Week 5

d0nut
6 min read · Jun 19, 2017

This week is going to be a little special. If you were not aware, Google held a CTF (Capture The Flag) event this weekend. Having competed in two CTF events in the past (PicoCTF), I figured that it would be a good use of time trying out Google’s. I joined a team of some of the security engineers from where I work and we got ready for the competition when it started last Friday.

To put it plainly, we got our asses kicked.

Out of the thousands of teams who participated, only 116 teams (as of writing) completed the second easiest task: “Joe”. This was one tough cookie. After my team and I tried valiantly to get more points, we ended up calling it quits. With our heads hung low we picked up Wendy’s, watched John Wick 2, and ended up doing two machines from Pentesterlab.com.

So, without further ado, I’ll introduce the material that we’ll be covering:

  • The one challenge (Mind Reader) our team was able to complete in Google’s CTF
  • TCPeek — A utility I started writing to learn more about Scapy, NetfilterQueue, and packet manipulation.
  • The SQLi to Shell Pentester lab VM
  • The PHP Include and Post Exploitation Pentester lab VM.

Mind Reader

The first thing you get when you look at mind reader is this page:

All we have is a text box. Let’s try reading “your mind”.

If you look in the URL, we have the string we entered in. The f parameter sounds like that’s supposed to represent a file. Let’s try index.html to see if it just resolved to the page.

Nice! So this is a file. We can be reasonably sure that this is running Linux as we can see nginx in the response headers. Let’s try a file that everyone should have read access to… like /etc/passwd (From Week 2).

Awesome! Look at all these accounts. Looking through them I don’t really find any accounts that we might be able to SSH into. I guess that’s not the point of this exercise. I wonder where that file is… I know that if I could execute commands here then perhaps I would be able to use locate [file] and start guessing stuff like flag.txt or mind.txt and the like. After some research, I learned that locate keeps a database of the entries under some key locations. I ended up trying a few and got no results. I’m guessing updatedb was never executed.

Well, I’m still not sure what the server stack is for this application and that might be helpful. I’m going to look at the command line entry for the current process to see if it can tell me.

This is interesting. It’s forbidden, not Not Found. I tried some other paths and they all were forbidden. In fact… even fictitious paths were forbidden as long as the word “proc” was in them. So whatever we need, we’ll find it there I assume. This is not Linux permissions blocking us, this is the service itself through some sort of regex.

What do you do if the front door is closed? Try the back! We need to find some alternative way into /proc/ without using “proc”. We can try symbolic links. find has a nice flag you can use to find symbolic links called -lname. Let’s use it on a reference Linux machine so we can see if we can find a symbolic link to something in /proc/.

find / -lname '/proc/*'

Well that spit out a lot of errors. Let’s correct our command to find / -lname '/proc/*' 2>/dev/null.

This will take all of the stderr output and throw it into /dev/null (essentially a data trashcan). This way, we won’t see it on the console.

find / -lname '/proc/*' 2>/dev/null

Well there are a lot of choices here. We can’t use anything with proc in it so let’s try /dev/fd and see where that takes us.

Right into /proc/self/fd! Nice! Let’s check the environment variables of this process with a relative path (/dev/fd/../environ).

There it is! We ended up completing Joe after the CTF was over but I won’t be going over it as I did not complete it in time. GG, Joe.
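The bypass above works because the filter looks at the request string while the kernel resolves the /dev/fd symlink first and only then applies the "..", so the path that is actually opened contains "proc" even though the request never did. The Python below is an added illustration, not code from the post or from the challenge: it builds a throwaway directory tree (constructed, with www/index.html, proc/self/environ, and a dev/fd symlink standing in for the real /dev/fd -> /proc/self/fd) and compares the substring blocklist with a canonicalize-then-allowlist check.

```python
"""Substring blocklist vs. canonical path check.

Added illustration, not code from the post or the challenge. The Mind
Reader service refused any request containing "proc", yet /dev/fd/../environ
reached /proc/self/environ: the kernel resolves /dev/fd to /proc/self/fd
first and only then applies "..", so the string never contains the banned
word. The fixture below is a constructed, throwaway copy of that layout.
"""
import os
import tempfile


def blocklist_allows(requested, banned=("proc",)):
    """The weak check: look for banned words in the raw request string."""
    return not any(word in requested for word in banned)


def canonical(fakefs, requested):
    """What would actually be opened: treat fakefs as '/' and resolve every
    symlink and '..' the way the kernel does, before any access decision."""
    root = os.path.realpath(fakefs)
    return os.path.realpath(os.path.join(root, requested.lstrip("/")))


def allowlist_allows(fakefs, requested, public="www"):
    """The sound check: resolve first, then require the real target to sit
    under the one directory the application is meant to serve from."""
    real_public = os.path.realpath(os.path.join(fakefs, public))
    target = canonical(fakefs, requested)
    return os.path.commonpath([real_public, target]) == real_public


def compare(fakefs, requested):
    """Return (blocklist verdict, allowlist verdict) for one request."""
    return (blocklist_allows(requested), allowlist_allows(fakefs, requested))


def build_demo_tree():
    """Constructed fixture mirroring the relevant parts of the target:
        www/index.html             the page the app is supposed to serve
        proc/self/environ          the sensitive file behind the filter
        dev/fd -> ../proc/self/fd  the symlink that defeats the substring check
    """
    fakefs = tempfile.mkdtemp(prefix="mindreader-demo-")
    os.makedirs(os.path.join(fakefs, "www"))
    os.makedirs(os.path.join(fakefs, "proc", "self", "fd"))
    os.makedirs(os.path.join(fakefs, "dev"))
    with open(os.path.join(fakefs, "www", "index.html"), "w") as fh:
        fh.write("<h1>mind reader</h1>\n")
    with open(os.path.join(fakefs, "proc", "self", "environ"), "w") as fh:
        fh.write("FLAG=constructed-sample-value\n")  # constructed, not the real flag
    os.symlink(os.path.join("..", "proc", "self", "fd"),
               os.path.join(fakefs, "dev", "fd"))
    return fakefs


if __name__ == "__main__":
    fs = build_demo_tree()
    for req in ("/www/index.html", "/proc/self/environ", "/dev/fd/../environ"):
        block, allow = compare(fs, req)
        print(f"{req:22} blocklist={'pass' if block else 'deny':4} "
              f"allowlist={'pass' if allow else 'deny':4} -> {canonical(fs, req)}")
```

The third request is the one from the challenge: the blocklist passes it and the allowlist denies it, because the decision is made on the resolved target rather than on the characters the client chose to send.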

Anyway, lots of stuff to cover. Next!

TCPeek

If you remember from Week 4, I covered Arpspoofing and Wireshark. I was going to also show dnsspoof and arpspoof but with time constraints I didn’t end up doing that. One burning question when I was playing with dnsspoof is “How could I actually write a program to intercept the packets on the wire and manipulate them before they get forwarded to their destination?”.

I had no idea.

I ended up doing hours of research into open source projects and eventually found some examples of a library called NetfilterQueue and another called Scapy. I ended up writing a tool with these two libraries. It’s not very good and still has some issues, but it “works” for the most part and is demoable.

To make up for it, I wrote my own tool that allows me to manipulate packets on the wire.

I stop and show at multiple points that, despite my typing in the user 123456789101112, it replaces it with anonymous for the FTP login. If you monitor Wireshark you’ll see that there are still some issues with it. I have some ideas on how to improve the Scapy manipulation code but for now, I’m just happy I have a better understanding of how a tool like this might work.

The source is very sloppy. I might come back and make this a usable tool but for now, I am just happy it “works”.

Side note: If you have problems connecting to the internet after using TCPeek, just manually execute iptables -F OUTPUT. If you don’t use a keyboard interrupt to close TCPeek, it won’t properly release the OUTPUT chain. Keep in mind that -F flushes every rule in the OUTPUT chain, not just the one TCPeek added, so re-add any rules of your own afterwards.

SQLi to Shell

So after we were crushed by Google’s CTF, we did some Pentester Lab VMs. They have really awesome guides to follow if you want to learn how to pwn the boxes. For this first machine I followed the guide to see what doing that would be like. I did the second machine without assistance.

Here’s a video of how I would go about getting shell on this machine. I’ll stumble around a little but that’s because I’m trying to figure it out (again) instead of following a guide.

PHP Inclusion to Post Exploitation

Also really fun! I originally did this without a guide. For the video, I was going to show off Nikto from Week 3 but I accidentally “discovered” the vulnerability and I felt it would be a bit of a waste of time to just use Nikto anyway.

Closing Remarks

  1. Google’s CTF was HARD this year
  2. I want to do more CTFs. I think I’ll make them a more regular part of my writing (once a month at most).
  3. Pretty exhausted from working on TCPeek (Lots of issues; that could be a series on its own!)
  4. Ready to get back to the book. I’ll do another lab for next week too; these are fun. I’ll record myself doing one without looking at the course material; it’ll be a long video…

See ya next week!
