
RITSEC Spring 2019 CTF — Week 3

The third week of RITSEC’s Spring 2019 CTF has concluded. The official challenge write-ups for the semester CTF will be posted on RITSEC’s GitHub, but each week I post more detailed write-ups here for the challenges I am able to solve. I do this because, as a freshman, the write-ups I read often went step by step but never explained why a certain command was run or what strategy the author followed. This is my effort to lay out the reasoning behind the process.

I was fortunate to have taken the CCENT exam just a few days prior to when these challenges were released, so that made this week significantly easier for me. I also had more insight on how to correct security vulnerabilities that some of these challenges demonstrated. But that doesn’t mean I didn’t make any mistakes. As always, let me know of any errors!

Topic — Advanced Networking

This week participants were given a Cisco IOSv virtual machine with flags hidden throughout. Cisco IOS, or Internetwork Operating System (not to be confused with iOS, Apple’s mobile operating system), is the operating system that runs on classic Cisco routers and switches and holds the device configuration. (Newer platforms run IOS XE, IOS XR or NX-OS, but the CLI is largely the same.) To obtain the flags, participants needed intermediate IOS commands, an understanding of where IOS stores data and how it protects passwords, and the ability to read, modify and run Tcl scripts.

Easy 1: The show must run on.

show running-config (show run) is one of the most common commands on Cisco IOS: it prints the configuration the device is currently running. The full output is long, though, and the flag could be anywhere in it.

To narrow the output, pipe it through a filter with the <command> | include <keyword> syntax, which prints only the lines containing the keyword. Since the exact location of the flag is unknown, try a few fields in IOS that carry user-chosen text, such as:

  • show running-config | include enable
  • show running-config | include service
  • show running-config | include banner
  • show running-config | include username

The flag turns up with show run | include username. IOS will store a password in plaintext (type 0) when it is configured with the password keyword, and anyone who can run show run sees it. The same applies to the passwords on the console and vty lines (Telnet/SSH access) and to enable password, which guards privileged EXEC mode. enable secret and username <name> secret <password> store a one-way hash instead and should always be used in their place. The service password-encryption command, issued in global configuration mode, does not really encrypt anything: it applies type 7 obfuscation to the plaintext passwords in the configuration, which, as the next challenge shows, is reversible in seconds.

Output of the `show run | include username` command

The flag is RS{R3AL-G00D-P4SS}.

Easy 2: What was Joe’s password, again?

The password of the user joe in the screenshot above is “encrypted” with type 7. Type 7 is a Vigenère-style cipher keyed with a fixed string that is the same on every IOS device and publicly known, so it is reversible obfuscation rather than encryption. The common password types on Cisco IOS are (availability varies by platform and release):

  • 0 — a plaintext password
  • 4 — an unsalted, single-round SHA-256 hash (deprecated; despite the newer algorithm it is weaker than type 5)
  • 5 — a salted MD5 hash (MD5-crypt, the classic enable secret)
  • 7 — a Vigenère-style obfuscated password, reversible by anyone who can read it
  • 8 — a PBKDF2-SHA256 hash
  • 9 — a scrypt hash

Only the hashed types (5, 8, 9) are produced by the secret keyword; password combined with service password-encryption gives you type 7.

Type 7 strings can be decoded instantly. Any of the many online type 7 decoders (the screenshot below shows one) reveals joe’s password, and a decoder is only a few lines of code. Treat a configuration that contains type 7 passwords as if it contained them in plaintext: anyone who can view the running configuration (show run, a backup on a TFTP server, a config pasted into a ticket or committed to a repository, SNMP read-write access) has the credentials. Access to such devices should be monitored, both physically and on the network, but the real fix is to replace password with secret so the configuration only stores a hash.

Cracking type 7 password encryption used on Cisco IOS

The flag is RS{S3V3N-1S-B3ST}.
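The decode the website performs is short enough to do locally. Below is an added example, not part of the original write-up or the CTF, that implements the type 7 algorithm in Python and uses it to audit a running-config the way the show run | include searches in Easy 1 did by hand: it pulls out every username, enable and line password, recovers the type 7 and plaintext ones, and leaves the hashed secret entries alone. The XLAT key is the fixed, publicly known key IOS uses; the sample configuration and the passwords in it are constructed for this example, and the hash on the admin line is a placeholder, not a real digest.

```python
"""Decode Cisco type 7 passwords and audit a running-config for weak credentials.

Added example for this write-up; it is not the CTF's, the author's or Cisco's
code. XLAT is the fixed key IOS uses for type 7, which is publicly documented;
SAMPLE_RUNNING_CONFIG is constructed for illustration (the hash in it is a
placeholder, not a real secret).
"""
import re

# Fixed key that IOS XORs type 7 passwords against. Because the key is the
# same on every device, anyone who can read the config can recover every
# type 7 password; this is obfuscation, not encryption.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded):
    """Return the plaintext of a type 7 string such as '070C285F4D06'.

    Layout: two decimal digits giving the starting offset into XLAT, then one
    hex byte per password character, each XORed with the next key byte.
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string: %r" % encoded)
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])  # raises ValueError on bad hex
    return "".join(
        chr(b ^ ord(XLAT[(offset + i) % len(XLAT)])) for i, b in enumerate(body)
    )


def encode_type7(plaintext, offset=0):
    """Inverse of decode_type7. IOS picks the offset (0-15) itself; the caller
    chooses it here so the output is reproducible."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be between 0 and 15")
    out = ["%02d" % offset]
    for i, ch in enumerate(plaintext):
        out.append("%02X" % (ord(ch) ^ ord(XLAT[(offset + i) % len(XLAT)])))
    return "".join(out)


# Matches the credential lines a 'show run | include password' (or 'secret')
# would surface: 'username NAME [privilege N] password|secret [TYPE] VALUE',
# 'enable password|secret [TYPE] VALUE', and a bare 'password [TYPE] VALUE'
# under a line (con/vty) stanza.
CRED_RE = re.compile(
    r"^\s*(?:username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?\s+|enable\s+|)"
    r"(?P<kw>password|secret)\s+(?:(?P<type>\d+)\s+)?(?P<value>\S+)\s*$"
)


def audit_config(config):
    """Return one finding per credential line in a running-config dump.

    kind is 'plaintext' (type 0), 'type7' (reversible), 'hashed' (type 5/8/9
    secret) or 'typeN' for anything else. For the first two the recovered
    plaintext is included: that is exactly what 'show run' hands an attacker.
    The fix is 'username NAME secret ...' and 'enable secret ...' (ideally
    'enable algorithm-type scrypt secret ...'), which store a one-way hash.
    """
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = CRED_RE.match(line)
        if not m:
            continue
        ptype = m.group("type") or "0"  # no type given means plaintext
        value = m.group("value")
        if m.group("kw") == "secret" and ptype in ("5", "8", "9"):
            kind, plain = "hashed", None
        elif ptype == "7":
            kind, plain = "type7", decode_type7(value)
        elif ptype == "0":
            kind, plain = "plaintext", value
        else:
            kind, plain = "type" + ptype, None
        findings.append({"line": lineno, "text": line.strip(),
                         "kind": kind, "plaintext": plain})
    return findings


# Constructed 'show run' excerpt: one properly hashed account and four
# credentials that the configuration gives away.
SAMPLE_RUNNING_CONFIG = """\
!
username admin privilege 15 secret 5 $1$placeholder$notarealhash0000000000
username joe password 7 070C285F4D06
username guest password 0 letmein
enable password 7 03370808145C350D
!
line vty 0 4
 password cisco
 login
!
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_RUNNING_CONFIG):
        print("line %2d %-9s %s" % (f["line"], f["kind"], f["text"]),
              "-> " + f["plaintext"] if f["plaintext"] else "")
```

Every line the audit marks plaintext or type7 is a credential the device hands to anyone who can read its configuration; the hashed entry is the only one that survives disclosure of the config, which is why each weak line should be rewritten with the secret form noted in audit_config.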

Medium 1: It’s not in NVRAM, I’ll tell you that much.

There are three locations to store information on Cisco devices:

  • RAM (Random Access Memory) — holds the IOS image while it runs and the running-config, the configuration the device is currently enforcing. RAM is volatile: anything that exists only there is lost when the device reloads or loses power.

Side note: Cisco devices are designed to run for very long periods without a power cycle, so this is perfectly logical. Changes made to the running configuration are discarded at reboot unless copy running-config startup-config (or the shorthand write memory) is issued, which saves the current configuration into NVRAM, discussed next. Forgetting to do this, and losing every change since the last save at the next reload, is a classic mistake in the network industry.

  • NVRAM (Non-Volatile RAM) — stores the startup-config, the configuration the device loads at boot. copy running-config startup-config writes to it; at power-on the router effectively does the opposite, loading the startup-config from NVRAM into RAM as the running-config. Anything stored here survives a reboot, hence non-volatile.
  • Flash (flash memory) — holds everything else: the IOS image itself, vlans.dat (the VLAN database on switches), and any custom files and directories. Flash is also non-volatile.

The hint rules out NVRAM (the startup-config), and the running configuration was already searched in Easy 1, which leaves flash. List its contents with dir flash: (or show flash:).

Results of the “show flash” command

flag2.txt looks like the flag. Plain IOS can display a file with more flash:flag2.txt; alternatively, terminal shell (term shell) enables IOS.sh, a small shell that supports Unix-like commands such as cat, grep and more. With it enabled, cat flag2.txt prints the file.

Results of the “cat flag2.txt” command

The flag is RS{FIL3S-4RE-H4RD}.

Medium 2: Write Cisco Access Control Lists (ACLs) (signoff)
Instructions: Write a Cisco ACL that permits HTTP, DNS, HTTPS, SSH, IRC, and SMTP out to the Internet, and one that permits responses from all requests and HTTP requests in from the internet.

An Access Control List (ACL) is an ordered list of permit and deny statements that is applied to an interface (a port on the device) in one of two directions: in, filtering traffic as it arrives on the interface, or out, filtering traffic as it leaves. Whether a given packet is permitted or denied therefore depends on both where the ACL is applied and in which direction.

ACLs are evaluated top-down and the first matching entry wins, so put the most specific entries first and the broad ones last; an entry that can never be reached is a sign the list is misordered. Anything that matches no entry is dropped by the implicit deny any at the end of every ACL. Placement matters as well: the usual rule is extended ACLs as close to the source of the traffic as possible (drop unwanted traffic before it crosses the network) and standard ACLs as close to the destination as possible (because they match only on source address, placing them near the source would cut that source off from every destination).

Cisco has two types of ACLs:

  • Standard ACLs filter only on the source address of the traffic.
  • Extended ACLs filter on source and destination address, protocol, and (for TCP and UDP) source and destination port, and can match TCP flags with the established keyword.

This task requires an extended ACL. Each entry in a named extended ACL has the form:

permit|deny tcp|udp <source> [eq <port>] <destination> [eq <port>] [established]

where <source> and <destination> are each any, host A.B.C.D, or an address followed by a wildcard mask (for example 192.168.1.0 0.0.0.255). Both are mandatory, and eq binds to the address it follows: permit tcp any any eq www matches traffic to port 80, while permit tcp any eq www any matches traffic from port 80, which is what replies look like.

<port> is the port number of a service; a quick search for the ports of the services in this challenge is sufficient. IOS knows a limited set of services by name, such as domain (UDP 53), www (TCP 80) and smtp (TCP 25); others, such as HTTPS, are given by number (443). established matches only TCP segments with the ACK or RST bit set, that is, segments belonging to a connection that has already been initiated, so it lets replies back in without allowing new inbound connections. It has no meaning for UDP, which has no handshake, and IOS rejects it on a udp entry. Finally, an ACL does nothing until it is applied to an interface in one direction:

interface <interface>
ip access-group <acl name or number> in|out

The ACLs below satisfy the challenge when applied in both directions on the Internet-facing interface: medium2-out filters traffic leaving toward the Internet and medium2-in filters traffic arriving from it. The inbound list matches replies on their source port (DNS answers come from UDP 53, HTTP replies from TCP 80, and so on) and ends with the one new connection type allowed in from the Internet, HTTP to port 80, which is only useful if an inside web server is reachable through this interface (for example via static NAT).

ip access-list extended medium2-out
 permit tcp any any eq www
 permit udp any any eq domain
 permit tcp any any eq 443
 permit tcp any any eq 22
 permit tcp any any eq 6667
 permit tcp any any eq smtp
!
ip access-list extended medium2-in
 permit udp any eq domain any
 permit tcp any eq www any established
 permit tcp any eq 443 any established
 permit tcp any eq 22 any established
 permit tcp any eq 6667 any established
 permit tcp any eq smtp any established
 permit tcp any any eq www
!
interface GigabitEthernet0/0
 ip address dhcp
 ip access-group medium2-out out
 ip access-group medium2-in in

The flag received for completing this challenge is RS{APPLE-COMPUTERS-LLC}.
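To see the evaluation rules from this section in action, here is an added example in Python (not from the write-up or from Cisco): a small parser for the named extended ACL syntax used above and an evaluator that applies an ACL to synthetic packets top-down, first match wins, implicit deny at the end. It parses the two ACLs from this challenge and, like IOS, rejects an entry that lacks a destination or puts established on a UDP entry. The packet addresses and ports are constructed for the example.

```python
"""Evaluate Cisco-style extended ACLs against synthetic packets.

Added example for this write-up, not code from the CTF or from Cisco. It applies
the rules described above (top-down, first match wins, implicit deny) and parses
only the syntax the Medium 2 ACLs use: any / host / address+wildcard, eq <port>
and established. The ACL text and the packets are constructed for illustration.
"""
import ipaddress
from collections import namedtuple

# Subset of the service names IOS accepts in place of a port number.
PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "ssh": 22, "telnet": 23}

# Packet.ack=True marks any segment after the SYN, i.e. an "established" flow.
Packet = namedtuple("Packet", "proto src sport dst dport ack", defaults=[False])
# Entry.src/dst are (address, wildcard) ints; sport/dport None means any port.
Entry = namedtuple("Entry", "action proto src sport dst dport established text")

def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    if not tokens or tokens[0] in ("eq", "established"):
        raise ValueError("expected an address, got %r" % tokens[:1])
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def _parse_port(tokens):
    """Consume an optional 'eq <port-or-name>'; None means any port."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse one entry, rejecting the mistakes IOS rejects too."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto not in ("tcp", "udp"):
        raise ValueError("unsupported entry: " + line)
    src, rest = _parse_addr(rest)    # source and destination are both
    sport, rest = _parse_port(rest)  # mandatory: 'permit tcp any eq www'
    dst, rest = _parse_addr(rest)    # on its own is a syntax error
    dport, rest = _parse_port(rest)
    established = rest == ["established"]
    if established and proto != "tcp":
        raise ValueError("'established' is only valid for tcp: " + line)
    if rest and not established:
        raise ValueError("unparsed tokens %r in: %s" % (rest, line))
    return Entry(action, proto, src, sport, dst, dport, established, line)

def parse_acl(text):
    """Parse 'ip access-list extended NAME' plus its entries -> (name, entries)."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and l.strip() != "!"]
    head = lines[0].split()
    if head[:3] != ["ip", "access-list", "extended"] or len(head) != 4:
        raise ValueError("expected 'ip access-list extended <name>'")
    return head[3], [parse_ace(l) for l in lines[1:]]

def _match(net, ip):
    addr, wildcard = net  # a set wildcard bit means "don't care"
    return ((ip ^ addr) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(entries, pkt):
    """Return ('permit'|'deny', matching Entry or None); no match = implicit deny."""
    sip, dip = _ip(pkt.src), _ip(pkt.dst)
    for e in entries:  # top-down, first match wins
        if e.proto != pkt.proto or not _match(e.src, sip) or not _match(e.dst, dip):
            continue
        if e.sport not in (None, pkt.sport) or e.dport not in (None, pkt.dport):
            continue
        if e.established and not pkt.ack:  # 'established' = ACK or RST set
            continue
        return e.action, e
    return "deny", None

OUTBOUND = """ip access-list extended medium2-out
 permit tcp any any eq www
 permit udp any any eq domain
 permit tcp any any eq 443
 permit tcp any any eq 22
 permit tcp any any eq 6667
 permit tcp any any eq smtp"""
INBOUND = """ip access-list extended medium2-in
 permit udp any eq domain any
 permit tcp any eq www any established
 permit tcp any eq 443 any established
 permit tcp any eq 22 any established
 permit tcp any eq 6667 any established
 permit tcp any eq smtp any established
 permit tcp any any eq www"""
OUT_ENTRIES = parse_acl(OUTBOUND)[1]
IN_ENTRIES = parse_acl(INBOUND)[1]
# e.g. evaluate(IN_ENTRIES, Packet("tcp", "203.0.113.5", 40000, "192.168.1.10", 22)) -> ('deny', None)
```

Feeding it the packets a browser, a DNS resolver or an outside scanner would generate shows why the inbound list matches on source port: a DNS reply from UDP 53 is permitted, a reply from TCP 443 is permitted only once the ACK bit is set, an unsolicited SYN to port 22 from outside falls through to the implicit deny, and a SYN to port 80 is let in by the final entry. Handing parse_ace the original udp line with established on it, or an entry with no destination, raises the same kind of error IOS would print.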

Hard 1: tpircs lct
Note: Flag will have RC3{} around it. This should be changed to RS{}.

Look around in the file system a bit more. A flag3.tcl file is in the private directory. Tcl (Tool Command Language, pronounced “tickle”) scripts are a common way to automate tasks on Cisco IOS devices, which ship with a Tcl interpreter.

Output of the ‘cd private’ and ‘dir’ commands

Run the script to see what it does. Use the tclsh flag3.tcl command.

Results of the `tclsh flag3.tcl` command with inputs `wyatt` and `RS{`

Since the task to get the flag is not clear, extract the TCL script from the virtual machine by mounting the VMware virtual disk file (.vmdk) to the host PC. This will allow for easier inspection and modification of the script than it would directly on IOS.

Mounting the virtual disk to the host PC
Opening the flag3.tcl file

After copying the file to a writable directory on the host PC, open it. The script is designed to print the flag only when given the correct input, which is unknown, and unfortunately the flag is not hard-coded in any readable form. Since something in the script must produce the flag, search for puts, the Tcl command that writes to the terminal, to find every place the program produces output. There are only three occurrences: one at the top for the name prompt, which isn’t useful, and two at the bottom, which are interesting.

Lines 55–63 of the flag3.tcl script

There is a string comparison on line 58 that checks if the flag is input. Could this be modified to output the flag instead of “try again”?

Change line 61 from

puts "try again"

to

puts [concat $begin[lindex [xsplit2 [lindex $str 0]] 1][lindex [xsplit2 [lindex $str 6]] 0][lindex $str 2][lindex $str 8]$printable]

which is most likely the expression that builds the flag, so that the script prints it regardless of the input. Run the modified script in an online Tcl interpreter to see the result. The output is

Output of the script running in an emulator

The flag is RS{tcl-0.2}.

In Conclusion

Cisco is one of the largest networking vendors in the world, and IOS is its flagship operating system, so people who know it well are always in demand. RIT CSEC students learn the basics of IOS in Intro to Routing and Switching (NSSA-241) and can take Advanced Routing and Switching (NSSA-441) as an elective. Industry certifications such as the CCENT and CCNA Routing and Switching also build familiarity with IOS.

There will be 12 more weeks of challenges coming from RITSEC this semester! If you want to know more about RITSEC check out their website or attend a meeting if you’re on RIT’s campus — 12–4 PM in GOL-1400 for the CTF and presentations. Until next week!

Written by

DFIR, CTFs, disinformation, STEM education, and pretty much anything else that comes to mind. RIT Computing Security ’22.
