10.12
Louisville InfoSec CTF Event – 2nd Place
By: chris
Image from http://www.louisvilleinfosec.com
On October 8th, I attended the 7th Annual Louisville InfoSec Conference @ Churchill Downs in Louisville, KY. During the conference I participated in the 1st annual capture-the-flag event put on by IronGeek (Adrian Crenshaw). I ended up coming in 2nd place, and I had a great time with it.
Let me first say that IronGeek did a great job putting on a creative, reliable, and challenging CTF. The 1st place finisher was a team of four from SecureState out of Cleveland, OH, led by Dave Kennedy. Dave and another of his teammates are lead developers for the BackTrack project, and Dave developed Fast Track as well. Needless to say, this team was very talented and deserved every bit of the 1st place spot. I had the opportunity to speak with Adrian and Dave after the event for a while, and they are both very knowledgeable and friendly guys.
I just wanted to briefly outline the CTF event and what steps I took to complete it:
- The first flag was to find and associate with a hidden SSID. Luckily, there was a client associating with the hidden SSID when I started my monitoring with Kismet. It quickly revealed the SSID, which I then attached to.
- The second flag was to locate a Windows box with the hostname of WinCTF and list 5 open ports. I found the box using Nmap 5.00. Even using just the -sP flag, it will still display the hostname if it can find it. I used -sT since I wanted speed and was not concerned with stealth, as well as -A to discover service and OS versions. Also, I only scanned the first 100 IP addresses to shorten the time it took, because I noticed the DHCP address I received was in the 101-254 range.
- The third flag was to locate an x86 Linux box and list 2 open ports. I did this the same way I found the Windows box.
- The fourth flag was to find the intranet web server and what type and version of webserver it was running. This was once again done with Nmap, using the -A flag to discover the type of web server as well as version.
- The fifth flag was to discover the Administrator password of the WinCTF box. One of the ports open on that box was 445, which was vulnerable to MS08-067. I used Metasploit to drop the Meterpreter payload on it. Then I used the hashdump function of Meterpreter to retrieve the LM hashes of the user accounts. Crackers such as John and Cain could do the trick in time, but for speed's sake, I submitted the LM hashes to www.plain-text.info, which has a large database of cracked hashes. Luckily for me, two of the three user account passwords were found this way, including the Administrator password!
- The sixth flag was to find the root password of the x86 Linux box. The box itself had no vulnerable services running, at least that I knew of, so I began to try the two account credentials I had discovered on the Windows box. As it turned out, both boxes used the same credentials, and so the root password was the same as the Administrator password. Also, the other user, "greg," could SSH into the Linux box and had sudo privileges. This was another route to root.
- The seventh flag was to find and copy off a TrueCrypt volume to our local machine. I used locate to find the .tc file on the Linux box. Since the intranet web site was running from this box, I copied the .tc file to the webroot of the server and downloaded it through my browser. Many other ways to get the file were possible, but this was the fastest that I could think of.
- The eighth flag was to find the password to the .tc file. This was where things got interesting. TrueCrypt volumes, if used correctly, use a very strong encryption method. I didn't feel that trying to brute-force the file would be successful, and so I began to look for a different way. I tried the two passwords I had discovered thus far, but neither worked. I browsed to the intranet web site, and there I found a SQL injection vulnerability that allowed me to log into the site by bypassing the login mechanism. From here I realized that a backend database existed for this site, so I SSH'd back into the Linux box, viewed the source code for the website, which contained the database login credentials, and was able to log into the database using the mysql client. In here I discovered the login credentials for three users: admin, john, and greg. I tried each of these passwords against the .tc file, but none of them worked. I continued to look through the table data in the MySQL database until I found a sort of notes board for each user. It was here that the user "john" had placed his password for the .tc file so he would remember it. I used that password and was able to mount the TrueCrypt volume and continue on.
- The ninth flag was to find the username/password for a non-x86-based Linux box. The only other device I could find in my scanning was an IP webcam, so this had to be it. It was running a web server, so I browsed to it, but it seemed secure. Also, the FTP and HTTP services were not vulnerable to any known exploits. It was here that many of the other competitors, as well as myself, got stuck. Finally, a hint was given about the communication between the IP webcam and the Linux server. This gave me the idea to use ettercap to man-in-the-middle the connection and see if the credentials were sent in plain text. The web server used Basic authentication when communicating with the IP camera. I used an online Base64 decoder to discover the login to the IP camera's web server.
- The tenth flag was to find the password to a protected 7zip archive which was located in the TrueCrypt volume. I began by trying to use rarcrack to brute-force the password, but at 6 passwords a second, it was going to take a while. However, in the data from the intranet website's notes board, the user greg said he kept his password on a post-it note on his monitor. I went back to the IP webcam, rotated the camera some, and sure enough, there was the sticky note with the password on it, taped to the monitor.
- The eleventh and final flag was simply to open the 7zip file with the password found by the webcam and open a .csv file which contained some very confidential information. What a great event!
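The fifth flag turned on the fact that LM hashes can be looked up rather than cracked. The following is an added example (my own code, not part of the original write-up or any tool used in the CTF) that parses Meterpreter/pwdump-style hashdump output and works out, per account, what the LM hash already gives away. The sample hashdump text and every hash value in it are constructed for the demo; the only real constants are the well-known empty-LM (aad3b435b51404ee...) and empty-NT (31d6cfe0...) values. The key point it shows: each 16-hex-character LM half is an independent DES output over an upper-cased 7-character chunk of the password, so each half can be submitted to a lookup table on its own, and a second half equal to the empty constant means the password is at most 7 characters.

```python
import re

# Values Windows stores when no LM or NT hash is present (hash of the empty string).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# Each LM half is DES of a fixed constant under a 7-byte key derived from that half
# of the password; a null (padding-only) half gives this value, so a second half equal
# to it means the password is 7 characters or shorter.
EMPTY_LM_HALF = EMPTY_LM[:16]

# Constructed pwdump-format sample (user:rid:lm:nt:::); the hashes are made up.
SAMPLE_HASHDUMP = """\
Administrator:500:1a2b3c4d5e6f7a8baad3b435b51404ee:9f8e7d6c5b4a39281706f5e4d3c2b1a0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
greg:1001:0123456789abcdeffedcba9876543210:00112233445566778899aabbccddeeff:::
john:1002:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
"""

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_hashdump(text):
    """Return a list of dicts for every well-formed hashdump line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blanks and anything that is not pwdump format
        user, rid, lm, nt = m.groups()
        records.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return records


def analyze_lm(lm):
    """Describe what an LM hash gives away before any cracking is attempted."""
    lm = lm.lower()
    first, second = lm[:16], lm[16:]
    return {
        "stored": lm != EMPTY_LM,
        "halves": (first, second),
        "at_most_7_chars": lm != EMPTY_LM and second == EMPTY_LM_HALF,
    }


def plan_attack(records):
    """Split accounts into LM-lookup candidates, NT-only accounts and blank passwords.

    Every LM half that is not the empty constant can be submitted to a lookup
    table on its own; matching both halves recovers the case-insensitive password.
    """
    lm_lookups, nt_only, blank = set(), [], []
    for r in records:
        if r["lm"] == EMPTY_LM and r["nt"] == EMPTY_NT:
            blank.append(r["user"])  # empty password (both hashes are of "")
            continue
        info = analyze_lm(r["lm"])
        if info["stored"]:
            lm_lookups.update(h for h in info["halves"] if h != EMPTY_LM_HALF)
        else:
            nt_only.append(r["user"])  # only the NT (MD4) hash is available
    return {"lm_halves": sorted(lm_lookups), "nt_only": nt_only, "no_password": blank}


if __name__ == "__main__":
    recs = parse_hashdump(SAMPLE_HASHDUMP)
    for r in recs:
        print(r["user"], analyze_lm(r["lm"]))
    print(plan_attack(recs))
```

Accounts that come back with the empty LM value but a real NT hash (john in the sample) are the ones an LM lookup site cannot help with; those need the NT hash cracked directly.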
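For the seventh flag, locate found the container by its .tc extension; that only works when the owner left the extension in place. The following is an added example (my own code, not from the write-up) of the extension-agnostic heuristic a practitioner falls back on: a TrueCrypt container is random from byte 0 (a 64-byte salt followed by an encrypted header), carries no magic bytes, and its size is always a multiple of 512. The sample directory tree, file names and contents are constructed inside the code; the entropy threshold and the magic list are my own choices and will produce false positives on other headerless encrypted or random data, so treat hits as candidates to try, not proof.

```python
import math
import os
import tempfile

SECTOR = 512
SAMPLE_BYTES = 1 << 20   # entropy is measured over at most the first 1 MiB
ENTROPY_THRESHOLD = 7.9  # bits per byte; ciphertext and compressed data sit near 8.0

# Common formats that are also high-entropy but carry a recognizable header.
KNOWN_MAGIC = (
    b"\xff\xd8\xff",        # JPEG
    b"\x89PNG",             # PNG
    b"\x1f\x8b",            # gzip
    b"PK\x03\x04",          # zip / docx / jar
    b"7z\xbc\xaf\x27\x1c",  # 7-Zip
    b"%PDF",                # PDF
    b"\x7fELF",             # ELF
    b"Rar!",                # RAR
)


def shannon_entropy(data):
    """Bits of entropy per byte of the empirical byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_truecrypt_candidate(path):
    """Heuristic: sector-aligned size, no known magic, near-maximal entropy."""
    size = os.path.getsize(path)
    if size == 0 or size % SECTOR != 0:
        return False
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    if head.startswith(KNOWN_MAGIC):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def find_candidates(root):
    """Walk root and return paths that look like encrypted containers."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                continue
            try:
                if is_truecrypt_candidate(p):
                    hits.append(p)
            except OSError:
                pass  # unreadable file; keep walking
    return hits


def build_sample_tree(root):
    """Constructed test data: one container-like file among ordinary files."""
    files = {
        "notes.txt": b"meeting notes: remember to change the camera password\n" * 200,
        "reports.dat": os.urandom(64 * SECTOR),       # random, sector-aligned: candidate
        "scratch.bin": os.urandom(3000),              # random but not a multiple of 512
        "photo.jpg": b"\xff\xd8\xff" + os.urandom(64 * SECTOR - 3),  # high entropy, known magic
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)


def demo():
    """Build the sample tree in a temp directory and return candidate file names."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return sorted(os.path.basename(p) for p in find_candidates(root))


if __name__ == "__main__":
    print(demo())  # ['reports.dat']
```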
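The eighth flag chained two weaknesses in the intranet site: a login form that could be bypassed with SQL injection, and a users table holding plaintext passwords. The following is an added example (my own code, not the CTF site's source) that puts the vulnerable and the fixed login side by side against an in-memory SQLite database so both can be run offline. The user names match the write-up, but the passwords are constructed; the site's real stack was MySQL, and the tautology and comment payloads shown behave the same way there.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed credentials for the demo; the CTF's real ones are not reproduced here.
USERS = {"admin": "adm1n-pass", "john": "j0hnsPass", "greg": "gregs-pass"}
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random salt; returns 'hexsalt$hexhash'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def setup_db():
    """In-memory database with the same users stored two ways: users_plain mirrors
    the CTF site (plaintext passwords), users_hashed is the fix."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (username TEXT, password_hash TEXT)")
    for user, pw in USERS.items():
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (user, pw))
        conn.execute("INSERT INTO users_hashed VALUES (?, ?)", (user, hash_password(pw)))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: user input becomes SQL. Returns the matched username or None."""
    query = (f"SELECT username FROM users_plain "
             f"WHERE username = '{username}' AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized lookup plus hash verification: input is data, never SQL."""
    row = conn.execute(
        "SELECT password_hash FROM users_hashed WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    conn = setup_db()
    # Honest login works in both versions.
    print(login_vulnerable(conn, "john", USERS["john"]), login_safe(conn, "john", USERS["john"]))
    # Classic bypasses: a tautology in both fields, or a comment that drops the password check.
    print(login_vulnerable(conn, "' OR '1'='1", "' OR '1'='1"))  # first row: admin
    print(login_vulnerable(conn, "admin'-- ", "whatever"))        # admin
    # The same payloads against the parameterized version simply match no user.
    print(login_safe(conn, "' OR '1'='1", "' OR '1'='1"), login_safe(conn, "admin'-- ", "whatever"))
```

The hashed table also addresses the second half of the chain: with the source code and database credentials in hand, an attacker who dumps users_hashed still has to crack each password rather than read it, and the site-wide plaintext reuse that later handed over the SSH and sudo users would not have been visible.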
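The ninth flag fell to a man-in-the-middle because HTTP Basic authentication is nothing more than base64(user:password) sent with every request. The following is an added example (my own code, not from the write-up) that does the decoding step the online Base64 decoder did, but over a whole captured stream: it pulls every Basic credential out of the request/response bytes an ARP-spoofing MITM such as ettercap would hand you, and lists the realms the camera challenged with. The capture is constructed inline (the address 192.0.2.50 and the admin/cam1234 credential are made up for the demo); the ARP spoofing itself is not shown.

```python
import base64
import re

# Constructed capture of the traffic between the intranet server and the IP camera.
# No real devices; the address and credential are invented for the demo.
SAMPLE_STREAM = (
    b"GET /snapshot.jpg HTTP/1.1\r\n"
    b"Host: 192.0.2.50\r\n"
    b"\r\n"
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"WWW-Authenticate: Basic realm=\"IP Camera\"\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
    b"GET /snapshot.jpg HTTP/1.1\r\n"
    b"Host: 192.0.2.50\r\n"
    b"Authorization: Basic YWRtaW46Y2FtMTIzNA==\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

AUTH_RE = re.compile(
    rb"^(Authorization|Proxy-Authorization):\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
REALM_RE = re.compile(rb'^WWW-Authenticate:\s*Basic\s+realm="([^"]*)"',
                      re.IGNORECASE | re.MULTILINE)


def basic_header(username, password):
    """Build the header value a client sends; shows how little 'encoding' Basic is."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def extract_basic_credentials(stream):
    """Return (header, username, password) for every Basic header in a captured stream.

    Basic auth carries no secret beyond the credential itself, so anyone on the
    path can read it unless the connection is wrapped in TLS.
    """
    found = []
    for m in AUTH_RE.finditer(stream):
        header, token = m.group(1).decode(), m.group(2)
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except ValueError:
            continue  # malformed token (binascii.Error is a ValueError); ignore
        user, sep, password = decoded.partition(":")
        if not sep:
            continue  # not user:password form
        found.append((header, user, password))
    return found


def realms(stream):
    """Realms the server challenged with; a Digest challenge would not appear here."""
    return [m.group(1).decode() for m in REALM_RE.finditer(stream)]


if __name__ == "__main__":
    print(realms(SAMPLE_STREAM))
    for header, user, password in extract_basic_credentials(SAMPLE_STREAM):
        print(f"{header}: {user} / {password}")
```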
