’s job is to log in to the local FTP server as the user secret with the password donttellanyone and create the file answer.txt there. First, check top to see that this script is already running under the permissions of the root user.
As soon as the script is able to complete its task, it will exit automatically. However, it is currently trying to connect to a local FTP server that does not exist, and it will keep retrying until it connects successfully. The next steps let the script complete and create the data we need to send to the RITSEC technical lead to earn points for the challenge.
Install an FTP client and server. This example installs vsftpd (the Very Secure FTP Daemon) as the server and the standard ftp client. To install and start these tools, run the following as root:
yum install vsftpd ftp
/sbin/service vsftpd start
Next, create the user secret that the script is trying to log in as, and set that user’s password to the one the script expects.
Notice that after the password is set, the Python service is no longer running.
Change to the secret user’s home folder, either through the root account or by using ftp and providing secret's login information. Display the contents of the directory.
View the file. If viewing the file through ftp, put a ! at the start of the line to tell ftp to run cat as a Linux shell command rather than interpreting it as an ftp command.
Copy the transcript of the commands and their results for this challenge and submit them to RITSEC’s technical lead to get credit for completing the challenge.
Bonus — Vim says “yo”.
I noticed while completing the challenges that Vim’s default register under the root account already contains text from an earlier session (Vim saves registers to root’s ~/.viminfo between sessions). Open any file with vim and press Shift + p (the P command) to paste it.
This has nothing to do with any of the challenges and is not worth any points (as far as I can tell), but it is funny.
This week’s challenges had a lot to do with knowing how to use the right tools to find and recognize obscure data patterns and formats. In addition, any security-themed CTF expects participants to occasionally try actions that would not normally be expected to do anything interesting, because that is how vulnerabilities are discovered!
There are numerous great resources available online for these sorts of challenges, such as guides to grep, how to identify files without extensions, and scripts that search for configuration or security mistakes. Upper-level CSEC and CS classes also cover some of these topics as part of their curriculum.
There will be 11 more weeks of challenges coming from RITSEC this semester! If you want to know more about RITSEC check out their website or attend a meeting if you’re on RIT’s campus — 12–4 PM in GOL-2410 for the CTF and presentations. Until next week!