# ENOWARS Information
## General info
[Team IPs](https://pastebin.com/raw/SEPS13Fm)
Our vulnbox: `10.1.66.1`. Your SSH public key should already be there so you can ssh in as root. If not, join the [Organizers GitHub org](https://github.com/0rganizers) and ping `gallileo#5466`.
Flag format: `ENO[A-Za-z0-9+/=]{48}`
## Moloch (tcpdumping)
Access via: `ssh -L 8005:localhost:8005 root@49.12.72.122`
Then just connect to http://localhost:8005
user:`moloch`
password: `gofmyr-4qipKe-coqwev`
## Services
### activitytracker (4242)
/services/activitytracker/docker-compose.yml
Some web server/blog thing written in Rust.
### medchat (8010, 8011)
/services/medchat/docker-compose.yml
Backend is probably PHP.
### 3xam (8220, 8221)
/services/3xam/docker-compose.yml
The frontend communicates with the backend over websockets. The packets sent over the websockets are encrypted; the encryption is done in WebAssembly.
Looks like there is a custom ORM.
There are also unit tests included in the backend-internal folder.
`app/orm/model.py` looks like SQL injection: SQL queries are built with Python string formatting (`"%s"` / `.format(stuff)`) instead of bound parameters.
Flags are the usernames; we can probably get them through the scoreboard.
Log of the checker putting the flag:
```sql
INSERT INTO users (`user_type_id`, `name`, `pubkey`) VALUES (2, ENOAQAAAAAAAABCAAAADgAAAKtAV+Z3GdB4vzbk/l2G3u9/VLEb, O4oeDJB2deX/qA6JJk7EzViHA/cwULW6ODB/yd/dtWA=)
```
Flags in 3 places:
- in user table (name field)
- in answers table
- in the logger
### shatranj (8080, 8081, 49153), Owner: dex
Server with frontend and backend; the backend is Java with Gradle as build system, the frontend is React.
Probably a multiplayer chess game.
Flags are the winners of past games.
They can be accessed through GET /api/pastgames
/services/shatranj/docker-compose.yml
### orcano (53273), Owner: aylmao
Crypto stuff (the only requirement is pycryptodome, and there are references to OTP).
/services/orcano/docker-compose.yml
Two files:
- A Python file
- A dolphin file (allegedly)
MP me for the files on Discord
The service:
- Command line interface for the clients
- Running asynchronously
- Saves a lot of files in the _data_ folder
### file-share (8001, 49154), Owner: galli-leo
/services/file-share/docker-compose.yml
C#, WebAssembly, Blazor
Possible DoS: image conversion accepts files up to INT32_MAX (probably not allowed to exploit :()
**PATCHED**
Also patched normal file upload; max is now 10 MB.
Possible vuln in conversion process:
filenames not escaped when passed to ImageMagick.
Maybe not; not entirely sure if the escaping is correct.
OK, filenames are not escaped, leading to path traversal. I patched it a bit shittily but it should hopefully work.
Uses JWT for auth:
```json
{
"alg": "RS256",
"kid": "Development",
"typ": "at+jwt"
}
```
Development sounds bad lol
Seems like Development is OK; it should create a fresh key every reboot.
Requests to 10.1.66.1:8001/api/fileshare/supersecret.svg: not sure if that is the flag or not.
Yep, it contains the flag.
### stldoctor (9090), Owner: Nspace
`/services/stldoctor/docker-compose.yml`
Looks like something that works with STL files, written in C. Looks like a pwn challenge. [STL](https://en.wikipedia.org/wiki/STL_(file_format)) is a file format for 3D CAD models.
A flag is saved in the model file and sometimes also in the info file.
The flag in the model file is the name of the solid.
The command that gives you access to those is `search`.
You can log in once, and when you do that, the result directory is set to `$RESULTDIR/.{hash of password}`.
You can upload models without logging in (models are then saved in `$RESULTDIR`) or as a logged-in user (in which case they are saved in `$RESULTDIR/.{hash of password}`).
When logged in, the name of a model is `.{model hash}-{timestamp}`.
When NOT logged in, the name of a model is `{model hash}-{timestamp}`.
When saving a model, the model is written to `{modeldir}/model` and the info to `{modeldir}/info`.
Search:
* asks you for a model name
* hashes the model name
* opens `{RESULTDIR}/.index` and checks if any of the lines matches the hash; if so, prints the line and increments reflen
* if no matching lines, exits
* asks you to enter a name and then gives you that file; the name may only contain hex chars, dot and dash
* calls `handle_download({RESULTDIR}/{name})`: possible path traversal here
* first of all, we can get a model uploaded by a non-logged-in user as long as we know its hash and timestamp
* `handle_download` checks if there is an info file and prints it -> flag here
* so basically we need a way to get the model hashes/timestamps
* the hash that is used to save the model is the
The first bug is that the function that reads the model info back compares the return value of `getc` with `EOF` after it has been truncated to a `char`, so we can trick it into believing it has hit EOF by adding a `\xff` byte (which becomes -1, the value of `EOF`).
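The getc/EOF truncation described above, as an added example that is not stldoctor's code: a constructed info line is read back once by a reader that stores getc's int result in a signed char before the EOF compare (the buggy pattern) and once by a corrected reader. The `open_bytes` helper, the `INFO_LINE_MAX` limit and the sample line are assumptions made for illustration; the page does not say what the early EOF buys you in the real service, only that it is the first bug.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not stldoctor's code: the getc()/EOF truncation bug noted
   above, reproduced on a constructed info line. File layout, helper names and
   the sample bytes are assumptions for illustration. */

#define INFO_LINE_MAX 64

/* Constructed info record: a solid name, then a 0xFF byte, then more data on
   the same line. In the real service the name after "solid" would be a flag. */
static const unsigned char SAMPLE[] = "solid ENO_example_flag\xff trailing data\n";

/* Write the bytes to a temporary file and rewind, so they can be read back
   with getc() the way a service re-reading its own model/info files would. */
static FILE *open_bytes(const unsigned char *data, size_t len) {
    FILE *f = tmpfile();
    if (f == NULL) return NULL;
    if (fwrite(data, 1, len, f) != len) { fclose(f); return NULL; }
    rewind(f);
    return f;
}

/* BUGGY reader: getc() returns an int, but the value is stored in a signed
   char before the EOF compare. Byte 0xFF becomes -1 == EOF, so reading stops
   there even though the line continues. Returns the number of bytes copied. */
size_t read_line_buggy(const unsigned char *data, size_t len, char *out, size_t outsz) {
    FILE *f = open_bytes(data, len);
    size_t n = 0;
    signed char c;  /* plain char is signed on x86; made explicit so the demo is deterministic */
    if (f == NULL) { out[0] = '\0'; return 0; }
    while ((c = (signed char)getc(f)) != EOF && c != '\n' && n + 1 < outsz)
        out[n++] = (char)c;
    out[n] = '\0';
    fclose(f);
    return n;
}

/* FIXED reader: keep getc()'s int result; only the real end of stream is EOF,
   and 0xFF (255) is just another byte on the line. */
size_t read_line_fixed(const unsigned char *data, size_t len, char *out, size_t outsz) {
    FILE *f = open_bytes(data, len);
    size_t n = 0;
    int c;
    if (f == NULL) { out[0] = '\0'; return 0; }
    while ((c = getc(f)) != EOF && c != '\n' && n + 1 < outsz)
        out[n++] = (char)c;
    out[n] = '\0';
    fclose(f);
    return n;
}

int main(void) {
    char buf[INFO_LINE_MAX];
    size_t n;

    n = read_line_buggy(SAMPLE, sizeof(SAMPLE) - 1, buf, sizeof buf);
    printf("buggy: read %zu bytes: \"%s\"\n", n, buf);   /* stops before the 0xFF */

    n = read_line_fixed(SAMPLE, sizeof(SAMPLE) - 1, buf, sizeof buf);
    printf("fixed: read %zu bytes (byte 22 is 0x%02x)\n", n, (unsigned char)buf[22]);
    return 0;
}
```

The buggy reader stops after the 22-byte solid name, while the fixed one reads the whole 37-byte line with the 0xFF byte at offset 22; anything the service does with "what comes after the name" is therefore skipped by the first reader.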
### gosship (2222), Owner: cyanpencil
Probably a chat service in Go.
/services/gosship/docker-compose.yml
* connect to it with `ssh <user>@10.1.66.1 -p 2222`
* `<user>` can be chosen arbitrarily, but on the first connect the first public key ssh finds is associated with the chosen username
Is this based on [ssh-chat](https://github.com/shazow/ssh-chat)?
## Destructive Ranch
[Web interface](http://ranch.anize.rs/) for it; should your DNS not work, use [this IP](http://34.65.235.194/) directly.
The login username is _root_ and the password is _L6ingx@R&bnn9&n4_.
[GitHub](https://github.com/0rganizers/DestructiveRanch) has documentation on how to use start_sploit.py and so on.
## Firewalling
The following DNATs are being set up:
```
tcp dpt:9090 to:172.17.5.2:9000
tcp dpt:53273 to:172.17.3.2:53273
tcp dpt:2222 to:172.17.8.2:2222
tcp dpt:8220 to:172.17.9.5:80
tcp dpt:8221 to:172.17.9.6:5000
tcp dpt:8010 to:172.17.1.4:8080
tcp dpt:8011 to:172.17.1.5:80
tcp dpt:8005 to:172.17.10.2:8005
tcp dpt:8001 to:172.17.4.4:80
tcp dpt:49156 to:172.17.4.4:80
tcp dpt:4242 to:172.17.6.3:4242
tcp dpt:49168 to:172.17.19.2:3306 # ephemeral mysql, should be removed after patch
tcp dpt:8081 to:172.17.20.2:80
```