Sunday, May 24, 2015

HUST Festival - Network 300 Challenge

HUST festival was this weekend and we participated although many parts of the festival were Korean language, they made a great effort to put English clues in for all the challenges.

This challenge was one of the earliest available so we tackled it first. It was pretty much just a PCAP file with instructions to connect to an IP address on port 22.

We downloaded the file, unzipped it and found the PCAP to be pretty large in size:

root@mankrik:~/hust/net300# unzip 
  inflating: league_of_access.pcap   
root@mankrik:~/hust/net300# file league_of_access.pcap 
league_of_access.pcap: pcap-ng capture file - version 1.0
root@mankrik:~/hust/net300# ls -lah league_of_access.pcap 
-rw-r--r-- 1 root root 9.1M May 22 15:09 league_of_access.pcap

Whenever I have a bigger PCAP I use a Windows program called Network Miner to get a graphical overview of different attributes of the traffic in the PCAP. Network Miner needs a PCAP file (i.e. not a PCAP-NG file) so I used Wireshark to "Save As" a PCAP file before importing it into Network miner.

In Network Miner, I used the Session window to sort the connections found in the PCAP by different attributes. I sorted by "Server Port" column to notice that the user conducted a port scan against the target server

I then checked the SSH connections and noted the timestamps of the connections. I noted that the final SSH connection attempts happened some minutes after the port scan completed.

I then examined some of the other tabs in Network miner. In the Parameters window I noticed quite a few Referrer entries from a Russian blog post about "port knocking":

I also found some more "port knocking" hints in the DNS tab:

Lastly, there was a couple of other things I noted in the images tab, a few items mentioning "hidden files":

Ok so now I feel it's time to switch over to Wireshark because I have a good idea of the method of attack here:

  1. Port knocking, to open an SSH port
  2. Hidden files on the host

In Wireshark I setup a filter to just examine traffic to/from this host in question:

  • "ip.src == or ip.dst =="

Next, I scrolled down to the Frame #'s shown during the Network Miner investigation to see if the user was able to successfully get that SSH fired up.

First I double checked that the user was still getting failed SSH connections, and at Frame # 10905 & 10932 I see a failed connection attempt.

Then later, at frame 10967 & 10968 a successful connection is found:

So what changed between 10905 and 10967? Well we're thinking port knocking so let's see if we can see a weird bunch of connection attempts before this and see the following:

At this point im not 100% sure which of these are port knocking and which is just coincidental traffic. So I decided to try all of it. I came with the following command line:

root@mankrik:~/hust/net300# nmap -sS -p T:80,4523,2351,2351,4523,443; ping -c 1 -t 1; icmpush -tstamp -seq 0 -id 13970 -to 1; ssh you@

Which actually worked first go. So either I got right or I got lucky.

Anyway, once on the server getting the flag was pretty simple. Using the clue of "hidden" files I expected there to be a file beginning with "." and sure enough there was:

-bash-4.1$ find
-bash-4.1$ id
uid=500 gid=500(you) groups=500(you)
-bash-4.1$ cat .bashc

+++++++|                 |++++++++
+++++++| Hari60_iz_B3s+! |++++++++
+++++++|                 |++++++++
-bash-4.1$ exit

1 comment:

  1. Your article very helpful for me about the DEFCON Conference which i was searching but your blog providing me allot of information thank you.

    DEFCON Conference