2020 Metasploit Community CTF Write-up

This past weekend I organized a team of coworkers for a little time… ok, a lot of time… of team building and fun with technical hacking challenges. I've enjoyed past editions and looked forward to this one. They feel more real-world than some of the other CTFs I've participated in.

[Image: Metasploit Community CTF]

The SETUID Ace of Clubs (port 9009)

This challenge started with an unknown login to a server. Log in as admin to get started. Turns out, everyone's favorite admin/password worked. No tricks, I just guessed. Once logged in, I looked around manually for anything interesting. Later I found some useful CTF and Linux privilege-escalation scripts that will help in the future. I soon found that we have an ace_of_clubs.png in the /etc folder, and an interesting vpn_connect executable in the /opt directory.

[Image: Our prize awaits with root privileges]
[Image: Bash-based redirection]
[Image: Bash reverse shell — but only as our user. :(]
[Image: Correct user/pass… overwritten flag. Time to revert!]
[Image: Ghidra reversed it straight to source code. Beautiful.]
[Image: Overwriting /etc/passwd]
[Image: Confirmed root privileges]
[Image: FTW]
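The two things that made this box fall were a custom setuid binary sitting in /opt and a writable path to /etc/passwd. Here is a small audit script I'd run on a host to catch that combination; it is added for this write-up, not something from the challenge box, and the allowlist of expected setuid binaries is an assumption you would tune to your own baseline.

```python
import os
import stat

# Added example, not code from the challenge. Two checks for the
# misconfiguration chain in the write-up: an unexpected setuid binary
# and a password database that something other than root can modify.

# Assumption: a short illustrative allowlist of setuid binaries that a
# stock distro ships; extend it with your own baseline.
KNOWN_SUID = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/bin/su"}


def find_setuid(root):
    """Return regular files under root with the setuid bit set that are
    not on the allowlist. Symlinks are not followed (lstat)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished mid-walk
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                if path not in KNOWN_SUID:
                    hits.append(path)
    return sorted(hits)


def passwd_is_writable(path="/etc/passwd"):
    """True if group or others can write the password database.
    /etc/passwd should be 0644 root:root; anything looser means a local
    user can add a UID 0 account without a setuid helper at all."""
    st = os.stat(path)
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    for p in find_setuid("/opt"):
        print("unexpected setuid binary:", p)
    print("/etc/passwd writable by group/others:", passwd_is_writable())
```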

SpyHunter — Eight of Diamonds (port 5555)

Switching gears. This one is a type of challenge I've always wanted to take the time to solve: game automation. When you connect to the port you're dropped into what reminds me of SpyHunter — a driving game where you have to dodge other cars. If your ^ car is hit, the game is over and the server tells you you're not as fast as a computer!

[Image: Rapid prototyping made easy]
[Image: drive.py test run]
[Image: Ready to Drive]
[Image: Watching it move!]

Password Functions — 4 of Clubs

This will be a short write-up, but it took me a long time. Everything you need for the challenge is right here:

[Image: The Challenge]
[Image: Guessing a hash]
[Image: Finally]

Game Review — 2 of Spades

This was a straightforward SQL injection challenge with a twist: the database is SQLite-based rather than the more well-known MySQL, so the usual MySQL exploit paths don't apply directly.

[Image: Ah, this is SQLite]
[Image: Enumerate column numbers and output location]
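To make the SQLite twist concrete, here is a toy review lookup in the shape that produces this bug, next to the parameterized version that fixes it. This is an added example, not the challenge's code; the table names, the flag value and the payload are constructed for the demo.

```python
import sqlite3

# Added example, not the challenge application. A "game review" lookup
# backed by SQLite: the injectable form beside the fixed form.


def build_db():
    """Constructed sample database, in memory, for the demo."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE reviews(id INTEGER PRIMARY KEY, game TEXT, review TEXT);
        CREATE TABLE secrets(id INTEGER PRIMARY KEY, flag TEXT);
        INSERT INTO reviews(game, review) VALUES ('Chess', 'Timeless');
        INSERT INTO reviews(game, review) VALUES ('Go', 'Deep');
        INSERT INTO secrets(flag) VALUES ('flag{constructed-sample}');
    """)
    return con


def lookup_vulnerable(con, game):
    # User input is pasted into the SQL text, so it can end the string
    # literal and append its own SELECT.
    sql = f"SELECT game, review FROM reviews WHERE game = '{game}'"
    return con.execute(sql).fetchall()


def lookup_safe(con, game):
    # A bound parameter is data, never SQL: the same input matches nothing.
    sql = "SELECT game, review FROM reviews WHERE game = ?"
    return con.execute(sql, (game,)).fetchall()


# Constructed payload of the kind the challenge needed. The UNION has to
# supply the same two columns as the original query, and SQLite's
# catalogue table is sqlite_master (MySQL would use information_schema),
# which is exactly why the MySQL cheat sheets fail here.
PAYLOAD = "x' UNION SELECT name, type FROM sqlite_master --"


def demo():
    """Return (rows from the vulnerable lookup, rows from the safe lookup)."""
    con = build_db()
    return lookup_vulnerable(con, PAYLOAD), lookup_safe(con, PAYLOAD)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable lookup returned:", leaked)
    print("parameterized lookup returned:", safe)
```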

Moose Gallery — 6 of Diamonds

File upload bypass and web shell

[Image: Don't mind if I do!]
[Image: Moose!]
  1. The next level is to use a simple GIF image header GIF89a1 in front of your php shell payload, but that didn't work either.
  2. Exif content fields in jpg images are known to work as well. Let's go that route.
[Image: That directory looks interesting]
[Image: There's our flag!]
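The reason both the GIF89a prefix and the EXIF route exist is that most upload filters only look at the extension or the first few magic bytes, and the uploader controls both. Here is the server-side check I'd want on a gallery like this one; it is an added example, not the Moose Gallery code, and the extension-to-type mapping is my own assumption.

```python
import re

# Added example, not the gallery app's code. Rejects an upload on the
# extension, on the magic bytes, or on a PHP open tag anywhere in the
# body. Scanning the whole body is what catches a payload hidden in an
# EXIF segment or behind a real GIF/JPEG header.

MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}
# Assumption: the extensions the gallery should accept, mapped to the
# content type the magic bytes must agree with.
EXT_TO_KIND = {"gif": "gif", "jpg": "jpeg", "jpeg": "jpeg", "png": "png"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def detect_magic(data):
    """Return 'gif', 'jpeg', 'png' by leading bytes, or None."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def validate_upload(filename, data):
    """Return (ok, reason). Every rejection names the check that fired."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXT_TO_KIND:
        return False, "extension not allowed"
    kind = detect_magic(data)
    if kind is None:
        return False, "not an image by magic bytes"
    if EXT_TO_KIND[ext] != kind:
        return False, "extension does not match content"
    if PHP_TAG.search(data):
        # Polyglot: valid image header, PHP further in (EXIF or appended).
        return False, "php tag found in image data"
    return True, "ok"
```

In production you would go one step further and re-encode the image with an image library, which drops EXIF and any trailing bytes entirely.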

Black Joker — I Hate Salt Password Cracking

This was a fun test of observation and having access to a password cracking setup. It probably wouldn’t take much time for even an underpowered system to solve this one.


Subdomain Brute-Force — 9 of Diamonds

This challenge took a little Burp guesswork and Host header configuration. When you visit the initial page by IP address you get a redirect to intranet.metasploit.ctf, which of course fails in our browser since we have no DNS entry for that name.


Answer Guessing — 3 of Spades

This was one of the first ones solved, but it's a good example of how quickly brute-forced queries can find things. Security through obscurity does not work.


Written by

Offensive cyber security and threat researcher
