13
Oct
2013

ebCTF: NET100 “index.php?-s”

OMG, Eindbazen got hacked. Can you figure out what this evil hacker did?

This was an easy challenge, and pretty straight forward what to do. It was meant to be solved by a lot of teams, and they did, 145 teams managed to solve it. There are a lot of write-ups for this challenge, so I will explain in short what was the intended solution.

This challenge existed of a pcap file which contains the key somehow. Following the streams in this PCAP file shows us what the attacker did:

  • exploit a webserver using the Eindbazen ?-s php bug
  • starting a meterpreter session
  • inserts a public key in the .ssh/authorized_keys file
  • use SSH to connect to the machine
  • download a file rootkit.zip

Besides this traffic, we also see a UDP Session which contains something like keylog information. If we extract the rootkit.zip from the pcap (using Wireshark, or even easier open the pcap file with 7zip) we see that this file contains a flag.txt which is password protected.

The password can be found in the UDP stream. Follow the stream in wireshark and search for rootkit (or unzip), and you will see the password back in the stream: alongpassword1234

Extract the rootkit.zip and get the flag:

Instead of a rootkit we will just give you a flag: ebCTF{b78dc61ce895a3856f3520e41c07b1be}

There are a lot of writeups using this solution, but one writeup used another solution, which was not intended, but makes use of the Debian SSH PRNG bug. The victim system was based on Ubunu 7.10 which contains this bug. The choice for Ubuntu 7.10 was because we needed a system vulnerable for the PHP ?-s bug and where we could compile Sebek on (Sebek was used for the key logging). Kudo’s for this solve.

Source can be found on: https://github.com/asby/ebctf

Comments are closed.