RITSEC Fall 2018 CTF — Week 3/4

The fourth week of RITSEC’s CTF (now transitioning to a 1-based numbering scheme because 0-based was confusing) has concluded. Although the official presentation and challenge write-ups for the semester CTF will be posted on ritsec.club for those interested*, I post more detailed write-ups here each week for the challenges I am able to solve. I do this because as a freshman, when I read challenge write-ups they often went step by step but never elaborated on why a certain command was run or what strategy the author followed when solving the challenge. This is my effort to explain the reasoning behind the process. As always, let me know of any errors.

*The club hasn’t posted any write-ups for any weeks yet. However, talk to the Tech Lead and he will personally explain the challenge solutions to you after flag submissions have closed.

Topic

This week explores use and management of services, such as databases, email applications, and remote login/file access. Points are earned in a CentOS virtual machine for showing proficiency in the commands to administer a variety of different services. The login for the virtual machine is “ritsec”/“ritsec” and root access will need to be gained to complete certain challenges.

Easy 1 — Webscale is the best type of database!

A “webscale” database simply means a large-scale database. Examples of this type of database are MongoDB or Microsoft SQL Server. Check to see if MongoDB is installed by running the program’s start command, mongo.

MongoDB will start up and display a prompt. For brevity, screenshots of the next several steps are not shown as they are self-explanatory. Syntax and references for MongoDB commands can be found at the MongoDB manual.

Check to see if there are any interesting databases by running the show databases; command. There are 4 databases currently available, and ritsec seems to be the most likely to contain a flag. Enter use ritsec; at the prompt to switch to the ritsec database, and then show tables; to list the tables (rows and columns that store data) in it. The only table available, secret_data, seems promising. To view the contents of a table, use the command db.secret_data.find(), which prints every record stored in it.

The flag is plainly visible, RS{w0w_such_w3bsc4le}.

Easy 2 — Something is up with the website, can you find where the website content is?

A very common way to run a website is the Apache web server, so the Apache configuration file should record where the website content lives. On CentOS, the Apache configuration file httpd.conf is in /etc/httpd/conf. Examining the file shows that the DocumentRoot directive (the directory all website pages are served from) is set to /var/opt.

View the contents of the directory.

The flag is RS{n0t_v4r_dubdubdub?}.

Medium 1 — Hint is in /home/ritsec/helpme.txt.

The hint file for this challenge is formatted in an interesting way — as an email message. This challenge will involve sending and receiving email through the terminal.

The hint isn’t as much about the message as it is about the medium. No email addresses are known yet, but two are provided in the message header, no-reply@localhost and root@localhost. “Hitting” localhost in this case means using telnet, as no ssh login details are provided. Access the mail server by running the command telnet localhost 25 in a terminal.

This is Postfix, an open-source mail transfer agent. Sending mail by talking to Postfix directly is quite different from using a mail client, because the server only understands the fixed set of SMTP commands. Guides to sending mail through Postfix this way can be found online.

To send an email to the first address of interest, no-reply@localhost, issue these commands:

  • MAIL FROM:<ritsec@localhost> — This is the address replies can be sent to, if necessary. (The server should respond with 250 2.1.0 OK each time, which indicates success.)
  • RCPT TO:<no-reply@localhost> — This is the recipient’s address, but something unexpected happens…

The second command has been rejected by the mail server because this address does not accept replies. However, the rejection message contains an unusual string of \x-prefixed hexadecimal bytes. Removing the \x before each byte gives:

52 53 7b 69 5f 6c 30 76 65 5f 6d 40 69 6c 7d

Converting from hexadecimal to plain text gives the flag, RS{i_l0ve_m@il}.
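The same exchange worked through in code, as an added example that is not part of the original write-up: a small parser for Postfix’s SMTP reply lines run over a constructed transcript of the MAIL FROM / RCPT TO steps, followed by the \x-escape decoding that recovers the flag. The wording of the rejection line is constructed for the example; only the escaped bytes are the ones the CTF server returned.

```python
import re

# Constructed transcript of the telnet session to Postfix on localhost:25.
# "C:" lines are what we typed, "S:" lines are the server's replies. The
# rejection wording is made up; only the escaped bytes match the CTF output.
TRANSCRIPT = [
    "S: 220 localhost ESMTP Postfix",
    "C: MAIL FROM:<ritsec@localhost>",
    "S: 250 2.1.0 Ok",
    "C: RCPT TO:<no-reply@localhost>",
    r"S: 550 5.1.1 <no-reply@localhost>: Recipient address rejected: "
    r"\x52\x53\x7b\x69\x5f\x6c\x30\x76\x65\x5f\x6d\x40\x69\x6c\x7d",
]

# three-digit reply code, optional enhanced status (x.y.z), then free text
REPLY_RE = re.compile(r"^(\d{3})(?:[ -](\d\.\d+\.\d+))?[ -]?(.*)$")

def parse_reply(line):
    """Split one SMTP reply line into (code, enhanced status or None, text)."""
    m = REPLY_RE.match(line)
    if not m:
        raise ValueError("not an SMTP reply: %r" % line)
    return int(m.group(1)), m.group(2), m.group(3)

def decode_hex_escapes(text):
    """Collect every \\xHH escape in text and decode the bytes as ASCII."""
    hexes = re.findall(r"\\x([0-9a-fA-F]{2})", text)
    return bytes(int(h, 16) for h in hexes).decode("ascii")

def walk_transcript(lines):
    """Pair each client command with the reply that follows it.
    Returns (command, code, enhanced_status, text) tuples; 2xx means success."""
    results, pending = [], None
    for line in lines:
        who, _, body = line.partition(": ")
        if who == "C":
            pending = body
        elif who == "S" and pending is not None:
            results.append((pending,) + parse_reply(body))
            pending = None
    return results

def recover_flag(lines):
    """Return the RS{...} flag hidden in the first 5xx rejection, else None."""
    for _cmd, code, _enh, text in walk_transcript(lines):
        if 500 <= code < 600:
            m = re.search(r"RS\{[^}]*\}", decode_hex_escapes(text))
            if m:
                return m.group(0)
    return None
```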

Medium 2 — Login as root! Pretty sure I left the key somewhere… (flag will be contents of flag.txt in root’s home directory).

The hint mentions a “key” when referring to logging in as the root user. A common substitute for password logins is to configure ssh to accept an RSA key pair, which may have been done for the root account. RSA keys in PEM format begin with a header line containing BEGIN RSA, so start by using grep to search for any files containing that phrase.

There is a private key stored at ~/Downloads/secret/keys/. Change to that directory and try using the private key to log in over ssh as root. The -i flag specifies the private key to use when connecting.

The login was successful. Open the flag file specified in the hint.

The flag is RS{k3ys_are_w3ird}.

Hard 1 — Franklin Thomas Potter wants to give you a package.
A sign-off by the tech lead is required for this challenge.

The initials for “Franklin Thomas Potter” are FTP, which also stands for File Transfer Protocol. Start ftp.

FTP is not installed. Are there any services that may rely on FTP? Service binaries are stored in /bin (short for “binary”). Change to that directory and grep for any file there whose contents include ftp. One of the results is interesting:

Is realservice really a real service? Typically, binary files are unreadable when opened, but try opening it anyway.

There are a few important details to note about this file. The readable portion contains .py and several Python commands, indicating this is probably a Python script. Python scripts saved as compiled bytecode (typically with the .pyc extension, although that is not required) appear as binary files and are hard to read until they are decompiled back into readable .py files with a tool such as uncompyle2 (there are different versions of uncompyle depending on the version of Python; Python 2 is installed on this VM). Although not required to complete the challenge, if the purpose of this file is not obvious, use the root account over ssh as discovered earlier to install uncompyle2 or a similar tool and convert the file to a readable .py file.
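What the readable fragments of a compiled script actually look like, as an added example that is not part of the original write-up or the challenge VM: a strings(1)-style extractor run over a constructed stand-in for realservice, built by marshalling a short script with the running interpreter (Python 3, so the byte layout differs from the VM’s Python 2 file, but filenames, module names and string constants survive as plain ASCII in both). The script source, the .py filename and the module-name hint list are all assumptions made for the example.

```python
import marshal

# Constructed stand-in for /bin/realservice: the marshal-serialised code object
# of a short script, which is what a .pyc holds after its header. The layout is
# that of the running (Python 3) interpreter rather than the VM's Python 2, but
# names, filenames and string constants survive as readable ASCII in both.
SAMPLE_SOURCE = '''
import ftplib
def deliver():
    ftp = ftplib.FTP("localhost")
    ftp.login("secret", "donttellanyone")
    ftp.storlines("STOR answer.txt", open("/tmp/answer.txt", "rb"))
'''
SAMPLE_BLOB = marshal.dumps(compile(SAMPLE_SOURCE, "realservice.py", "exec"))

# module names whose presence points at Python; kept long to avoid false hits
STDLIB_HINTS = ("ftplib", "socket", "subprocess", "marshal")

def extract_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    found, run = [], []
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(chr(b))
            continue
        if len(run) >= min_len:
            found.append("".join(run))
        run = []
    if len(run) >= min_len:
        found.append("".join(run))
    return found

def python_hints(strs):
    """Fragments that mark compiled Python: .py filenames and module names."""
    hits = []
    for s in strs:
        if ".py" in s:
            hits.append(s)
        hits.extend(h for h in STDLIB_HINTS if h in s)
    return hits

def triage(data):
    """What a strings pass reveals about an unknown binary before decompiling:
    is it Python, and which literals (hosts, users, passwords) sit in the clear?"""
    strs = extract_strings(data)
    hints = python_hints(strs)
    return {"string_count": len(strs), "python_like": bool(hints), "hints": hints,
            "literals": [s for s in strs if len(s) >= 6]}
```

The "literals" list is where a hard-coded user name and password show up without any decompiler, which is why a root-owned service carrying credentials this way is worth flagging in a review.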

The decompiled script logs in to the local FTP server as the user secret with the password donttellanyone and creates the file answer.txt there. First, check top to confirm that this script is already running with the permissions of the root user.

As soon as the script is able to complete its task, it will exit automatically. However, it is currently trying to connect to a local FTP server that does not exist, which it will continue to retry until it connects successfully. These next steps will allow the script to complete and create the data we need to send to the RITSEC technical lead to earn points for the challenge.

Install an FTP client and server. This example installs vsftpd (the Very Secure FTP daemon) as the server and the standard ftp client. To install and start these tools, run the following as root:

yum install vsftpd ftp
/sbin/service vsftpd start

Next, create the user secret that the script is trying to log in as.

useradd secret
passwd secret

Set the password for the secret user.

Notice that after the password is set, the Python service is no longer running.

Change directories to the secret user’s home folder either through the root account or by using ftp and providing secret's login information. Display the contents of the directory.

View the file. If viewing the file from within ftp, prefix the command with a ! so that ftp passes cat to the shell as a Linux command rather than interpreting it as an ftp command.

Copy the transcript of the commands and their results for this challenge and submit them to RITSEC’s technical lead to get credit for completing the challenge.

Bonus — Vim says “yo”.

I noticed while completing the challenges that Vim’s paste register in the challenge VM already holds content under the root account. Open any file with vim and press Shift + p to paste it.

This has nothing to do with any of the challenges and is not worth any points (as far as I can tell), but it is funny.

In conclusion

This week’s challenges had a lot to do with knowing how to use the right tools to find and recognize obscure data patterns and formats. In addition, any security-themed CTF will expect participants to occasionally try actions that normally wouldn’t be expected to produce anything interesting or unpredictable (because that’s how vulnerabilities are discovered!).

There are numerous great resources available online for these sorts of challenges, such as guides to grep, how to identify files without extensions, and scripts that search for configuration or security mistakes. Upper-level CSEC and CS classes also cover some of these topics as part of their curriculum.

There will be 11 more weeks of challenges coming from RITSEC this semester! If you want to know more about RITSEC check out their website or attend a meeting if you’re on RIT’s campus — 12–4 PM in GOL-2410 for the CTF and presentations. Until next week!

Written by

DFIR, CTFs, disinformation, STEM education, and pretty much anything else that comes to mind. RIT Computing Security ’22. wyatttauber.com
